-
Notifications
You must be signed in to change notification settings - Fork 271
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Constant-time tests for libsecp256k1 #213
base: master
Are you sure you want to change the base?
Conversation
Tests for constant-time violations in a few functions taking secret data as input.
Instructions for generating LLVM bitcode, and running the test are in |
Hi, this looks very interesting but can you provide some background? What's pitchfork? What does it do? How does it work? |
pitchfork is a crate for testing cryptographic libraries for constant-time violations. It is based on the haybale crate, a SAT solver written in Rust. Basically, These are still, ultimately, software checks. So, weird compiler optimizations, hardware side-channels, etc. could still lead to non-constant-time code. However, these checks are an extra assurance that the code is protected from timing side-channels. |
Looks like the CI environment would need to be changed to run
|
Hi, Second, currently this doesn't do anything, because the function names are wrong, and inspecting the output of After fixing those and running, it fails on the C symbols, because doing |
Independently of this, maybe upstream secp256k1 is a better place to run this in CI. Rust code here should never work on secrets (but pass it to the C code). |
This is actually pretty cool,
And if we look at line 426 we see: @real-or-random idk, I think upstreams CI is already quite busy, and this library is only in rust so adding it here might be easier (if not I might set it up on a third party github) |
I see that point. One problem is that this won't catch issues early enough, I think. We'll see the problem only when we update the secp256k1 subtree here (which is probably much later than the code was committed or even released upstream). |
That's also fair, I wonder if I can do some travis cron job on a branch here or on a fork that will update to upstream everyday, run all the tests and run these ct tests. although merging to master in libsecp might also be too late? (and I will need to actually notice the Travis email saying it failed) |
Yeah, but to be honest, I feel then it's easier to just add it upstream. Sure, the CI is large already but why not. I guess a rust dependency is not an issue when it's just in Travis. (Just my, we'd need to see upstream of course.) |
@real-or-random @elichai I considered making the pull upstream, but did not know how they would feel about Rust code in a pure-C project. Happy to make a PR, and maybe put it under a
Yeah, wasn't sure about if the C functions were coming through... re: your failing test on upstream, I had problems with false-positives behind references when testing Thanks for the feedback 😄 |
To be honest, I don't know what the other contributors to upstream think about Rust code in the repo. I'm not sure whether I'd like that, but I'd be okay if it's just for the CI in some But before we talk about this, a much important issue is declassification, which we rely on with our current valgrind tests. Has anybody run the tests here successfully at all against the current master? For example, |
That's why I wanted to run this on master, but I didn't got to doing it, I hope I'll be able to do it today |
I will also try running this against master, with the advice from above. |
Tests for constant-time violations in a few functions taking secret data as input.
No violations found 🚀