-r--r--r-- 9404 libcpucycles-20260105/doc/html/security.html raw
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style type="text/css">
html{overflow-y:scroll;background-color:#10400a}
body{font-family:"Noto Sans","Droid Sans","DejaVu Sans","Arial",sans-serif;line-height:1.5}
tt,code{background-color:#f0f0f0;font-family:"Noto Sans Mono","Droid Sans Mono","DejaVu Sans Mono","Courier New",monospace,sans-serif;font-size:1em;}
pre{margin-left:3em}
p,ul,ol,blockquote,pre{font-size:1.0em;line-height:1.6}
li p{font-size:1.0em}
blockquote p{font-size:1.0em}
h1{font-size:1.5em}
h2{font-size:1.3em}
h3{font-size:1.0em}
h1 a{text-decoration:none}
table{border-collapse:collapse}
th,td{border:1px solid black}
table a{text-decoration:none}
table tr{font-size:1.0em;line-height:1.6em}
table tr{font-size:1.0em;line-height:1.5}
tbody tr:nth-child(12n+1){background-color:#f0ffff}
tbody tr:nth-child(12n+2){background-color:#f0ffff}
tbody tr:nth-child(12n+3){background-color:#f0ffff}
tbody tr:nth-child(12n+4){background-color:#f0ffff}
tbody tr:nth-child(12n+5){background-color:#f0ffff}
tbody tr:nth-child(12n+6){background-color:#f0ffff}
tbody tr:nth-child(12n+7){background-color:#fffff0}
tbody tr:nth-child(12n+8){background-color:#fffff0}
tbody tr:nth-child(12n+9){background-color:#fffff0}
tbody tr:nth-child(12n+10){background-color:#fffff0}
tbody tr:nth-child(12n+11){background-color:#fffff0}
tbody tr:nth-child(12n+12){background-color:#fffff0}
#headline{display:block;margin:0;padding:0;color:#ffffff;background-color:#10400a}
#headline .text{font-weight:bold;font-size:1.0em}
#headline input{display:none}
#nav ul{margin:0;padding:0}
#nav li{list-style-type:none;margin:0;padding:0}
.navtop{padding-bottom:0.5em;font-weight:bold;font-size:1.0em}
.navtop{background-color:#10400a;color:#ffffff}
#nav .here{background-color:#10400a;color:#ffffff}
#nav .away{background-color:#10400a;color:#ffffff}
#nav .away a{text-decoration:none;display:block;color:#ffffff}
#nav .away a:hover,.away a:active{text-decoration:underline}
#hidemenu{visibility:hidden;display:none;overflow:hidden;position:fixed;top:0;left:0;height:100%;width:100%}
.main{padding:5px}
.main{background-color:#ffffff}
.pagetitle{font-size:1.4em;font-weight:bold}
@media only screen and (min-width:512px) {
.navtop{padding-top:5px}
#headline{top:0;margin:0;width:160px;height:100%;position:fixed;overflow:auto}
#headline .noselect{display:none}
#headline #nav{visibility:visible;display:block;width:auto;height:auto}
.main{margin-left:170px}
#headline #hidemenu{visibility:hidden}
}
@media not screen and (min-width:512px) {
#headline .noselect{-webkit-user-select:none;-ms-user-select:none;user-select:none;}
#headline #nav #navbot{visibility:hidden;position:fixed;top:0;left:-70%;z-index:2;transition:0.2s;margin:0;padding:0}
#headline input:checked ~ #nav #navbot{height:100%;position:fixed;top:0;left:0;visibility:visible;display:block;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;vertical-align:center;font-size:1.0em;width:70%;overflow:auto}
#headline input:checked ~ #hidemenu{visibility:visible;display:block;background:black;opacity:0.3;z-index:1}
}
</style>
<title>
libcpucycles: Security</title>
</head>
<body>
<label id=headline>
<input type=checkbox />
<nav id=nav>
<div class=navtop>
<span class=noselect>≡</span>
libcpucycles</div>
<ul id=navbot>
<li class=away><a href=index.html>Intro</a>
</li><li class=away><a href=download.html>Download</a>
</li><li class=away><a href=install.html>Install</a>
</li><li class=away><a href=api.html>API</a>
</li><li class=away><a href=counters.html>Counters</a>
</li><li class=away><a href=selection.html>Selection</a>
</li><li class=here>Security
</li><li class=away><a href=license.html>License</a>
</li></ul></nav>
<div id=hidemenu></div>
</label>
<div class=main>
<div class=pagetitle>libcpucycles: Security</div>
<h3>Timing attacks</h3>
<p>Many security systems have been shown to be breakable by "timing
attacks". These attacks extract secrets by analyzing timings of the
legitimate user's operations on secret data. See the June 2022 survey
page <a href="https://timing.attacks.cr.yp.to">https://timing.attacks.cr.yp.to</a>
for an overview and further references.</p>
<p>Sometimes these attacks are used as motivation to disable the attacker's
access to various timing mechanisms. For example, Firefox rounds its
<code>performance.now</code> timer to 1-millisecond resolution
<a href="https://web.archive.org/web/20220428142858/https://developer.mozilla.org/en-US/docs/web/api/performance/now">"to mitigate potential security threats"</a>.</p>
<p>As another example, reducing <code>/proc/sys/kernel/perf_event_paranoid</code>
under Linux to 2 (from 3 or higher), so that libcpucycles has access to
the best available Intel/AMD cycle counter (RDPMC), also means making
this cycle counter and other performance-monitoring counters available
to any attacker-controlled software running on the computer. Perhaps
this helps timing attacks, not to mention the possibility of opening up
other vulnerabilities via the complicated <code>perf_event</code> interface.</p>
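<p>As an added illustration (not code from libcpucycles), the following C program audits the setting discussed above: it reads <code>/proc/sys/kernel/perf_event_paranoid</code>, parses the value defensively, and reports whether the counters are left open to unprivileged code, using the threshold from this page (2 or lower exposes them; 3 or higher, on kernels carrying that restriction, does not). The function names are this example's own; the parser is separated from the file read so it can be exercised on constructed strings on any system.</p>

```c
/* Added example (not part of libcpucycles): audit helper for the
 * perf_event_paranoid sysctl discussed on this page. The threshold
 * follows the page: a value of 2 or lower leaves perf_event counters,
 * and hence the RDPMC path libcpucycles prefers, usable by unprivileged
 * code; 3 or higher (where the kernel supports that level) does not. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Parse the sysctl text ("2\n", "-1\n", ...). Returns 1 on success and
 * stores the value; returns 0 for empty, non-numeric or trailing-garbage
 * content so a malformed file is never silently treated as "safe". */
static int parse_paranoid(const char *text, long *value) {
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0) return 0;
    while (*end == '\n' || *end == ' ' || *end == '\t') end++;
    if (*end != '\0') return 0;
    *value = v;
    return 1;
}

/* Convenience wrapper: parsed value, or fallback when parsing fails. */
static long parsed_or(const char *text, long fallback) {
    long v;
    return parse_paranoid(text, &v) ? v : fallback;
}

/* 1 if unprivileged software can open perf_event counters at this level. */
static int paranoid_exposes_counters(long value) { return value <= 2; }

/* Read the live setting. Returns 0 and stores the value on success,
 * -1 if the file is unreadable (non-Linux, restricted /proc) or malformed. */
static int read_paranoid(long *value) {
    char buf[64];
    FILE *f = fopen("/proc/sys/kernel/perf_event_paranoid", "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    return parse_paranoid(buf, value) ? 0 : -1;
}

int main(void) {
    long v;
    if (read_paranoid(&v) != 0) {
        puts("perf_event_paranoid: not readable on this system");
        return 1;
    }
    printf("perf_event_paranoid = %ld: %s\n", v,
           paranoid_exposes_counters(v)
               ? "perf counters (RDPMC path) exposed to unprivileged code"
               : "perf counters restricted to privileged code");
    return 0;
}
```

<p>Run it on a benchmarking machine to confirm the relaxed setting is present, and on an end-user machine to confirm it is not; a non-zero exit means the setting could not be read rather than that it is safe.</p>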
<p>As yet another example, ARM CPUs disable user access to the main CPU
cycle counter by default. Allowing user access to the cycle counter
(via a kernel module or other kernel configuration) could help attacks.</p>
<p>Given the availability of simple mechanisms to disable RDPMC etc., it is
easy to recommend using those mechanisms. To avoid creating unnecessary
tension between those recommendations and the use of libcpucycles,
applications that use libcpucycles should be structured so that
high-resolution timers are used only on controlled development and
benchmarking machines, not on general end-user machines.</p>
<p>This structure might seem incompatible with using cycle counts to
automatically select the best of multiple options, as in FFTW. However,
infrastructure introduced in <a href="https://lib25519.cr.yp.to">lib25519</a>
automatically selects options on end-user machines based on cycle counts
that were <em>collected on benchmarking machines</em>.</p>
<p>The above text should not be understood as endorsing the idea that
disabling timers is an <em>effective</em> defense against timing attacks.
Certainly disabling high-resolution timers is not sufficient for
security: there are many ways for attackers to amplify timing signals
and to statistically filter out noise from low-resolution timers.
Disabling <em>every</em> standard timing mechanism on the machine does not stop
the attacker from accessing a remote timer or a counter maintained by
the attacker's software. Perhaps disabling timers sometimes makes the
difference between a feasible attack and an infeasible attack, but
evaluating this is extremely difficult.</p>
<p>Meanwhile there is an auditable methodology available to stop timing
attacks: constant-time programming, which systematically cuts off data
flow from secrets to timings.</p>
<p>For example, constant-time programming does not permit comparisons
involving secrets (e.g., <code>x>y</code> where <code>x</code> or <code>y</code> is secret): comparisons
are sometimes compiled into branches, and branches take variable time.
The <a href="https://cr.yp.to/papers.html#cryptoint">cryptoint</a> library
provides constant-time comparison operations.</p>
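<p>To make the rule concrete, here is an added C example (it is not code from libcpucycles or from cryptoint) showing the branchy comparison the text forbids beside branch-free replacements: an unsigned greater-than, an equality test, a conditional select built from the resulting mask, and a buffer comparison of the kind used to check authentication tags. All function names are this example's own. One caveat a practitioner should keep in mind: C semantics do not guarantee that a compiler preserves the branch-free form, so the generated assembly still has to be inspected, which is part of what a library such as cryptoint takes care of.</p>

```c
/* Added example (not from libcpucycles or cryptoint): branch-free
 * comparison, selection and tag-equality helpers of the kind
 * constant-time programming uses in place of "x > y" on secrets.
 * The C language itself does not guarantee the compiler keeps these
 * branch-free; the emitted assembly must still be checked. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Variable-time reference: the compiler may turn this into a branch
 * whose timing depends on x and y. Not for use on secrets. */
static int vt_gt(uint32_t x, uint32_t y) { return x > y; }

/* Constant-time x > y for 32-bit unsigned inputs, returning 0 or 1.
 * After widening to 64 bits, y - x wraps (sets bit 63) exactly when x > y. */
static uint32_t ct_gt(uint32_t x, uint32_t y) {
    uint64_t d = (uint64_t)y - (uint64_t)x;
    return (uint32_t)(d >> 63);
}

/* Constant-time x == y, returning 0 or 1: x ^ y is zero only when equal,
 * and subtracting 1 from zero wraps and sets bit 63. */
static uint32_t ct_eq(uint32_t x, uint32_t y) {
    uint64_t d = (uint64_t)(x ^ y);
    return (uint32_t)((d - 1) >> 63);
}

/* Constant-time select: a if bit == 1, b if bit == 0, with no branch.
 * 0u - bit yields an all-ones or all-zeros mask. */
static uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b) {
    uint32_t mask = 0u - bit;
    return (a & mask) | (b & ~mask);
}

/* Constant-time minimum, composed from the helpers above. */
static uint32_t ct_min(uint32_t x, uint32_t y) {
    return ct_select(ct_gt(x, y), y, x);
}

/* Constant-time equality of two n-byte buffers (e.g. MAC tags): every
 * byte is visited and the result depends only on the OR of all
 * differences, never on the position of the first mismatch. */
static uint32_t ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (uint32_t)(a[i] ^ b[i]);
    return ct_eq(acc, 0);
}

/* Constructed demo with a made-up 16-byte tag. Returns bit 0 set if the
 * genuine tag is accepted and bit 1 set if a tag altered in its last
 * byte is rejected, so 3 means both checks behaved correctly. */
static int tag_check_demo(void) {
    static const uint8_t expected[16] = {
        0x8f,0x1a,0x2b,0x3c,0x4d,0x5e,0x6f,0x70,
        0x81,0x92,0xa3,0xb4,0xc5,0xd6,0xe7,0xf8 };
    uint8_t received[16];
    int result = 0;
    for (size_t i = 0; i < 16; i++) received[i] = expected[i];
    result |= ct_memeq(expected, received, 16) ? 1 : 0;
    received[15] ^= 0x01;                      /* tamper with the final byte */
    result |= ct_memeq(expected, received, 16) ? 0 : 2;
    return result;
}

int main(void) {
    printf("ct_gt(5,3)=%u vt_gt(5,3)=%d\n", ct_gt(5, 3), vt_gt(5, 3));
    printf("ct_min(9,4)=%u\n", ct_min(9, 4));
    printf("tag demo=%d (3 means pass)\n", tag_check_demo());
    return 0;
}
```

<p>The 64-bit widening is what keeps <code>ct_gt</code> correct across the full 32-bit range, including <code>x = 0xFFFFFFFF</code>; writing the same trick directly on 32-bit operands would be wrong for inputs that differ in the top bit. The demo's <code>? :</code> on the result of <code>ct_memeq</code> is fine only because that verdict is public; the secret-dependent work is the byte loop.</p>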
<p>As another example, constant-time programming disables overclocking
mechanisms such as Turbo Boost: secrets affect a CPU's power
consumption, and overclocking creates data flow from power consumption
to timings. The importance of disabling overclocking is illustrated by
the <a href="https://www.hertzbleed.com">Hertzbleed attack</a> extracting secret
keys from the SIKE cryptosystem (before SIKE was broken in other ways),
and by an <a href="https://arxiv.org/abs/2206.07012">independent attack</a>
extracting secret AES keys.
This is why <a href="https://timing.attacks.cr.yp.to">https://timing.attacks.cr.yp.to</a>
recommends turning off Turbo Boost "right now", and explains the
mechanisms available to do this. One non-security reason that it was
already normal (although not universal) for manufacturers to provide
these mechanisms to end users is that Turbo Boost has a reputation for
causing premature hardware failures. Turbo Boost also provides very
little speed benefit for modern multithreaded vectorized applications.</p>
<p>Another reaction to timing attacks is to apply "masking" techniques.
These techniques <em>seem</em> to make it more difficult for attackers to
extract secrets from power consumption and other side channels. However,
as <a href="https://timing.attacks.cr.yp.to">https://timing.attacks.cr.yp.to</a>
explains, it is "practically impossible for an auditor to obtain any
real assurance that these techniques are secure". See the December 2022
paper
<a href="https://eprint.iacr.org/2022/1713">"Breaking a fifth-order masked implementation of CRYSTALS-Kyber by copy-paste"</a>
for a newer example of a security failure in a masked implementation.</p>
<h3>Setuid programs</h3>
<p>libcpucycles is not intended for usage in setuid programs. It often
calls further programs to estimate the CPU frequency, and it inspects
possibly untrustworthy environment variables.</p><hr><font size=1><b>Version:</b>
This is version 2026.01.05 of the "Security" web page.
</font>
</div>
</body>
</html>