Lines Matching refs:a
6 …h an untrusted process. On such systems, the untrusted process might access a shared memory buffer…
19 …a system that has memory separation between partitions: a partition can't access another partition…
21 …a system where our PSA Crypto implementation is running inside one partition, called the **crypto …
23 …a risk that this other partition will access it while the crypto implementation is working. Althou…
25 …only possible if an untrusted entity accesses a buffer while the crypto service is processing the …
29 We consider a security architecture with two or three entities:
31 * a crypto service, which offers PSA crypto API calls over RPC (remote procedure call) using shared…
32 * a client of the crypto service, which makes an RPC to the crypto service;
33 * in some scenarios, a client of the client, which makes an RPC to the crypto client which re-shares…
35 …pto service while it is processing an RPC. It is a security violation if the crypto service behave…
39 If an input argument is in shared memory, there is a risk of a **read-read inconsistency**:
41 1. The crypto code reads part of the input and validates it, or injects it into a calculation.
45 …a type-length-value or length-value encoding (for example, importing an RSA key). The crypto code …
47 …ual processing): consider an RPC to perform authenticated encryption, using a mechanism with an en…
54 If an output argument is in shared memory, there is a risk of a **write-read inconsistency**:
60 …into the buffer, so that the private-key operation is not a valid signature (e.g. it could be a de…
62 …gn comes from an attestation application which signs some data on behalf of a final client: the ke…
66 If an output argument is in shared memory, there is a risk of a **write-write disclosure**:
72 … considerations related to overlap, or because the implementation relies on a low-level API that w…
74 …backtrack): we consider a provisioning application that provides a data encryption service on beha…
78 If a function both has an input argument and an output argument in shared memory, and processes its…
84 …e content of a plaintext block after seeing the immediately preceding ciphertext block, this gives…
86 TODO: is this a risk we want to take into account? Although this extends the possible behaviors of …
94 Copying is a valid countermeasure. It is conceptually simple. However, it is often unattractive bec…
96 Note that although copying is very easy to write into a program, there is a risk that a compiler (e…
102 The following rules guarantee that shared memory cannot result in a security violation other than […
111 Example: these are the rules that a GlobalPlatform TEE Trusted Application (application running on …
117 A call to a crypto service to perform a crypto operation involves the following components:
122 …ographic mechanism, which may be provided by Mbed TLS (built-in driver) or by a third-party driver.
134 …eans that any buffer located in shared memory must be copied into or out of a buffer in memory own…
136 For buffers with a small static size limit, this is something we often do for convenience, especial…
138 …a buffer is not in shared memory. However, the location of the buffer is not under the control of …
142 …Therefore having drivers be responsible for protection is only a good choice if there is a definit…
144 …c mechanisms are naturally implemented by processing the input in a single pass, with a low risk o…
154 * Any parsing of formatted data has a high risk of [read-read inconsistency](#read-read-inconsisten…
155 …, it is natural for an implementation to have a [write-read inconsistency](#write-read-inconsisten…
157 …a “small buffer” is one with a size limit that is known at compile time, and small enough that cop…
164 * The output of a hash or MAC operation.
170 …a low risk of [read-read inconsistency](#read-read-inconsistency) because they are unformatted dat…
172 **Design decision: require symmetric cryptography drivers to read their input without a risk of rea…
174 …? They are typically small, but don't necessarily have a static size limit (e.g. GCM recommends a …
178 Key derivation typically emits its output as a stream, with no error condition detected after setup…
180 …e output, not about cooked key derivation, i.e. deriving a structured key, which is considered a […
188 …ead-inconsistency) if they process the input multiple times, which is natural in a number of cases:
198 …a single buffer for the input and the output if the driver supports in-place operation (which it i…
202 …quire AEAD drivers to read the additional data without a risk of read-read inconsistency**. Make a…
206 For signature algorithms with a hash-and-sign framework, the input to sign/verify-message is passed…
208 …ign/verify-message drivers to read their input without a risk of read-read inconsistency**. Make a…
216 * The core (dispatch layer) shall make a copy of the following buffers, so that drivers do not rece…
219 * The output of a hash or MAC operation.
235 Copy what needs copying. This is broadly straightforward, however there are a few things to conside…
241 …implemented, it should be evaluated to see whether compiler optimization is a problem. Specificall…
242 * Write a small program that uses a PSA function which copies inputs or outputs.
244 * Inspect the generated code with `objdump` or a similar tool to see if copying operations are pres…
246 …aviour is preserved by all major compilers then assume that compiler optimization is not a problem.
248 … for important platforms while retaining a C implementation that is likely to be correct on most p…
250 …ll the compiler optimize away copies? If so, can it be prevented from doing so in a portable way?**
254 We may either copy buffers on an ad-hoc basis using `memcpy()` in each PSA function, or use a unifi…
258 * Copy bypass is simpler as we can just replace these functions with no-ops in a single place.
263 **Design decision: Create a unified set of functions for copying input and output data.**
269 ##### 1. Allocate a buffer and copy input on each call to `update()`
271 …a multi-part operation is likely to be bad for performance. Multipart APIs are designed in part fo…
273 **Open question: Does memory allocation in `update()` cause a performance problem? If so, to what e…
275 ##### 2. Allocate a buffer at the start of the operation and subdivide calls to `update()`
293 …ode calling API functions allocates memory in a certain pool, and code in the library allocates me…
299 In the library, the code that does the copying temporarily unpoisons the memory by calling a test h…
322 1. Using Valgrind's memcheck tool. Valgrind provides a macro `VALGRIND_MAKE_MEM_NO_ACCESS` that all…
323 …g. It is suitable for input buffers only, since it allows us to detect when a poisoned buffer is r…
325 …will have to manually ensure that buffers sit in their own pages, which likely means making a copy.
326 …a copy of the original. For input buffers, keep a copy of the original and copy it back once the P…
334 … call a special macro on some buffer that was allocated by us and the sanitizer takes care of ever…
340 …nted). However, running tests under Valgrind causes a much greater slowdown compared with ASan. As…
346 …a testsuite using existing tests as a starting point - `mbedtls_test_psa_exercise_key` is a test h…
360 * Those buffers that are inputs to a PSA function need to be unpoisoned right up until the function…
361 * Those buffers that are outputs from a PSA function need to be unpoisoned straight after the funct…
363 …s simple to achieve, the extra coverage and time saved on new tests will be a benefit. If not, wri…
374 **Design decision: Use a memory poisoning approach to validate copying.**
382 …not to cause a security issue. Specifically, we must check that each memory location in a shared b…
395 If all other approaches turn out to be prohibitively difficult, code review exists as a fallback op…
399 …hat a memory location is not accessed more than once may be achieved by using `mprotect()` on a Li…
403 …protect` to deny or reenable access. Use `ptrace` from a parent process to react to SIGSEGV from a…
405 …a `mprotect` system call in the child to enable access. TODO: How? `ptrace` can modify registers a…
407 3. Use `ptrace` to execute a `mprotect` system call in the child to disable access.
414 Idea: call `mmap` to allocate memory for arguments and `mprotect` to deny or reenable access. Use a…
421 … in the gdb language, so we may want to just log the addresses and then use a separate program to …
425 An alternative approach is to use a dynamic instrumentation tool (the most obvious being Valgrind) …
427 …s the property that we are looking for. However, it is possible to generate a memory trace with Va…
432 …ecute `myprogram` and dump a record of every memory access to `logfile`, with its address and data…
434 1. Set up input and output buffers for a PSA function call.
444 …a Fixed Virtual Platform such as Corstone 310 ecosystem FVP, available [here](https://developer.ar…
448 * Convenient scripted use of a debugger with [Iris](https://developer.arm.com/documentation/101196/…
455 1. Take 1-2 days to create a basic prototype of a test that uses the approach.
456 2. Document the prototype - write a short guide that can be followed to arrive at the same prototyp…
461 …* Ease of reproduction - Does the prototype require a particular platform or tool to be set up? Ho…
462 …* Comprehensibility - Accounting for the lower code quality of a prototype, would developers unfam…
463 …uld allow us to ensure that there are no double-accesses due to a bug that only affects a specific…
475 … allocation of special buffers. FVP testing even requires the tests to be run on a non-host target.
481 …correctly detect careful-access violations when they occur. To do this, write a test function that:
486 Then, write a careful-access test for this function and ensure that it fails.
490 TODO: analyze the built-in implementations of mechanisms for which there is a requirement on driver…
510 Asymmetric signature | Careful access | Copying | Inputs to signatures are passed to a hash. This w…
514 …pying | Copying | Keys may be imported and exported in DER format, which is a structured format an…
518 As discussed in [Copying code](#copying-code), it is simpler to use a single unified API for copyin…
523 These seem to be a repeat of the same function, however it is useful to retain two separate functio…
542 …them. In the case of output copies, we keep a pointer to the original buffer so that it is easy to…
553 * `psa_crypto_local_input_alloc()` calls `calloc()` to allocate a new buffer of length `input_len`,…
556 We also create a pair of functions for output copies:
565 …llocate a new buffer of length `output_len` and stores `output_len` and the pointer to the buffer …
568 …mizations that reduce memory usage. For example, ciphers may be able to use a single intermediate …
574 …E(input, input_copy_name)`, which declares and initializes a `psa_crypto_local_input_t` and a poin…
584 …ns to have copying added while keeping the code mostly unmodified. Consider a hypothetical PSA fun…
594 …retain the original variable name as the name of the local copy while using a new name (e.g. with …
618 To this end, the macros above are defined conditionally on a new config option, `MBEDTLS_PSA_ASSUME…
640 In order to implement transparent memory poisoning we require a wrapper around all PSA function cal…
664 …a more generic mechanism for making exactly this kind of transformation - the PSA test wrappers, w…
666 The test wrappers are generated by a script, although they are not automatically generated as part …
678 …heir input/output buffers rather than the copies, it would be best to write a test function that m…
680 * Read its input buffer and after calling the input-buffer-copying function to create a local copy …
683 Then, we could write a test that uses this function with memory poisoning and ensure that it fails.…
685 This testing is implemented in `programs/test/metatest.c`, which is a program designed to check tha…