Lines Matching full:with

6 …A API functions might receive arguments that are in memory that is shared with an untrusted proces…
21with environments where the arguments passed to a PSA Crypto API function may be in shared memory …
23 …n, may be vulnerable due to having multiple cores or asynchronous data transfers with peripherals.)
29 We consider a security architecture with two or three entities:
33 … client, which makes a RPC to the crypto client which re-shares the memory with the crypto service.
45 Vulnerability example (parsing): suppose the input contains data with a type-length-value or length…
47 …): consider an RPC to perform authenticated encryption, using a mechanism with an encrypt-and-MAC …
62with chained calls: we consider the same RSA signature operation as before. In this example, we ad…
72 Vulnerability example with chained calls (temporary exposure): an application encrypts some data, a…
74with chained calls (backtrack): we consider a provisioning application that provides a data encryp…
86 … of the one-shot interface, the client can do the same thing legitimately with the multipart inter…
96 …easy to write into a program, there is a risk that a compiler (especially with whole-program optim…
126 > In an environment with multiple threads or with shared memory, the implementation carefully acces…
136 For buffers with a small static size limit, this is something we often do for convenience, especial…
144 …nisms are naturally implemented by processing the input in a single pass, with a low risk of ever …
157 Note that in this context, a “small buffer” is one with a size limit that is known at compile time,…
168 #### Symmetric cryptography inputs with small output
178 …s output as a stream, with no error condition detected after setup other than operational failures…
190 * when encrypting with an encrypt-and-authenticate or authenticate-then-encrypt structure (one read…
191 * when decrypting with an encrypt-then-authenticate structure (one read to decrypt and one read to …
192 * with SIV modes (not yet present in the PSA API, but likely to come one day) (one full pass to cal…
194 …sure) if they are implemented by copying the input into the output buffer with `memmove`, then pro…
206with a hash-and-sign framework, the input to sign/verify-message is passed to a hash, and thus can…
229 * The built-in implementations of cryptographic mechanisms with arguments whose access needs to be …
243 * Build the program with link-time optimization / full-program optimization enabled (e.g. `-flto` w…
244 * Inspect the generated code with `objdump` or a similar tool to see if copying operations are pres…
248 …timized away by the compiler, further investigation is needed. Experiment with using the `volatile…
258 * Copy bypass is simpler as we can just replace these functions with no-ops in a single place.
277 …o hold the expected average call to `update()`. When `update()` is called with larger buffers than…
291 #### Validation of copying with memory pools
297 …s poisoned. This could be via memory protection (allocate with `mmap` then disable access with `mp…
326with random data, keeping a copy of the original. For input buffers, keep a copy of the original a…
340 …ver, running tests under Valgrind causes a much greater slowdown compared with ASan. As a result, …
342 **Design decision: Implement memory poisoning tests with both Valgrind's memcheck and ASan manual p…
344 ##### Validation with new tests
346 Validation with newly created tests would be simpler to implement than using existing tests, since …
350 ##### Validation with existing tests
352 An alternative approach would be to integrate memory poisoning validation with existing tests. This…
357 …g the implementation of `malloc()` with one that allocates poisoned buffers. However, there are so…
360 …to be unpoisoned right up until the function is called, so that they can be filled with input data.
371 * Does not require complex linking against different versions of `malloc()` (as is the case with th…
388 As with validation of copying, the simplest method of validation we can implement is careful code r…
406 2. Use `ptrace` with `PTRACE_SINGLESTEP` to re-execute the failed load/store instrution.
427 …at we are looking for. However, it is possible to generate a memory trace with Valgrind using the …
432 This will execute `myprogram` and dump a record of every memory access to `logfile`, with its addre…
448 …gger with [Iris](https://developer.arm.com/documentation/101196/latest/). This allows memory watch…
449 * Tracing of all memory accesses with [Tarmac Trace](https://developer.arm.com/documentation/100964…
462 …ng for the lower code quality of a prototype, would developers unfamiliar with the tests based on …
477 With this complexity in mind it does not seem feasible to run careful-access tests using existing t…
542 …t and output copies' state, and ensure that their length is always stored with them. In the case o…
544 With these structs we may create 2 pairs of functions, one pair for input copies:
574 …which declares and initializes a `psa_crypto_local_input_t` and a pointer with the name `input_cop…
594 … variable name as the name of the local copy while using a new name (e.g. with the suffix `_extern…
636 As discussed in [the design exploration](#validation-with-existing-tests), the preferred approach f…
672with ASan or Valgrind. For now, we can auto-detect ASan at compile-time and set an option: `MBEDTL…
674 Auto-detection and memory-poisoning with Valgrind is left for future work.
678 …es, it would be best to write a test function that misbehaves and test it with memory poisoning. S…
683 Then, we could write a test that uses this function with memory poisoning and ensure that it fails.…