[RndTbl] openssl bug

wyatt@prairieturtle.ca wyatt at prairieturtle.ca
Mon Mar 14 21:41:57 CDT 2016

Seems to me the fault is entirely Intel's. No programmer can be expected to make unsafe hardware safe.


----- Reply message -----
From: "Trevor Cordes" <trevor at tecnopolis.ca>
To: "MUUG RndTbl" <roundtable at muug.mb.ca>
Subject: [RndTbl] openssl bug
Date: Mon, Mar 14, 2016 00:31

A side-channel attack was found which makes use of cache-bank conflicts on 
the Intel Sandy-Bridge microarchitecture which could lead to the recovery 
of RSA keys.  The ability to exploit this issue is limited as it relies on 
an attacker who has control of code in a thread running on the same 
hyper-threaded core as the victim thread which is performing decryptions.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.


Uhh... Umm... OK.  How does one decide to start looking at hardware 
cache-bank conflicts to hack RSA keys?

Worse yet, how is a programmer supposed to think of this stuff in his 
"brainstorm what can go wrong" phase of programming?  "Oh, I need to alter 
my code to ensure it uses different cache banks on Sandy-Bridge."  This is 
Roundtable mailing list
Roundtable at muug.mb.ca
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.muug.mb.ca/pipermail/roundtable/attachments/20160314/33bf8639/attachment.html>

More information about the Roundtable mailing list