@@ -24,58 +24,18 @@ experiment.
2424Side Channels
2525-------------
2626
27- This project uses coding patterns that attempt to reduce the risk that the
28- compiler will generate machine code that will leak secrets through timing side
29- channels. This project uses similar mitigations as BoringSSL, but they are not
30- exactly the same, they are not used in exactly the same way. BoringSSL seems to
31- have some ways of validating that its mitigations work with specific versions
32- of specific C/C++ compilers. This project kinda relies on that; this should be
33- revisited.
34-
35- There are some targets where trying to be "constant-time" just isn't going to
36- work.
37-
38- For WebAssembly and WebAssembly-like targets, where there is a JIT, virtual
39- machine, or similar intermediary involved, the runtime is likely to undo
40- whatever we do to mitigate timing side channels. Even with the introduction of
41- blinding, there is a big risk for these targets. WebAssembly itself needs to
42- develop solutions for solving these problems.
43-
44- There are "native" targets that have similar issues. BoringSSL will refuse to
45- compile for some of them because of its allowlist of targets. * ring* doesn't
46- use that allowlist, and also the allowlist doesn't completely avoid the
47- problem.
48-
49- * ring* doesn't use any randomizing mitigations like blinding.
50-
51- Over time, as compiler evolved, mitigations for compiler-introduced side
52- channels have had to evolve. What worked years ago with version X of the C
53- compiler doesn't necessarily work now with version X+1, or even with the same
54- version of the compiler shipped by a different vendor or configured in a
55- different way. This probably affects this project's releases and would probably
56- affect the project more and more over time going forward.
57-
58- Over time * ring* and BoringSSL have diverged in various areas. In some cases
59- * ring* was ahead of BoringSSL regarding mitigations for timing side channels
60- using our own code. For example, there was a time when we replaced much of the
61- ECC code and RSA code that was using variable-length ` BIGNUM ` arithmetic with
62- similar fixed-length bigint arithmetic. However, since then, BoringSSL has come
63- up with its own similar but different solution. Similarly, because of our hopes
64- of eventually getting rid of the C code in * ring* , and the hope of eventually
65- minimizing the use of external assembly code, and other difficulties, in some
66- situations this project uses a substantially different implementation of a
67- primitive than BoringSSL may use. This is something to be investigated.
68-
69- Recently, BoringSSL has converted most of its code from C to C++, whereas
70- * ring* still uses the C variant of that code. This would naturally make sharing
71- code hard unless we also switch to requiring a C++ compiler for * ring* . And of
72- course this even further reduces the validity of relying on BoringSSL's testing
73- for * ring* .
74-
75- Besides all of the above, there are many other things to consider regarding
76- timing side channels and other kinds of side channels.
27+ See [ SIDE-CHANNELS.md] ( SIDE-CHANNELS.md ) for important information regarding
28+ the limitations of the side channel mitigations in this project.
7729
7830
31+ Toolchains & Targets
32+ --------------------
33+
34+ Be especially weary about using toolchains (C compilers, etc.) or targets
35+ that aren't supported by other projects, especially BoringSSL. The further you
36+ are from using the same version of Clang that Chrome uses, the more weary you
37+ should be.
38+
7939
8040Bug Reporting
8141-------------
0 commit comments