As part of a larger security analysis of embedded security architectures and applications, we found that this repository is using a non-constant-time hardware implementation for comparing secret-dependent memory buffers. This may allow an attacker to brute-force expected authentication tags in linear instead of exponential time.
We recommend adding a register to keep track of the result of the comparison, but completing it in every case:
```verilog
// Next-state logic: the tag comparison now always runs to completion
// (mem_done) and SUCCESS/FAIL is chosen from the sticky tag_ok_reg rather
// than from the per-word tag_ok signal, so the FSM's timing no longer
// depends on where the first mismatching word lies.
always @(*)
    /* fail the currently executing crypto instruction on IRQ arrival; this
       should also stop the crypto unit in case of an SM memory violation */
    if (irq_pnd & irq_state_ok) next_state = IRQ_FAIL; else
    case (state)
        ...
        VERIFY_TAG:      next_state = VERIFY_TAG_WAIT;
        VERIFY_TAG_WAIT: next_state = mem_done ?
                                      (tag_ok_reg ? SUCCESS : FAIL) :
                                      wrap_busy ? VERIFY_TAG_WAIT : VERIFY_TAG;
        ...

...

// Output logic: pulse tag_ok_reg_init when a new tag verification starts
// (TAG_INIT), so the sticky register is preset to 1 for this comparison.
reg tag_ok_reg_init;
always @(*)
begin
    ...
    tag_ok_reg_init = 0;
    case (next_state)
        ...
        TAG_INIT:
        begin
            ...
            tag_ok_reg_init = 1;
        end

// Sticky comparison result: preset to 1 at TAG_INIT, cleared on the first
// mismatching word and never set again until the next verification.
// Non-blocking assignments are used since this is a clocked register.
reg tag_ok_reg;
always @(posedge clk)
    if (tag_ok_reg_init)
        tag_ok_reg <= 1'b1;
    else if (!tag_ok)
        tag_ok_reg <= 1'b0;
```
We also submitted this change as a pull request here.
For more information about our analysis, we invite you to read our paper on exposing timing leakage at different levels of the hardware-software stack, which will appear at the 8th Workshop on System Software for Trusted Execution (SysTEX 2025).
Let us know if you have any questions, and thank you for releasing your work as open source!
@rubenvdijck, @martonbognar, @jovanbulck
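A cycle-level Python model of the two FSM behaviours discussed in this issue, added here as an illustration; it is neither the repository's RTL nor the issue authors' code. It assumes one 16-bit word is compared per cycle (constructed `WORD` size) and equal-length tags. `timing_profile` is the check a test bench would run: the sticky-register version takes the same number of cycles wherever the first mismatch lies, while the early-exit version leaks that position.

```python
WORD = 2  # bytes compared per cycle (assumed 16-bit memory bus, not from the RTL)


def _words(buf: bytes) -> list[bytes]:
    """Split a tag into the per-cycle memory words the comparator sees."""
    return [buf[i:i + WORD] for i in range(0, len(buf), WORD)]


def verify_tag_early_exit(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Leaky FSM: goes to FAIL as soon as a word mismatches, so the cycle
    count reveals the index of the first wrong word."""
    cycles = 0
    for e, c in zip(_words(expected), _words(candidate)):
        cycles += 1
        if e != c:
            return False, cycles  # early FAIL: timing depends on the secret
    return True, cycles


def verify_tag_constant_time(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Proposed FSM: tag_ok_reg is preset at TAG_INIT, cleared by any mismatch
    and only consulted once mem_done, so every verification runs to the end."""
    tag_ok_reg = True  # tag_ok_reg_init pulse in TAG_INIT
    cycles = 0
    for e, c in zip(_words(expected), _words(candidate)):
        cycles += 1
        tag_ok = (e == c)
        if not tag_ok:
            tag_ok_reg = False  # sticky: can only fall until the next init
    # mem_done: SUCCESS/FAIL is selected from tag_ok_reg here, never earlier
    return tag_ok_reg, cycles


def timing_profile(verify, expected: bytes) -> list[int]:
    """Cycle count for a candidate whose first mismatch is at each word index.
    A data-independent comparator yields a flat profile."""
    profile = []
    for i in range(len(expected) // WORD):
        cand = bytearray(expected)
        cand[i * WORD] ^= 0x01  # constructed: flip one bit in word i
        profile.append(verify(expected, bytes(cand))[1])
    return profile
```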