mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-30 06:33:06 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
27,611 Commits 170 Branches 263 Tags
Commit Graph

46 Commits

Author SHA1 Message Date
David Horstmann
e88a6f8368 Add portability consideration to careful-access 
It's important that we be able to test for target-specific bugs.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-30 15:26:21 +00:00
David Horstmann
d081e52685 Discuss plain-overwriting memory poisoning 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-30 15:22:07 +00:00
David Horstmann
599b087990 Rename and specify config options 
* Rename config options to have MBEDTLS_TEST_ prefix
* Clarify that these config options should not exist in mbedtls_config.h

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-25 18:09:17 +01:00
David Horstmann
78bd77f574 Careful-access prototyping to design exploration 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-25 18:04:39 +01:00
David Horstmann
c59913822e Remove references to new-test approach in design 
This is already covered in the design exploration and since the other
approach was chose, we do not need to discuss it in the detailed design
section.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-25 15:33:50 +01:00
David Horstmann
2b86df87da De-duplicate section titles 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-25 15:26:27 +01:00
David Horstmann
8e58ccb4f6 Add blank lines before lists 
This widens compatibility with different dialects of Markdown.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-25 15:13:29 +01:00
David Horstmann
2711d23976 Fix broken links 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-25 15:07:58 +01:00
David Horstmann
f95767ad56 Clarify use of new tests for careful-access 
New tests are needed (rather than existing ones) because the complexity
of setting up careful-access tests would make it difficult to build atop
existing tests.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-24 16:16:36 +01:00
David Horstmann
c7ccbf5157 Add detailed design section for careful access 
This consists in outlining the prototyping and evaluation of different
possible testing approaches.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-24 15:43:12 +01:00
David Horstmann
56aa1b3fbb Add exploration section on FVP testing 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 21:20:01 +01:00
David Horstmann
09c84ef0cd Add lengths to convenience interface sketch 
Add lengths to structs in the convenience functions to allocate and copy
input and output buffers. It seems better to ensure we always store a
buffer with its length.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 20:43:03 +01:00
David Horstmann
730dea31cb Rewrite incorrect description of psa_exercise_key 
And clarify our potential use of it as a starting point for writing
memory poisoning tests from scratch.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 20:35:35 +01:00
David Horstmann
6c51207602 Add notes about configuration of poisoning tests 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 20:25:14 +01:00
David Horstmann
8f905c289d Add reference to test hooks in detailed design 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 20:08:38 +01:00
David Horstmann
806055edbf Refactor note on preferred poison-test approach 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 19:53:30 +01:00
David Horstmann
52df620736 Use ASan for memory poisoning as well as Valgrind 
Also add information about ASan from Microsoft docs.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 19:49:00 +01:00
David Horstmann
c61ddb2089 Add C language annotation to code block 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 19:18:50 +01:00
David Horstmann
cbf068dbee Fix broken reference 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 19:03:10 +01:00
David Horstmann
f889e0fa0a Replace vague 'above' with a reference for ease-of-navigation 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 19:01:21 +01:00
David Horstmann
ded14a2c02 Add example wrapper function implementation 
Give an example wrapper foir psa_aead_update for the transparent testing
option.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 18:58:41 +01:00
David Horstmann
16dac00cb9 Add skeleton of detailed design rewrite 
In light of choosing Valgrind/ASan over mprotect()-based poisoning,
update the detailed design of copy validation.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-23 18:57:01 +01:00
David Horstmann
be868347f4 Rewrite design exploration of copy validation 
Main changes:
* New tests are easier to write than first stated
* Use of existing tests is ledd beneficial
* But using existing tests is a benefit if it can be done transparently

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-20 19:25:11 +01:00
David Horstmann
51fc6cf378 Explore sanitizers for memory poisoning 
Consider MSan, ASan and Valgrind as options for implementing memory
poisoning tests. Come to the altered conclusion that Valgrind is the
best option.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-20 18:40:15 +01:00
David Horstmann
17b3716c5a Tweak compiler optimization evaluation section 
* Remove references to the platform - this is unlikely to affect whether
copies are optimized.
* Note that the evaluation should test extreme optimisation settings.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-20 18:39:14 +01:00
David Horstmann
4e54abf182 Add section on possible use of Valgrind tracing 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-19 17:59:45 +01:00
David Horstmann
05ca3d9a1b Expand design for validation of careful access 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-19 16:45:37 +01:00
David Horstmann
a72b4ca734 Modify optimize-testing instructions 
Mention -flto and whole-program optimization as this is the most
important aspect.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-19 15:22:15 +01:00
David Horstmann
3f7e42a750 Move implementation by module table earlier 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-19 15:14:50 +01:00
David Horstmann
dae0ad439f Add more detail in design of memory poisoning 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-19 15:12:34 +01:00
David Horstmann
0bd87f5959 Change unsigned int to uint8_t 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-19 13:45:21 +01:00
David Horstmann
23661cc232 Detailed design of memory protection strategy 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-10-18 18:20:33 +01:00
Gilles Peskine
8ebeb9c180 Test for read-read inconsistency with mprotect and ptrace/gdb 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-16 18:37:02 +02:00
Gilles Peskine
87889ebe86 Fix editorial error with semantic consequences 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-16 15:40:02 +02:00
Gilles Peskine
a3ce6437bf Typos 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-16 15:39:37 +02:00
Gilles Peskine
1f2802c403 Suggest validating copy by memory poisoning 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 21:49:17 +02:00
Gilles Peskine
6998721c69 Add a section skeleton for copy bypass 
It's something we're likely to want to do at some point.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 20:05:32 +02:00
Gilles Peskine
7bc1bb65e9 Short explanations of what is expected in the design sections 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 20:05:25 +02:00
Gilles Peskine
35de1f7a7d Distinguish whole-message signature from other asymmetric cryptography 
Whole-message signature may process the message multiple times (EdDSA
signature does it).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 20:04:16 +02:00
Gilles Peskine
9cad3b3a70 Design change for cipher/AEAD 
There are many reasons why a driver might violate the security requirements
for plaintext or ciphertext buffers, so mandate copying.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 20:03:18 +02:00
Gilles Peskine
2859267a27 Clarify terminology: built-in driver 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 20:02:00 +02:00
Gilles Peskine
db00543b3a Add a section on write-read feedback 
It's a security violation, although it's not clear whether it really needs
to influence the design.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 19:57:53 +02:00
Gilles Peskine
352095ca86 Simplify the relaxed output-output rule 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 19:56:22 +02:00
Gilles Peskine
60c453ee72 Expand explanations of the vulnerabilities 
Add a few more examples.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 19:07:56 +02:00
Gilles Peskine
8daedaeac9 Fix typos and copypasta 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-13 18:47:29 +02:00
Gilles Peskine
f7806ca782 Analyze requirements for protection of arguments in shared memory 
Propose a dual-approach strategy where some buffers are copied and others
can remain shared.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-10-12 16:00:11 +02:00