Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minerva attack on s390x architecture #24252

Open
GeorgePantelakis opened this issue Apr 24, 2024 · 3 comments
Open

Minerva attack on s390x architecture #24252

GeorgePantelakis opened this issue Apr 24, 2024 · 3 comments
Labels
branch: master Merge to master branch branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 help wanted resolved: not a bug The issue is not considered a bug triaged: bug The issue/pr is/fixes a bug

Comments

@GeorgePantelakis
Copy link

GeorgePantelakis commented Apr 24, 2024
edited

@tomato42 and I have tested OpenSSL in s390x architecture with z15 microarchitecture and we found that it may be vulnerable to a variant of the Minerva attack. We used statistical analysis to confirm the presence of side channels but we did not perform the Minerva attack against the implementation.

In the test scenario, we measure the time of signing of random messages using the EVP_DigestSign API (Init, Update, and Final) and then use the private key to extract the K value (nonce) from the signatures. Then based on the bit size of the extracted nonce we compare the signing time of full-sized nonces to signatures that used smaller nonces using statistical tests.

In our initial test, we found side-channels in curves P-256, P-364, and P-521. In these results we can see a clear leak: there is a dependency between the bit size of K and the size of the side channel.

For the non-deterministic path of the code:
conf_interval_plot_all_k_sizes_trim_mean_45_0-10
Results for P-256. Skilling-Mack test p-value: 0. The sample tested has 143,963,933 observations.

conf_interval_plot_all_k_sizes_trim_mean_45_0-10
Results for P-384. Skilling-Mack test p-value: 0. The sample tested has 143,966,184 observations.

conf_interval_plot_all_k_sizes_trim_mean_45_0-10
Results for P-521. Skilling-Mack test p-value: 0. The sample tested has 143,961,342 observations.

For the deterministic path of the code:
conf_interval_plot_all_k_sizes_trim_mean_45_0-10
Results for P-256. Skilling-Mack test p-value: 0. The sample tested has 143,961,755 observations.

conf_interval_plot_all_k_sizes_trim_mean_45_0-10
Results for P-384. Skilling-Mack test p-value: 1.180236e-133. The sample tested has 143,952,618 observations.

conf_interval_plot_all_k_sizes_trim_mean_45_0-10
Results for P-521. Skilling-Mack test p-value: 8.712206e-06. The sample tested has 143,961,258 observations.
@GeorgePantelakis GeorgePantelakis added the issue: bug report The issue was opened to report a bug label Apr 24, 2024
@GeorgePantelakis GeorgePantelakis changed the title Minerva attack in s390x architecture Minerva attack on s390x architecture Apr 24, 2024
@t8m t8m added branch: master Merge to master branch help wanted triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 and removed issue: bug report The issue was opened to report a bug labels Apr 24, 2024
@t8m
Copy link
Member

t8m commented Apr 24, 2024

In comparison to the PPC64 and ARM results here the signal is much bigger (tenths of ns).

@holger-dengler
Copy link
Contributor

We'll take a look.

@holger-dengler
Copy link
Contributor

After analysis it has been determined not to be an issue in OpenSSL. IBM Z and LinuxONE customers are advised to stay current with their service and refer to the IBM Z and LinuxONE Security Portal for information about security vulnerabilities. See also https://www.ibm.com/support/pages/ibm-security-vulnerability-management .

@t8m t8m added the resolved: not a bug The issue is not considered a bug label Apr 29, 2024
@tomato42 tomato42 mentioned this issue May 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
branch: master Merge to master branch branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 help wanted resolved: not a bug The issue is not considered a bug triaged: bug The issue/pr is/fixes a bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@t8m @GeorgePantelakis @holger-dengler