[Cryptech Tech] Cure53 security audit
Michael Dockter
dockter at dkey.org
Wed Oct 10 16:15:14 UTC 2018
I'm not so sure that CT-01-005 is an actual issue. Cure53 states the attacker could cause an OOB by writing (presumably meaning passing this in) a negative value for attributes_len.
1. attributes_len is set by calling hal_xdr_decode_int, it is not passed into pkey_get_attributes. it's true that attributes_len is passed back in hal_xdr_decode_int via *value = ntohl(**(uint32_t **)inbuf); but this is not the same sitaution as CT-01-006
2. hal_xdr_decode has a buffer overflow check and the conditional check is unsigned, therefore a signed value buffer overflow attack is not possile in my sing opinion. using arm-non-eabi-objdump we see the conditonal check is b.n without a cmp to set the cc.
*
/* buffer overflow check */
if (limit - *inbuf < (ptrdiff_t)sizeof(*value))
56: 2001 movs r0, #1
58: e001 b.n 5e <hal_xdr_decode_buffer_in_place+0x5e>
5a: 2001 movs r0, #1
return HAL_ERROR_XDR_BUFFER_OVERFLOW;
________________________________
From: Tech <tech-bounces at cryptech.is> on behalf of Phil Roberts <roberts at dkey.org>
Sent: Tuesday, October 9, 2018 7:37:03 AM
To: tech at cryptech.is
Subject: [Cryptech Tech] Cure53 security audit
Hi folks,
Cure53 completed a security audit for us last month. The Cryptech core team has begun updating the design and implemention
in accordance with the recommendations in the audit report. Furthermore, the core team is reviewing and updating our development process and how to augument the toolchain to ensure that an even higher, and more consistent quality
and level of security will be reached. It is expected that there will be
incremental updates to address the identified issues, and these will be finished by the end of year.
Regards,
Phil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cryptech.is/archives/tech/attachments/20181010/5a33bf04/attachment.html>
More information about the Tech
mailing list