List:       openssl-dev
Subject:    [openssl-dev] CVE-2016-2178 - Constant time flag not preserved in DSA signing
From:       Leif Thuresson <leif.thuresson () foxt ! com>
Date:       2016-09-26 15:45:31
Message-ID: 477e2e12-c93e-a44d-9468-8c2046d09e99 () foxt ! com

I'm trying to understand the severity of this issue.
The demo exploit described here http://eprint.iacr.org/2016/594 relies on the fact that the target program and the attacker share the same memory image of the OpenSSL shared library.
If my program is statically linked to OpenSSL, will that make it more resistant to this type of attack?
Or will page de-duplication techniques like Linux KSM make it just as vulnerable as a dynamically linked program?

/leif


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev