From be18f3f4a53b87f8d981d020d835f691943dc9c7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 20 Nov 2025 15:46:58 +0100 Subject: [PATCH 1/3] Add a section about compiler-introduced timing side channels Signed-off-by: Gilles Peskine --- SECURITY.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index e36162abd7..6f545f8fcf 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -107,6 +107,12 @@ model, they need to be mitigated by physical countermeasures. ### Caveats +#### Compiler-induced side channels + +Mbed TLS is mostly written in C. We use standard C except with known compilers, so we do not expect compilers to introduce direct vulnerabilities. However, compilers can introduce [timing side channels](#timing-attacks) in code that was intended to be constant-time. Mbed TLS includes countermeasures to try to prevent this. But given the diversity of compilers, compiler options and target platforms, this prevention may not be complete. + +We recommend compiling Mbed TLS with commonly used levels of optimizations, such as `-O2` or `-Os`. Higher levels of optimization such as `-O3` or `-Oz` are likely to be safe but are less scrutinized. We do not recommend using less vetted optimization options unless your system is physically isolated. + #### Out-of-scope countermeasures Mbed TLS has evolved organically and a well defined threat model hasn't always From 54ebb9b42db9f6e0193f2d755c04b41d21eeec8a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 20 Nov 2025 15:49:02 +0100 Subject: [PATCH 2/3] Mention the new advice about compiler options in the changelog Signed-off-by: Gilles Peskine --- ChangeLog.d/security-advice.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 ChangeLog.d/security-advice.txt diff --git a/ChangeLog.d/security-advice.txt b/ChangeLog.d/security-advice.txt new file mode 100644 index 0000000000..1f7677a882 --- /dev/null +++ b/ChangeLog.d/security-advice.txt 
@@ -0,0 +1,2 @@ +Security + * Added advice about compiler options in SECURITY.md. From d1f0ce8493050f983a6238b120c29a35e2243015 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 26 Feb 2026 11:44:02 +0100 Subject: [PATCH 3/3] Be more specific about what compiler options we consider legitimate Signed-off-by: Gilles Peskine --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6f545f8fcf..b485d0112e 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -111,7 +111,7 @@ model, they need to be mitigated by physical countermeasures. Mbed TLS is mostly written in C. We use standard C except with known compilers, so we do not expect compilers to introduce direct vulnerabilities. However, compilers can introduce [timing side channels](#timing-attacks) in code that was intended to be constant-time. Mbed TLS includes countermeasures to try to prevent this. But given the diversity of compilers, compiler options and target platforms, this prevention may not be complete. -We recommend compiling Mbed TLS with commonly used levels of optimizations, such as `-O2` or `-Os`. Higher levels of optimization such as `-O3` or `-Oz` are likely to be safe but are less scrutinized. We do not recommend using less vetted optimization options unless your system is physically isolated. +We recommend compiling Mbed TLS with commonly used levels of optimizations, such as `-O2` or `-Os`. We will generally treat exploitable timing side channels as a vulnerability if they appear with a common compiler at a common level of optimization. Higher levels of optimization such as `-O3` or `-Oz` are still likely to be safe but are less scrutinized. We do not recommend using individual options that might introduce data-dependent timing, and we will not try to work around such optimizations if they are not part of a commonly used level. #### Out-of-scope countermeasures
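Review bot: In PATCH 1/3, the sentence "We use standard C except with known compilers" in the new "Compiler-induced side channels" paragraph is ambiguous: it can be read as "we abandon standard C when the compiler is known", which is presumably not the intent. Suggest rewording so it states plainly what is meant (e.g. that non-standard constructs are used only under known compilers), and double-check that the `#timing-attacks` anchor actually matches an existing heading in SECURITY.md, since a broken intra-document link would silently drop the cross-reference that the paragraph relies on.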
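Review bot: In PATCH 2/3, the new ChangeLog.d/security-advice.txt entry is filed under "Security" although the change only adds documentation and fixes no vulnerability; readers scanning the Security section of a release changelog will expect fixed issues there. Consider whether a non-security category is the better fit, and if "Security" is kept deliberately, the entry could say so in a few more words, e.g. by naming the topic ("compiler optimization options and timing side channels") rather than just "compiler options".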
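Review bot: In PATCH 3/3, the new sentence "We will generally treat exploitable timing side channels as a vulnerability if they appear with a common compiler at a common level of optimization" leaves "common compiler" undefined, which is the one term a reporter needs in order to know whether their finding is in scope; suggest pointing to where the supported compilers are listed, or naming the criterion used (for instance, compilers exercised in the project's own CI). Also, since this patch rewrites a paragraph that PATCH 1/3 introduces in the same series, squashing the two would keep the history free of a version of the policy that was never released.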