From c05f1506f41ef548680f4898245f693632a78152 Mon Sep 17 00:00:00 2001
From: Manuel Pégourié-Gonnard
Date: Wed, 6 Nov 2019 10:15:26 +0100
Subject: [PATCH] Introduce return values for tinycrypt functions

Currently functions that may return success or failure tend to do so by
returning 0 or 1. If an active physical attacker can flip a bit in memory or
registers at the right time, they may easily change a failure value into a
success value, with potentially catastrophic security consequences.

As typical attackers can only flip a few bits, an element of protection
against such attacks is to ensure a sufficient Hamming distance between
failure values and the success value. This commit introduces such values,
which will be put to use in critical functions in future commits.

In addition to SUCCESS and FAILURE, a third value ATTACK_DETECTED is
introduced, which can be used later when suspicious-looking events are noticed
(static data changed when it shouldn't, double condition checking returning
inconsistent results, etc.).

Values are chosen so that Hamming distances are large, and that no value is
the complement of another, in order to avoid unwanted compiler optimisations.

Note: the error values used by Mbed TLS are already safe (assuming 32-bit
integers) as they are of the form -x with x in the range [1, 2^15) so their
Hamming distance with the success value (0) is at least 17, so it's hard for
an attacker to turn an error value into the success value (or vice-versa).
---
 include/tinycrypt/ecc.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/tinycrypt/ecc.h b/include/tinycrypt/ecc.h
index 2da74b3c0a..9a705c495b 100644
--- a/include/tinycrypt/ecc.h
+++ b/include/tinycrypt/ecc.h
@@ -83,6 +83,13 @@ extern "C" { #endif +/* Return values for functions, chosen with large Hamming distances between + * them (especially to SUCESS) to mitigate the impact of fault injection + * attacks flipping a low number of bits. */ +#define UECC_SUCCESS 0 +#define UECC_FAILURE 0x75555555 +#define UECC_ATTACK_DETECTED 0x7aaaaaaa + /* Word size (4 bytes considering 32-bits architectures) */ #define uECC_WORD_SIZE 4
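
Review bot: the comment above the three new defines should state the width assumption the values depend on, because the Hamming distances only hold while a function returns them as a full 32-bit int; if a later caller or wrapper narrows the result to 8 bits, 0x75555555 becomes 0x55 and is only four bit flips away from UECC_SUCCESS. I would add a sentence to that comment saying the values must be returned and compared as int, that callers should test for equality with UECC_SUCCESS, and that no value is the complement of another (the commit message says this but the header does not). The same comment misspells the macro as "SUCESS"; it should read "SUCCESS". Style point: the new names use an upper-case UECC_ prefix while the neighbouring define in the trailing context is uECC_WORD_SIZE, so either match the existing prefix or note in the comment why these differ.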
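
The distance claims in the commit message can be checked mechanically. The following is an added example, not part of the patch or of the tinycrypt or Mbed TLS code; the three values are copied from the hunk, the helper names (`hamming32`, `is_complement`, `min_distance_neg_errors`) are hypothetical, and 32-bit integers are assumed as in the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the patch; all helper names below are hypothetical. */
#define UECC_SUCCESS          0
#define UECC_FAILURE          0x75555555
#define UECC_ATTACK_DETECTED  0x7aaaaaaa

/* Bit flips needed to turn a into b (32-bit Hamming distance). */
static unsigned hamming32(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    unsigned n = 0;
    while (x != 0) {
        x &= x - 1;            /* clear the lowest set bit */
        n++;
    }
    return n;
}

/* 1 if b is the bitwise complement of a, which the commit wants to avoid. */
static int is_complement(uint32_t a, uint32_t b)
{
    return (uint32_t)~a == b;
}

/* Smallest distance to success (0) over error codes -x, x in [1, 2^15). */
static unsigned min_distance_neg_errors(void)
{
    unsigned best = 32;
    for (int32_t x = 1; x < (1 << 15); x++) {
        unsigned d = hamming32((uint32_t)-x, 0);
        if (d < best)
            best = d;
    }
    return best;
}

int main(void)
{
    printf("legacy 0 vs 1:            %u\n", hamming32(0, 1));
    printf("SUCCESS vs FAILURE:       %u\n", hamming32(UECC_SUCCESS, UECC_FAILURE));
    printf("SUCCESS vs ATTACK:        %u\n", hamming32(UECC_SUCCESS, UECC_ATTACK_DETECTED));
    printf("FAILURE vs ATTACK:        %u\n", hamming32(UECC_FAILURE, UECC_ATTACK_DETECTED));
    printf("min over -x, x < 2^15:    %u\n", min_distance_neg_errors());
    return 0;
}
```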