Comments (5)
The whole system needs to be protected.
Exactly.
It looks like this was answered in the libsodium repository, so, I'm going to close this issue.
from halite.
On the surface it would see that the answer to this question is "probably no", however I wonder if the great effort that libsodium has go to, in order to protect memory space; that this library and other libsodium projects are immune or "not as vulnerable" to these types of attacks.
That would be a good answer for the libsodium repo but I think you're right that the answer is "probably no" since the problem exists much lower than a userspace library.
from halite.
"A tiny tiny tiny bit". libsodium, even in the stable branch, will try to use the retpoline trick if the compiler supports it (currently only clang, and if the flags to do so doesn't change), to provide some mitigation against CVE-2017-5715.
But this is clearly insufficient. The whole system needs to be protected.
from halite.
Good call @paragonie-scott, I just asked over in jedisct1/libsodium#659.
I expect all the information here is probably as complete as it can be with current information that's been made available on the internet, so I don't entirely expect any different of an answer.
I would love to see proof of concept code on these issues so we could actually do a real world test.
from halite.
Just a followup since I spent the weekend with people working on LLVM and Spectre mitigations.
What requires to be recompiled ia anything that allows untrusted users to execute arbitrary code, or rather, trigger speculative reads to arbitrary memory locations.
The kernel absolutely requires to be protected. Along with web browsers and anything embedding JITs and bytecode interpreters.
Everything else... not so much.
from halite.
Related Issues (20)
- getKeyDataFromString hash validation fail HOT 8
- Invalid message authentication code HOT 1
- export/import string Asymmetric-Key Encryption keypair? HOT 3
- password protected secretKey? And: change password without changing publicKey? HOT 2
- Switch to ChaCha20 for symmetric encryption HOT 6
- What if you already have a RSA 2048 key and you want to use it instead of generating a new key? HOT 2
- Use EC brainpoolP256r1 key for encryption/decryption HOT 6
- Asymmetric authenticated file encryption/decryption HOT 3
- Create a different key pr environment HOT 3
- PHP 8.0 < 8.1 -- real slow due to XChaCha20 polyfill HOT 8
- halite for Python HOT 2
- php opcache.preload won't work because of conditional functions HOT 2
- Decrypting a file to output buffer fails HOT 1
- 'Expected hexadecimal character' exception from $cookie->fetch() after upgrade
- Is there a reason why the result of Symmetric::encrypt() always starts with 'MUIFA'? HOT 1
- Make use of PHP 8.2's #[\SensitiveParameter] to improve security
- Invalid message authentication code HOT 1
- invalid version tag when migrating from halite 4.8.0 to 5.1.0
- Uncaught PHP Exception RangeException: \"Expected hexadecimal character\ on symfony HOT 1
- Question: Can this library be used to decrypt Web Push Notifications from Mastodon?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from halite.