"The user types in a password, which gets checked against a database, character by character. Once the first character doesn't match, an error message is returned. For a close observer trying to break in, the time it takes the system to return that error indicates how many letters of the guessed password the user has already entered correctly. A longer response time indicates more of the password has been guessed."
""Modern software compilers are breaking our code," said René Meusel, sharing his concerns in a FOSDEM talk on February 1. Meusel manages the Botan cryptography library and is also a senior software engineer at Rohde & Schwarz Cybersecurity. As the maintainer of Botan, Meusel is cognizant of all the different ways encryption can be foiled. It's not enough to get the math right. Your software also needs to encrypt and decrypt safely."
Modern compilers transform code into highly optimized forms that can inadvertently remove or alter security safeguards. Timing side channels can leak information when operations like character-by-character password checks return faster on mismatches. Constant-time implementations aim to equalize response times to prevent such leaks. Aggressive compiler optimizations, particularly around Boolean logic and control flow, can undo constant-time guarantees and reintroduce vulnerabilities. Cryptography library maintainers must ensure both mathematically correct algorithms and code patterns that survive compiler transformations. Defensive coding, compiler-aware techniques, and awareness of optimization behaviors are necessary to preserve runtime security properties.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]