| Tom Cosgrove | 0b86ac1 | 2022-07-29 13:44:01 +0100 | [diff] [blame] | 1 | ## Reporting Vulnerabilities |
| Manuel Pégourié-Gonnard | a21abf2 | 2021-02-25 11:41:38 +0100 | [diff] [blame] | 2 | |
| 3 | If you think you have found an Mbed TLS security vulnerability, then please |
| 4 | send an email to the security team at |
| 5 | <mbed-tls-security@lists.trustedfirmware.org>. |
| 6 | |
| 7 | ## Security Incident Handling Process |
| 8 | |
| Shaun Case | 8b0ecbc | 2021-12-20 21:14:10 -0800 | [diff] [blame] | 9 | Our security process is detailed in our |
| Gilles Peskine | a23df13 | 2021-03-16 12:04:44 +0100 | [diff] [blame] | 10 | [security |
| Manuel Pégourié-Gonnard | a21abf2 | 2021-02-25 11:41:38 +0100 | [diff] [blame] | 11 | center](https://developer.trustedfirmware.org/w/mbed-tls/security-center/). |
| 12 | |
| 13 | Its primary goal is to ensure fixes are ready to be deployed when the issue |
| 14 | goes public. |
| 15 | |
| 16 | ## Maintained branches |
| 17 | |
| Gilles Peskine | a23df13 | 2021-03-16 12:04:44 +0100 | [diff] [blame] | 18 | Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md), |
| 19 | get security fixes. |
| Manuel Pégourié-Gonnard | a21abf2 | 2021-02-25 11:41:38 +0100 | [diff] [blame] | 20 | Users are urged to always use the latest version of a maintained branch. |
| Janos Follath | 18d4173 | 2023-02-24 16:00:21 +0000 | [diff] [blame] | 21 | |
| 22 | ## Threat model |
| 23 | |
| 24 | We use the following classification of attacks: |
| 25 | |
| 26 | - **Remote Attacks:** The attacker can observe and modify data sent over the |
| Janos Follath | 144dd7d | 2023-03-03 14:56:38 +0000 | [diff] [blame^] | 27 | network. This includes observing the content and timing of individual packets, |
| 28 | as well as suppressing or delaying legitimate messages, and injecting messages. |
| Janos Follath | 24792d0 | 2023-03-03 14:16:12 +0000 | [diff] [blame] | 29 | - **Timing Attacks:** The attacker can gain information about the time taken |
| 30 | by certain sets of instructions in Mbed TLS operations. |
| Janos Follath | 18d4173 | 2023-02-24 16:00:21 +0000 | [diff] [blame] | 31 | - **Physical Attacks:** The attacker has access to physical information about |
| 32 | the hardware Mbed TLS is running on and/or can alter the physical state of |
| 33 | the hardware. |
| 34 | |
| 35 | ### Remote attacks |
| 36 | |
| Janos Follath | 144dd7d | 2023-03-03 14:56:38 +0000 | [diff] [blame^] | 37 | Mbed TLS aims to fully protect against remote attacks and to enable the user |
| 38 | application in providing full protection against remote attacks. Said |
| 39 | protection is limited to providing security guarantees offered by the protocol |
| 40 | in question. (For example Mbed TLS alone won't guarantee that the messages will |
| 41 | arrive without delay, as the TLS protocol doesn't guarantee that either.) |
| Janos Follath | 18d4173 | 2023-02-24 16:00:21 +0000 | [diff] [blame] | 42 | |
| 43 | ### Timing attacks |
| 44 | |
| Janos Follath | 144dd7d | 2023-03-03 14:56:38 +0000 | [diff] [blame^] | 45 | Mbed TLS provides limited protection against timing attacks. The cost of |
| 46 | protecting against timing attacks widely varies depending on the granularity of |
| 47 | the measurements and the noise present. Therefore the protection in Mbed TLS is |
| 48 | limited. We are only aiming to provide protection against publicly documented |
| 49 | attacks, and this protection is not currently complete. |
| Janos Follath | 18d4173 | 2023-02-24 16:00:21 +0000 | [diff] [blame] | 50 | |
| Janos Follath | 24792d0 | 2023-03-03 14:16:12 +0000 | [diff] [blame] | 51 | **Warning!** Block ciphers do not yet achieve full protection. For |
| Janos Follath | 18d4173 | 2023-02-24 16:00:21 +0000 | [diff] [blame] | 52 | details and workarounds see the section below. |
| 53 | |
| 54 | #### Block Ciphers |
| 55 | |
| Janos Follath | 24792d0 | 2023-03-03 14:16:12 +0000 | [diff] [blame] | 56 | Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and DES. |
| Janos Follath | 144dd7d | 2023-03-03 14:56:38 +0000 | [diff] [blame^] | 57 | The pure software implementation in Mbed TLS implementation uses lookup tables, |
| 58 | which are vulnerable to timing attacks. |
| Janos Follath | 18d4173 | 2023-02-24 16:00:21 +0000 | [diff] [blame] | 59 | |
| 60 | **Workarounds:** |
| 61 | |
| 62 | - Turn on hardware acceleration for AES. This is supported only on selected |
| 63 | architectures and currently only available for AES. See configuration options |
| 64 | `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details. |
| Janos Follath | 144dd7d | 2023-03-03 14:56:38 +0000 | [diff] [blame^] | 65 | - Add a secure alternative implementation (typically hardware acceleration) for |
| 66 | the vulnerable cipher. See the [Alternative Implementations |
| 67 | Guide](docs/architecture/alternative-implementations.md) for more information. |
| 68 | - Use cryptographic mechanisms that are not based on block ciphers. In |
| 69 | particular, for authenticated encryption, use ChaCha20/Poly1305 instead of |
| 70 | block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG. |
| Janos Follath | 18d4173 | 2023-02-24 16:00:21 +0000 | [diff] [blame] | 71 | |
| 72 | ### Physical attacks |
| 73 | |
| Janos Follath | 144dd7d | 2023-03-03 14:56:38 +0000 | [diff] [blame^] | 74 | Physical attacks are out of scope (eg. power analysis or radio emissions). Any |
| 75 | attack using information about or influencing the physical state of the |
| 76 | hardware is considered physical, independently of the attack vector. (For |
| 77 | example Row Hammer and Screaming Channels are considered physical attacks.) If |
| 78 | physical attacks are present in a use case or a user application's threat |
| 79 | model, it needs to be mitigated by physical countermeasures. |