I found that memcmp() will return false earlier if the first byte is different in both strings, and I thought it has a timing attack risk. However, when I tried to find out if there were other functions that had side-channel risks like memcmp, I couldn't find any information.
Are there other C standard library functions like memcmp that have timing side-channel risk?
346 Views Asked by zhxf7481 At
Yes.
strcmp and friends all work the same way. If in the rare case you are timing attack sensitive you have to write all your own comparison loops. The compiler can quite often optimize them back into timing sensitive loops now too, so you end up compiling such files with -O0. I know, so sad.
Typically you don't have this problem because you compare hashes.
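An added example, not part of the answer above: it puts an early-exit comparison next to a hand-written constant-time one and reports how many bytes each guess causes the early-exit loop to read. The function names and sample strings are constructed for illustration. The volatile qualifiers are one common way to stop the compiler from reintroducing an early exit, but the generated assembly should still be checked for the target compiler.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison, the shape of a simple memcmp/strcmp loop.
 * Returns how many bytes it read before deciding; that count is what
 * a timing measurement approximates. */
size_t leaky_bytes_read(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;
    for (i = 0; i < n; i++)
        if (pa[i] != pb[i])
            return i + 1;          /* stops at the first mismatch */
    return n;
}

/* Constant-time equality: always reads all n bytes and has no
 * data-dependent branch. The volatile qualifiers make every byte read
 * an observable access, so the compiler cannot add an early exit. */
int ct_equal(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned int diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned int)(pa[i] ^ pb[i]);
    /* diff is 0..255; (diff - 1) >> 8 has its low bit set only for 0 */
    return (int)(1u & ((diff - 1u) >> 8));
}

int main(void)
{
    /* Constructed sample values, not real credentials. */
    const char secret[] = "S3cr3t!!";
    const char *guesses[] = { "X3cr3t!!", "S3cX3t!!", "S3cr3tXX", "S3cr3t!!" };
    size_t i;
    for (i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("%s  early-exit reads %zu of 8 bytes, ct_equal=%d\n",
               guesses[i], leaky_bytes_read(secret, guesses[i], 8),
               ct_equal(secret, guesses[i], 8));
    return 0;
}
```

Where a vetted primitive is available, such as OpenSSL's CRYPTO_memcmp, OpenBSD's timingsafe_bcmp or libsodium's sodium_memcmp, it is preferable to a hand-rolled loop.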