1*62c56f98SSadaf Ebrahimi## Reporting Vulnerabilities 2*62c56f98SSadaf Ebrahimi 3*62c56f98SSadaf EbrahimiIf you think you have found an Mbed TLS security vulnerability, then please 4*62c56f98SSadaf Ebrahimisend an email to the security team at 5*62c56f98SSadaf Ebrahimi<[email protected]>. 6*62c56f98SSadaf Ebrahimi 7*62c56f98SSadaf Ebrahimi## Security Incident Handling Process 8*62c56f98SSadaf Ebrahimi 9*62c56f98SSadaf EbrahimiOur security process is detailed in our 10*62c56f98SSadaf Ebrahimi[security 11*62c56f98SSadaf Ebrahimicenter](https://developer.trustedfirmware.org/w/mbed-tls/security-center/). 12*62c56f98SSadaf Ebrahimi 13*62c56f98SSadaf EbrahimiIts primary goal is to ensure fixes are ready to be deployed when the issue 14*62c56f98SSadaf Ebrahimigoes public. 15*62c56f98SSadaf Ebrahimi 16*62c56f98SSadaf Ebrahimi## Maintained branches 17*62c56f98SSadaf Ebrahimi 18*62c56f98SSadaf EbrahimiOnly the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md), 19*62c56f98SSadaf Ebrahimiget security fixes. 20*62c56f98SSadaf EbrahimiUsers are urged to always use the latest version of a maintained branch. 21*62c56f98SSadaf Ebrahimi 22*62c56f98SSadaf Ebrahimi## Threat model 23*62c56f98SSadaf Ebrahimi 24*62c56f98SSadaf EbrahimiWe classify attacks based on the capabilities of the attacker. 25*62c56f98SSadaf Ebrahimi 26*62c56f98SSadaf Ebrahimi### Remote attacks 27*62c56f98SSadaf Ebrahimi 28*62c56f98SSadaf EbrahimiIn this section, we consider an attacker who can observe and modify data sent 29*62c56f98SSadaf Ebrahimiover the network. This includes observing the content and timing of individual 30*62c56f98SSadaf Ebrahimipackets, as well as suppressing or delaying legitimate messages, and injecting 31*62c56f98SSadaf Ebrahimimessages. 32*62c56f98SSadaf Ebrahimi 33*62c56f98SSadaf EbrahimiMbed TLS aims to fully protect against remote attacks and to enable the user 34*62c56f98SSadaf Ebrahimiapplication in providing full protection against remote attacks. Said 35*62c56f98SSadaf Ebrahimiprotection is limited to providing security guarantees offered by the protocol 36*62c56f98SSadaf Ebrahimibeing implemented. (For example Mbed TLS alone won't guarantee that the 37*62c56f98SSadaf Ebrahimimessages will arrive without delay, as the TLS protocol doesn't guarantee that 38*62c56f98SSadaf Ebrahimieither.) 39*62c56f98SSadaf Ebrahimi 40*62c56f98SSadaf Ebrahimi**Warning!** Block ciphers do not yet achieve full protection against attackers 41*62c56f98SSadaf Ebrahimiwho can measure the timing of packets with sufficient precision. For details 42*62c56f98SSadaf Ebrahimiand workarounds see the [Block Ciphers](#block-ciphers) section. 43*62c56f98SSadaf Ebrahimi 44*62c56f98SSadaf Ebrahimi### Local attacks 45*62c56f98SSadaf Ebrahimi 46*62c56f98SSadaf EbrahimiIn this section, we consider an attacker who can run software on the same 47*62c56f98SSadaf Ebrahimimachine. The attacker has insufficient privileges to directly access Mbed TLS 48*62c56f98SSadaf Ebrahimiassets such as memory and files. 49*62c56f98SSadaf Ebrahimi 50*62c56f98SSadaf Ebrahimi#### Timing attacks 51*62c56f98SSadaf Ebrahimi 52*62c56f98SSadaf EbrahimiThe attacker is able to observe the timing of instructions executed by Mbed TLS 53*62c56f98SSadaf Ebrahimiby leveraging shared hardware that both Mbed TLS and the attacker have access 54*62c56f98SSadaf Ebrahimito. Typical attack vectors include cache timings, memory bus contention and 55*62c56f98SSadaf Ebrahimibranch prediction. 56*62c56f98SSadaf Ebrahimi 57*62c56f98SSadaf EbrahimiMbed TLS provides limited protection against timing attacks. The cost of 58*62c56f98SSadaf Ebrahimiprotecting against timing attacks widely varies depending on the granularity of 59*62c56f98SSadaf Ebrahimithe measurements and the noise present. Therefore the protection in Mbed TLS is 60*62c56f98SSadaf Ebrahimilimited. We are only aiming to provide protection against **publicly 61*62c56f98SSadaf Ebrahimidocumented attack techniques**. 62*62c56f98SSadaf Ebrahimi 63*62c56f98SSadaf EbrahimiAs attacks keep improving, so does Mbed TLS's protection. Mbed TLS is moving 64*62c56f98SSadaf Ebrahimitowards a model of fully timing-invariant code, but has not reached this point 65*62c56f98SSadaf Ebrahimiyet. 66*62c56f98SSadaf Ebrahimi 67*62c56f98SSadaf Ebrahimi**Remark:** Timing information can be observed over the network or through 68*62c56f98SSadaf Ebrahimiphysical side channels as well. Remote and physical timing attacks are covered 69*62c56f98SSadaf Ebrahimiin the [Remote attacks](remote-attacks) and [Physical 70*62c56f98SSadaf Ebrahimiattacks](physical-attacks) sections respectively. 71*62c56f98SSadaf Ebrahimi 72*62c56f98SSadaf Ebrahimi**Warning!** Block ciphers do not yet achieve full protection. For 73*62c56f98SSadaf Ebrahimidetails and workarounds see the [Block Ciphers](#block-ciphers) section. 74*62c56f98SSadaf Ebrahimi 75*62c56f98SSadaf Ebrahimi#### Local non-timing side channels 76*62c56f98SSadaf Ebrahimi 77*62c56f98SSadaf EbrahimiThe attacker code running on the platform has access to some sensor capable of 78*62c56f98SSadaf Ebrahimipicking up information on the physical state of the hardware while Mbed TLS is 79*62c56f98SSadaf Ebrahimirunning. This could for example be an analogue-to-digital converter on the 80*62c56f98SSadaf Ebrahimiplatform that is located unfortunately enough to pick up the CPU noise. 81*62c56f98SSadaf Ebrahimi 82*62c56f98SSadaf EbrahimiMbed TLS doesn't make any security guarantees against local non-timing-based 83*62c56f98SSadaf Ebrahimiside channel attacks. If local non-timing attacks are present in a use case or 84*62c56f98SSadaf Ebrahimia user application's threat model, they need to be mitigated by the platform. 85*62c56f98SSadaf Ebrahimi 86*62c56f98SSadaf Ebrahimi#### Local fault injection attacks 87*62c56f98SSadaf Ebrahimi 88*62c56f98SSadaf EbrahimiSoftware running on the same hardware can affect the physical state of the 89*62c56f98SSadaf Ebrahimidevice and introduce faults. 90*62c56f98SSadaf Ebrahimi 91*62c56f98SSadaf EbrahimiMbed TLS doesn't make any security guarantees against local fault injection 92*62c56f98SSadaf Ebrahimiattacks. If local fault injection attacks are present in a use case or a user 93*62c56f98SSadaf Ebrahimiapplication's threat model, they need to be mitigated by the platform. 94*62c56f98SSadaf Ebrahimi 95*62c56f98SSadaf Ebrahimi### Physical attacks 96*62c56f98SSadaf Ebrahimi 97*62c56f98SSadaf EbrahimiIn this section, we consider an attacker who has access to physical information 98*62c56f98SSadaf Ebrahimiabout the hardware Mbed TLS is running on and/or can alter the physical state 99*62c56f98SSadaf Ebrahimiof the hardware (e.g. power analysis, radio emissions or fault injection). 100*62c56f98SSadaf Ebrahimi 101*62c56f98SSadaf EbrahimiMbed TLS doesn't make any security guarantees against physical attacks. If 102*62c56f98SSadaf Ebrahimiphysical attacks are present in a use case or a user application's threat 103*62c56f98SSadaf Ebrahimimodel, they need to be mitigated by physical countermeasures. 104*62c56f98SSadaf Ebrahimi 105*62c56f98SSadaf Ebrahimi### Caveats 106*62c56f98SSadaf Ebrahimi 107*62c56f98SSadaf Ebrahimi#### Out-of-scope countermeasures 108*62c56f98SSadaf Ebrahimi 109*62c56f98SSadaf EbrahimiMbed TLS has evolved organically and a well defined threat model hasn't always 110*62c56f98SSadaf Ebrahimibeen present. Therefore, Mbed TLS might have countermeasures against attacks 111*62c56f98SSadaf Ebrahimioutside the above defined threat model. 112*62c56f98SSadaf Ebrahimi 113*62c56f98SSadaf EbrahimiThe presence of such countermeasures don't mean that Mbed TLS provides 114*62c56f98SSadaf Ebrahimiprotection against a class of attacks outside of the above described threat 115*62c56f98SSadaf Ebrahimimodel. Neither does it mean that the failure of such a countermeasure is 116*62c56f98SSadaf Ebrahimiconsidered a vulnerability. 117*62c56f98SSadaf Ebrahimi 118*62c56f98SSadaf Ebrahimi#### Block ciphers 119*62c56f98SSadaf Ebrahimi 120*62c56f98SSadaf EbrahimiCurrently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and 121*62c56f98SSadaf EbrahimiDES. The pure software implementation in Mbed TLS implementation uses lookup 122*62c56f98SSadaf Ebrahimitables, which are vulnerable to timing attacks. 123*62c56f98SSadaf Ebrahimi 124*62c56f98SSadaf EbrahimiThese timing attacks can be physical, local or depending on network latency 125*62c56f98SSadaf Ebrahimieven a remote. The attacks can result in key recovery. 126*62c56f98SSadaf Ebrahimi 127*62c56f98SSadaf Ebrahimi**Workarounds:** 128*62c56f98SSadaf Ebrahimi 129*62c56f98SSadaf Ebrahimi- Turn on hardware acceleration for AES. This is supported only on selected 130*62c56f98SSadaf Ebrahimi architectures and currently only available for AES. See configuration options 131*62c56f98SSadaf Ebrahimi `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details. 132*62c56f98SSadaf Ebrahimi- Add a secure alternative implementation (typically hardware acceleration) for 133*62c56f98SSadaf Ebrahimi the vulnerable cipher. See the [Alternative Implementations 134*62c56f98SSadaf EbrahimiGuide](docs/architecture/alternative-implementations.md) for more information. 135*62c56f98SSadaf Ebrahimi- Use cryptographic mechanisms that are not based on block ciphers. In 136*62c56f98SSadaf Ebrahimi particular, for authenticated encryption, use ChaCha20/Poly1305 instead of 137*62c56f98SSadaf Ebrahimi block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG. 138*62c56f98SSadaf Ebrahimi 139*62c56f98SSadaf Ebrahimi#### Everest 140*62c56f98SSadaf Ebrahimi 141*62c56f98SSadaf EbrahimiThe HACL* implementation of X25519 taken from the Everest project only protects 142*62c56f98SSadaf Ebrahimiagainst remote timing attacks. (See their [Security 143*62c56f98SSadaf EbrahimiPolicy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).) 144*62c56f98SSadaf Ebrahimi 145*62c56f98SSadaf EbrahimiThe Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED` 146*62c56f98SSadaf Ebrahimiconfiguration option is defined. This option is off by default. 147