[WIP] Skewed RNGs that trigger corner cases #59
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR addresses #53.
An uniform RNG has a hard time triggering carry paths, especially with 64-bit word, the probability is 2^-64 * 2^-64 = 2^-128.
A significant amount of algebra bugs in established libraries like OpenSSL are due to carries.
Most fuzzing tools like AFL or LibFuzzer are branch coverage based, but constant-time code is branchless so it's likely that they won't focus on the carry path as it's indistinguishable from the normal path from a Control Flow Graph perspective.
Add a RNG biaised towards high Hamming Weight words
Add the same RNG as libsecp256k1 that produces long sequences of 1111... and 0000...
and found CVE-2014-3570 in OpenSSL and would likely have found similar bug in TweetNaCK: https://gist.github.com/CodesInChaos/8374632
Use them in testing, in particular check if they can trigger the same edge cases as Modular Square Root (spurious?) failure for FKM12_447 #30, Fused modular square root on 32-bit - wrong "isSquare" result #42 and Fused modular square root on 32-bit - wrong "isSquare" result #43 that are targeted for solving in Fuzzing campaign fixes #58