
tcp: mitigate a side channel for detection of TCP connections
ClosedPublic

Authored by tuexen on Aug 4 2025, 6:20 PM.

Details

Summary

If a blind attacker wants to guess by sending ACK segments if there exists a TCP connection, this might trigger a challenge ACK on an existing TCP connection. To make this hit non-observable for the attacker, also increment the global counter, which would have been incremented if it had been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.: SCAD: Towards a Universal and Automated Network Side-Channel Vulnerability Detection.
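The leak the summary describes, modelled as an added example (this is not FreeBSD's code; the budget of 100, the counter and all helper names are assumptions): a shared counter that the miss path charges but the hit path does not is readable by anyone who can exhaust it, and charging it on both paths makes the two outcomes identical.

```c
#include <stdbool.h>

/* Toy model (added example, not FreeBSD code; budget value and names assumed).
 * One host-wide counter, reset each interval, rate-limits responses. Before the
 * fix, a probe ACK that hits an existing connection triggers a challenge ACK to
 * the real peer without touching the counter; a probe that misses charges it. */
#define GLOBAL_LIMIT 100   /* assumed per-interval budget */
struct host {
    int global_count;  /* responses already charged to the budget this interval */
    bool mitigated;    /* true: the hit path also charges the budget */
};
/* Charge one response to the global budget; false once it is exhausted. */
static bool global_limit_take(struct host *h)
{
    if (h->global_count >= GLOBAL_LIMIT)
        return false;
    h->global_count++;
    return true;
}
/* Host side: handle one ACK probe for a guessed 4-tuple. `hit` is whether that
 * connection exists (known to the host, not the prober). Returns whether the
 * prober itself receives a response. */
static bool process_probe(struct host *h, bool hit)
{
    if (!hit)
        return global_limit_take(h); /* miss: rate-limited response to the prober */
    /* hit: the challenge ACK goes to the real peer, so the prober sees nothing */
    if (h->mitigated)
        (void)global_limit_take(h);  /* fix: charge the budget exactly as a miss would */
    return false;
}
/* Prober side: count replies a known-miss tuple still yields this interval,
 * which reveals how much global budget is left. */
static int measure_remaining_budget(struct host *h)
{
    int replies = 0;
    for (int i = 0; i < GLOBAL_LIMIT; i++)
        if (process_probe(h, false))
            replies++;
    return replies;
}
/* One fresh interval: send a single guessed probe, then measure. */
static int experiment(bool mitigated, bool guess_is_hit)
{
    struct host h = { .global_count = 0, .mitigated = mitigated };
    process_probe(&h, guess_is_hit);
    return measure_remaining_budget(&h);
}
```

Without the fix a hit leaves the full budget measurable while a miss leaves one less, so the prober can tell them apart; with the fix both leave the same remainder.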

Diff Detail

Repository
rG FreeBSD src repository