
tcp: mitigate a side channel for detection of TCP connections
Closed, Public

Authored by tuexen on Aug 4 2025, 6:20 PM.

Details

Summary

If a blind attacker wants to guess, by sending ACK segments, whether there exists a TCP connection, this might trigger a challenge ACK on an existing TCP connection. To make this hit non-observable for the attacker, also increment the global counter, which would have been incremented if it had been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.: SCAD: Towards a Universal and Automated Network Side-Channel Vulnerability Detection.
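
The invariant the summary describes, as an added model that is not the FreeBSD change or code from this review: after a blind ACK, the global counter must hold the same value whether or not a connection existed. The names `BUDGET`, `charge`, `counter_after` and `leaks` are hypothetical, and treating the counter as a capped per-interval reply budget is an assumption, since the page does not show the counter itself.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption: the global counter is a per-interval reply budget shared by all peers. */
#define BUDGET 5

struct stack {
    int counter;     /* global counter (hypothetical model) */
    bool mitigated;  /* true: a hit is charged to the counter too */
};

/* Charge one reply to the global counter unless the budget is used up. */
static void charge(struct stack *s)
{
    if (s->counter < BUDGET)
        s->counter++;
}

/* Handle one blind ACK; returns the global counter value afterwards. */
static int counter_after(bool mitigated, int start, bool connection_exists)
{
    struct stack s = { start, mitigated };

    if (!connection_exists)
        charge(&s);            /* non-hit: counter is incremented */
    else if (s.mitigated)
        charge(&s);            /* hit: challenge ACK, counter incremented as well */
    /* hit without mitigation: challenge ACK only, counter untouched */
    return s.counter;
}

/* True if some starting counter value lets hit and non-hit be told apart. */
static bool leaks(bool mitigated)
{
    for (int start = 0; start <= BUDGET; start++)
        if (counter_after(mitigated, start, true) !=
            counter_after(mitigated, start, false))
            return true;
    return false;
}

int main(void)
{
    printf("before: leaks=%d\n", leaks(false));
    printf("after:  leaks=%d\n", leaks(true));
    return 0;
}
```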

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable