
tcp: mitigate a side channel for detection of TCP connections
Closed, Public

Authored by tuexen on Aug 4 2025, 6:20 PM.

Details

Summary

If a blind attacker wants to guess, by sending ACK segments, whether there exists a TCP connection, this might trigger a challenge ACK on an existing TCP connection. To make this hit non-observable for the attacker, also increment the global counter, which would have been incremented if it had been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.: SCAD: Towards a Universal and Automated Network Side-Channel Vulnerability Detection.
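The following is an added model of the mechanism the summary describes; it is not FreeBSD's TCP code and is not part of this review. It assumes a shared global counter that rate-limits responses to segments matching no connection, and compares how far that counter moves after a burst of ACK segments aimed at an existing connection (hit) versus a non-existent one (non-hit), with and without the change. The connection tuple, the limit value and the probe count are constructed.

```python
"""Model of the challenge-ACK side channel and its mitigation.

Constructed model, not FreeBSD's TCP code: the connection table, the
global response budget and the 4-tuples are all assumptions.
"""
from dataclasses import dataclass, field

GLOBAL_LIMIT = 100  # responses allowed per interval; constructed value


@dataclass
class TcpStack:
    mitigated: bool                                  # True = after this change
    connections: set = field(default_factory=set)   # known 4-tuples (constructed)
    global_count: int = 0                            # shared rate-limit counter

    def handle_ack(self, four_tuple) -> str:
        """Process one incoming ACK segment and return the response kind."""
        if four_tuple in self.connections:
            # Hit: an existing connection answers with a challenge ACK.
            # The change also charges this against the global counter, so the
            # counter's movement no longer depends on whether the guess was a hit.
            if self.mitigated:
                self.global_count += 1
            return "challenge-ack"
        # Non-hit: the response is subject to the global rate limit.
        if self.global_count >= GLOBAL_LIMIT:
            return "dropped"
        self.global_count += 1
        return "rst"


def counter_delta(mitigated: bool, hit: bool, probes: int = 10) -> int:
    """Return how far the global counter moves after `probes` ACK segments."""
    stack = TcpStack(mitigated)
    existing = ("10.0.0.1", 443, "10.0.0.2", 50000)   # constructed connection
    absent = ("10.0.0.1", 443, "10.0.0.2", 50001)     # constructed non-connection
    stack.connections.add(existing)
    target = existing if hit else absent
    for _ in range(probes):
        stack.handle_ack(target)
    return stack.global_count


def hit_is_observable(mitigated: bool) -> bool:
    """True when the counter's movement differs between hit and non-hit,
    i.e. when the shared counter leaks whether the guessed connection exists."""
    return counter_delta(mitigated, True) != counter_delta(mitigated, False)
```

With the old behaviour the counter does not move on hits, so the two cases differ; with the change both cases move it by the same amount.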

Diff Detail

Repository
rG FreeBSD src repository