Diffusion FreeBSD src repository f0f6e5038896

tcp: mitigate a side channel for detection of TCP connections
f0f6e5038896
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

tcp: mitigate a side channel for detection of TCP connections

If a blind attacker wants to guess by sending ACK segments if there
exists a TCP connection , this might trigger a challenge ACK on an
existing TCP connection. To make this hit non-observable for the
attacker, also increment the global counter, which would have been
incremented if it would have been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.:
SCAD: Towards a Universal and Automated Network Side-Channel

Vulnerability Detection

Reviewed by: Nick Banks, Peter Lei
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51724

Details

Provenance

Authored on Aug 9 2025, 12:17 PM

Reviewer

Differential Revision

D51724: tcp: mitigate a side channel for detection of TCP connections

Parents

rG2eb786d96e97: tcp: rate limit the sending of all RST segments

Branches

Unknown

Tags

Unknown

Event Timeline

tuexen committed rGf0f6e5038896: tcp: mitigate a side channel for detection of TCP connections (authored by tuexen).Aug 9 2025, 12:17 PM

tuexen added an edge: D51724: tcp: mitigate a side channel for detection of TCP connections.Aug 9 2025, 12:22 PM

tuexen mentioned this in rGd1ab6d36aeb2: tcp: mitigate a side channel for detection of TCP connections.Sep 5 2025, 6:58 PM

Changes (1)

Path

Size

sys/

netinet/

rGf0f6e5038896

sys/netinet/tcp_subr.c

Loading...