CPU Flooding

From SQRLauth.net
Jump to: navigation, search

CPU Flooding is an act carried out by a piece of malware where every one of the CPU's cores is fully loaded with pseudorandom operations.

In most modern operating systems, this is not very effective as a Denial of Service attack since the operating system will manage how processes use the CPU, and can terminate any process that ties up the CPU without responding to messages from the operating system.

However, with SQRL we are worried about a different effect such an attack could have: weakening the hardening of the Master Password through EnScrypt. A clever malware writer could conceivably make malware that would observe the SQRL process and launch its flood in the event the SQRL process's CPU usage spikes. This may correlate with the initiation of EnScrypt, which by design is processor intensive. If the particular EnScrypt operation is the generation of a new encryption key from the Master Password, then this attack would mean that considerably fewer iterations of EnScrypt would be run in the (by default) 5 seconds EnScrypt takes to run.

Moreover, commonly-used operating systems such as Windows don't alert the user of an unresponsive application until 5 seconds has elapsed, at which point EnScrypt has finished running.

The upshot for the attacker is that the Master Password will now be easier to brute-force in the event that the identity is stolen.

So far, no mitigation for this attack is known. Experiments will have to be done to find plausible ways of doing so, which could involve the client observing the overall CPU usage of the device during EnScrypt operations and warning the user or compensating for any deficiency automatically.