RustCrypto CMOV Conditional Move Intrinsics Non-Constant Time Vulnerability on Cortex M0/M0+/M1

Vulnerability

A vulnerability exists in the RustCrypto CMOV library in versions prior to 0.4.4 when it is compiled for the thumbv6m-none-eabi target (Cortex-M0, M0+, and M1 processors). On that target the portable implementation of the conditional move intrinsic 'cmovnz' is compiled into assembly that is not constant time. Because the execution time then varies with the inputs, an attacker who can measure that timing may be able to infer information the intrinsic was meant to hide.

Impact

The timing differences introduced by the non-constant-time code can be observed in a side-channel attack, allowing an attacker to infer sensitive information from the variations in execution time.

Reproduction

To reproduce this vulnerability, create a library crate that depends on the RustCrypto CMOV library. In 'src/lib.rs', implement a function that uses the 'cmovnz' intrinsic. Compile the crate for the 'thumbv6m-none-eabi' target and examine the generated assembly: the code emitted for the 'cmovnz' operation is not constant time, which demonstrates the vulnerability.
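The example below is added here to illustrate the kind of primitive the advisory concerns; it is not the cmov crate's own code and does not use the crate's API, so it builds without dependencies. It shows a portable, branch-free conditional move (function name cmovnz_portable, the normalisation trick and all other names are assumptions) next to the branching form a compiler may legitimately rewrite it into, and a functional check over every condition byte that passes for both. The point of the check is the caveat: functional tests cannot detect this class of defect, because both forms return identical values; only the emitted assembly for the target shows whether a branch was introduced.

```rust
// Added example, not the cmov crate's own implementation. Function names and
// the normalisation trick are assumptions chosen for illustration.

/// Portable conditional move: returns `value` when `condition` is non-zero
/// and `current` otherwise, written with arithmetic and bitwise operations
/// only so that the *source* contains no branch.
#[inline(never)] // keep a separate symbol so it is easy to find in the .s output
pub fn cmovnz_portable(current: u32, value: u32, condition: u8) -> u32 {
    let c = condition as u32;
    // (c | -c) has its top bit set exactly when c != 0, so this yields 0 or 1
    // for any condition byte, not only for 0 and 1.
    let is_nonzero = (c | c.wrapping_neg()) >> 31;
    // Expand that single bit into an all-ones or all-zeros mask.
    let mask = is_nonzero.wrapping_neg();
    (current & !mask) | (value & mask)
}

/// The branching form. It returns the same values, but its execution time
/// depends on `condition`. A compiler is free to rewrite the mask form into
/// this shape, which is why the generated assembly, not the source, decides
/// whether the primitive is constant time.
#[inline(never)]
pub fn cmovnz_branching(current: u32, value: u32, condition: u8) -> u32 {
    if condition != 0 { value } else { current }
}

/// Functional equivalence check over every condition byte. Passing this says
/// nothing about timing: a test like this cannot detect the issue described
/// in the advisory; only inspection of the emitted assembly can.
pub fn forms_agree(current: u32, value: u32) -> bool {
    (0..=u8::MAX).all(|c| {
        cmovnz_portable(current, value, c) == cmovnz_branching(current, value, c)
    })
}

fn main() {
    println!("cmovnz(7, 9, cond=0) = {}", cmovnz_portable(7, 9, 0));
    println!("cmovnz(7, 9, cond=1) = {}", cmovnz_portable(7, 9, 1));
    println!("forms agree for all condition bytes: {}", forms_agree(7, 9));
    // To inspect what the compiler actually emitted for the Cortex-M0 target,
    // place the two functions above in a #![no_std] library crate (no main,
    // no println) and run:
    //   rustup target add thumbv6m-none-eabi
    //   cargo rustc --release --target thumbv6m-none-eabi -- --emit asm
    // then search the .s file under target/ for cmovnz_portable and look for
    // conditional branch instructions (beq, bne, ...) inside its body.
}
```

The `#[inline(never)]` attribute keeps each function as its own symbol so the assembly for it can be located and read in isolation; with inlining the conditional move would be merged into its caller and the branch, if any, would be harder to attribute.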

Remediation

Users should update to RustCrypto CMOV version 0.4.4 or later, where this vulnerability has been fixed.

Added: Jan 15, 2026, 8:21 PM
Updated: Jan 15, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.