From 65a533d905b81fd791b55ed4113f4e3bed4c011f Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef Date: Mon, 26 Oct 2020 04:59:38 +0400 Subject: [PATCH] fragattack: note to code audit cache attacks --- research/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/research/README.md b/research/README.md index d03dcbfc8..87420b283 100644 --- a/research/README.md +++ b/research/README.md @@ -385,6 +385,12 @@ The last two tests are used to simulate our A-MSDU injection attack: which can be useful in case there is a small delay between completion of the handshake and installing the negotiated key. +- Overall it can be tedious to test if a device is vulnerable to cache attacks. Therefore I also recommend to + perform a code audit to check if fragments stay in the memory after disassociating or deauthenticating from + a network or after reassociating (this can also be dynamically checking using debug prints). If fragments + stay in memory, you should consider this as a risk, even if it's unknown whether it can be exploited. This + is similar to knowing an implementation has a buffer overflow but not (yet) knowing how to exploit it. + ## 7.5. Non-consecutive PNs attack (ยง6.2 -- CVE-2020-26146)
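Review bot: the parenthetical in the new bullet, "this can also be dynamically checking using debug prints", is ungrammatical and should read "this can also be checked dynamically using debug prints"; likewise "I also recommend to perform a code audit" reads better as "I also recommend performing a code audit". On substance, the audit criterion lists only disassociation, deauthentication and reassociation as the points after which fragments must not remain in memory, while the preceding context line talks about the delay between completing the handshake and installing the negotiated key; consider adding that the reassembly state should also be cleared whenever a new key is installed, so an auditor checks every point at which the cache is expected to be flushed rather than only the connection teardown paths. Finally, "Overall it can be tedious to test if a device is vulnerable to cache attacks" opens a bullet in the middle of a list of concrete tests; starting it with something like "Testing for cache attacks can be tedious, so I also recommend a code audit: check whether fragments remain in memory after ..." makes it read as the closing advice it is.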