|
48 | 48 | //! * if I/O can be isolated to separate profiling events, and doesn't impact |
49 | 49 | //! execution in a more subtle way (see below), the deterministic parts of |
50 | 50 | //! the program can still be profiled with high accuracy |
51 | | -//! * low-level non-determinism (e.g. ASLR, randomized `HashMap`s, thread scheduling) |
| 51 | +//! * intentional uses of randomness may change execution paths, though for |
| 52 | +//! cryptographic operations specifically, "constant time" implementations |
| 53 | +//! are preferred / necessary (in order to limit an external observer's |
| 54 | +//! ability to infer secrets), so they're not as much of a problem |
| 55 | +//! * even otherwise-deterministic machine-local communication (to e.g. system |
| 56 | +//! services or drivers) can behave unpredictably (especially under load) |
| 57 | +//! * while we haven't observed this in the wild yet, it's possible for |
| 58 | +//! file reads/writes to be split up into multiple smaller chunks |
| 59 | +//! (and therefore take more userspace instructions to fully read/write) |
| 60 | +//! * low-level non-determinism (e.g. ASLR, randomized `HashMap`s, timers) |
52 | 61 | //! * ASLR ("Address Space Layout Randomization"), may be provided by the OS for |
53 | 62 | //! security reasons, or accidentally caused through allocations that depend on |
54 | 63 | //! random data (even as low-entropy as e.g. the base 10 length of a process ID) |
|
65 | 74 | //! ASLR and ASLR-like effects, making the entire program more sensitive |
66 | 75 | //! * the default hasher is randomized, and while `rustc` doesn't use it, |
67 | 76 | //! proc macros can (and will), and it's harder to disable than Linux ASLR |
68 | | -//! * `jemalloc` (the allocator used by `rustc`, at least in official releases) |
69 | | -//! has a 10 second "purge timer", which can introduce an ASLR-like effect, |
70 | | -//! unless disabled with `MALLOC_CONF=dirty_decay_ms:0,muzzy_decay_ms:0` |
| 77 | +//! * most ways of measuring time will inherently never perfectly align with |
| 78 | +//! exact points in the program's execution, making time behave like another |
| 79 | +//! low-entropy source of randomness - this also means timers will elapse at |
| 80 | +//! unpredictable points (which can further impact the rest of the execution) |
| 81 | +//! * this includes the common thread scheduler technique of preempting the |
| 82 | +//! currently executing thread with a periodic timer interrupt, so the exact |
| 83 | +//! interleaving of multiple threads will likely not be reproducible without |
| 84 | +//! special OS configuration, or tools that emulate a deterministic scheduler |
| 85 | +//! * `jemalloc` (the allocator used by `rustc`, at least in official releases) |
| 86 | +//! has a 10 second "purge timer", which can introduce an ASLR-like effect, |
| 87 | +//! unless disabled with `MALLOC_CONF=dirty_decay_ms:0,muzzy_decay_ms:0` |
71 | 88 | //! * hardware flaws (whether in the design or implementation) |
72 | 89 | //! * hardware interrupts ("IRQs") and exceptions (like page faults) cause |
73 | 90 | //! overcounting (1 instruction per interrupt, possibly the `iret` from the |
|
0 commit comments