I'm CCing my advisor, Prof. Zhiyun Qian as well. On Mon, Feb 18, 2019 at 6:31 PM Daimeng Wang <[email protected]> wrote:
> Dear Freetype Development Team, > > We're a group of researchers from University of California Riverside. We > recently discovered that the outline processing (font > translation/decomposition) subroutine in the Freetype version 2.9.1 takes > variable amount of time depending on which character is to be rendered. As > a result, an unprivileged attacker could potentially utilize flush+reload > cache side-channel attack to measure the execution time of said subroutine > to infer user input. Although in most applications, this subroutine is > performed only once for each character of the same font type, we found that > for some applications this is enough for an attacker to extract sensitive > information. > > For detailed information please refer to our paper in the link below. We > would be very happy to work with you to address this issue. Please let us > know what you think. > > https://www.cs.ucr.edu/~zhiyunq/pub/ndss19_cache_keystrokes.pdf > > Sincerely, > Daimeng Wang > > -- > Daimeng Wang > Department of Computer Science & Engineering > University of California, Riverside > > -- Daimeng (Desmond) Wang Department of Computer Science & Engineering University of California, Riverside
_______________________________________________ Freetype-devel mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/freetype-devel
