I fell into a rabbit hole today on memcmp() timing analysis for a remote service that verifies an MD5 digest... hours later, it's clear that due to compiler optimizations this is _really_ hard to exploit on most 64-bit machines (it can turn into 2^64 brute force in many cases).
Any tips on modern (remote) timing analysis of memcmp() implementations?
Also, Erlang should probably stop using memcmp() for cookie digest verification.
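
A constant-time replacement for a memcmp()-style check of a 16-byte MD5 digest, shown beside two early-exit comparisons. This is an added example, not part of the original post and not Erlang's code. Assumptions: the 8-byte word loop is a simplified model of an optimized memcmp(), the returned step counts stand in for running time, all function names are hypothetical, and the sample digests are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16 /* MD5 digest size in bytes */

/* Constructed sample digests (not real cookie digests). */
static const uint8_t stored[DIGEST_LEN]     = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
static const uint8_t wrong_at_0[DIGEST_LEN] = {0xff,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
static const uint8_t wrong_at_7[DIGEST_LEN] = {0,1,2,3,4,5,6,0xff,8,9,10,11,12,13,14,15};
static const uint8_t wrong_at_8[DIGEST_LEN] = {0,1,2,3,4,5,6,7,0xff,9,10,11,12,13,14,15};

/* Early-exit byte loop: iterations executed depend on the matching prefix. */
size_t steps_bytewise(const uint8_t *a, const uint8_t *b) {
    for (size_t i = 0; i < DIGEST_LEN; i++)
        if (a[i] != b[i]) return i + 1;
    return DIGEST_LEN;
}

/* Assumed model of an optimized memcmp(): early exit per 8-byte word, so the
   work only changes when a whole 64-bit word matches. */
size_t steps_wordwise(const uint8_t *a, const uint8_t *b) {
    for (size_t i = 0; i < DIGEST_LEN; i += 8) {
        uint64_t x, y;
        memcpy(&x, a + i, sizeof x);
        memcpy(&y, b + i, sizeof y);
        if (x != y) return i / 8 + 1;
    }
    return DIGEST_LEN / 8;
}

/* Hardened check: always touches all 16 bytes, no data-dependent branch. */
int digest_equal_ct(const uint8_t *a, const uint8_t *b) {
    volatile uint8_t diff = 0; /* volatile discourages early-exit rewrites */
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void) {
    const uint8_t *in[] = {wrong_at_0, wrong_at_7, wrong_at_8, stored};
    for (size_t k = 0; k < 4; k++)
        printf("bytewise=%zu wordwise=%zu ct_equal=%d\n",
               steps_bytewise(stored, in[k]), steps_wordwise(stored, in[k]),
               digest_equal_ct(stored, in[k]));
    return 0;
}
```

In production code, a vetted primitive such as OpenSSL's `CRYPTO_memcmp()` is preferable to a hand-rolled loop.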