W3C home > Mailing lists > Public > public-web-security@w3.org > October 2011

Re: Security implications of network timing

From: Paul McMillan <paul@mcmillan.ws>
Date: Fri, 7 Oct 2011 17:54:25 -0700
Message-ID: <CAO_YWRUuyNPXu9ctqZdXu__nyBdJt5N2AAoFtTMjZN0RM6QXFA@mail.gmail.com>
Cc: public-web-security@w3.org
> only possible with the addition of this data. Can you please elaborate
> to provide specific novel attack vectors that arise as a result of
> providing this new data, so we can analyze them and confirm that they
> are indeed not possible without the data provided by resource timing?

To be clear, I'm talking about timing attacks against server-side
vulnerabilities like string equality comparisons, which allow
attackers to figure out authentication tokens. I'm not talking about
the privacy issue, or the blind SQLi technique of "wait for 10 seconds
if true". A good intro to the issue is here:
http://codahale.com/a-lesson-in-timing-attacks/

The timing data that is currently available is extremely rough. It
includes the lookup time, connection time, and of course the delivery
of content. The content of an attacked resource is usually composed of
multiple packets, and by the time they all arrive and get processed,
they obliterate the signal. With the proposed additions, responseStart
- requestStart provides a good proxy for what we really care about -
how long the request took to compute.

Dedicated attack tools can resolve timing differences down into the
tens of nanoseconds on a LAN. These additions will improve attack
capabilities by (handwaving) several orders of magnitude at least.
This allows exploitation of an entirely different class of
vulnerabilities. Right now, browser-facilitated timing attacks are
impractical except in cases like blind SQLi where your difference is
measured in seconds. With the additions, I can measure how long it
took to process a login request in order to build a list of valid
usernames to use with brute force password guessing. Or attack an
appliance (slower CPU, easier target) that has a check of the form "if
this long token is equal to the provided value, grant access".

Imagine a customer web router with an XSS vulnerability in some
non-logged in portion of the interface (very common, especially in
help menus). Most of the security of the device lies in the fact that
the password is written on the bottom of it, and the interface is not
accessible from the public internet. With your new additions, a
javascript injection can work out the password for the device, one
character at a time. This is assisted by the fact that the device CPU
is slow and that the programmers didn't use a timing-independent
comparison function, but this attack would not be possible without the
level of detail you propose to add.

Unfortunately, the best mitigation I've come up with is to make the
feature entirely opt-in via header. Maybe this will encourage people
to take timing issues more seriously, but I doubt it. The balancing
act between features and security is always hard. This sounds really
useful, and the fact that it allows the exploitation of existing
issues probably shouldn't stand in its way.

-Paul
Received on Saturday, 8 October 2011 00:55:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 8 October 2011 00:55:18 GMT