8

I have a simple executable binary. It takes as input a user supplied string and compares it with a private string using strcmp. How can I slow down the execution of this program such that I can launch a statistical timing attack on the string comparison? Currently the early-exit nature of strcmp is too slight to detect.

Assume I have local privileges, the binary is owned by another user, and the system is ulimit protected against fork bombs.

While I get that I could use the strings command or reverse engineering to get the private string, this is intended as a POC for the feasibility of timing attacks on compiled programs on modern systems.

robertkin
  • 277
  • 2
  • 6
  • Are you just trying to determine the length of the internal string? – RoraΖ Jun 04 '15 at 03:31
  • @raz strcmp() looks through the strings to be compared, and returns at the first non-equal character. – peterh Jun 04 '15 at 06:08
  • I guess you could just emulate host architecture, and hopefully emulator would have a slowdown option. Probably not the answer you're looking for, since there are easier options when you control the host. – domen Jun 04 '15 at 09:07

2 Answers

3

As long as the binary is linked dynamically, you should be able to LD_PRELOAD it with a custom strcmp implementation which you can hack to be more "cooperative" with the timing attack.

If the binary is linked statically, you'll have to use some more precise time measurement - perhaps utilise HPET somehow?

cptMikky
  • 455
  • 2
  • 5
1

Just loop over the strcmp() e.g. 1,000,000 times.

for (int i = 0; i < 1000000; i++) strcmp(a, b);

This should increase the delta between comparisons by a factor of a million.

And... make sure your compiler does not optimize that away ;-)

fr00tyl00p
  • 2,329
  • 1
  • 15
  • 17
  • 1
    Thanks, but I was looking more for when the binary is pre-compiled. When I can amplify the difference through the way you described, it can be easily detected. However, when the only way to do the strcmp a million times is to run the entire program a million times, I still have the problem with too much noise. – robertkin Jun 04 '15 at 16:59
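To make the early-exit effect the question and both answers talk about concrete, here is an added example (not code from the question or either answer): an instrumented comparison modelled on strcmp that counts how many bytes it examines for several guesses, beside a constant-time comparison that examines a fixed number of bytes whatever the input. The secret, the guesses and the CT_BUF width are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CT_BUF 64 /* fixed comparison width; secrets are assumed shorter than this */

/* Early-exit comparison modelled on strcmp: stops at the first mismatch, so the
 * bytes examined (and the time spent) grow with the prefix the guess shares
 * with the secret. Returns bytes examined; reports equality through *equal. */
size_t early_exit_steps(const char *secret, const char *guess, int *equal)
{
    size_t steps = 0;
    for (;; secret++, guess++) {
        steps++;
        if (*secret != *guess) { *equal = 0; return steps; }
        if (*secret == '\0')   { *equal = 1; return steps; }
    }
}

/* Constant-time comparison: both strings go into zero-filled fixed-width
 * buffers and every byte is examined wherever the difference lies; differences
 * are OR-ed together, so there is no data-dependent branch. (The copies still
 * depend on the strings' lengths, not their contents.) Always returns CT_BUF. */
size_t constant_time_steps(const char *secret, const char *guess, int *equal)
{
    unsigned char s[CT_BUF] = {0}, g[CT_BUF] = {0}, diff = 0;
    size_t i;
    strncpy((char *)s, secret, CT_BUF - 1);
    strncpy((char *)g, guess, CT_BUF - 1);
    for (i = 0; i < CT_BUF; i++)
        diff |= s[i] ^ g[i];
    *equal = (diff == 0);
    return CT_BUF;
}

int main(void)
{
    const char *secret = "secret";   /* constructed sample secret */
    const char *guesses[] = { "a", "sxxxxx", "secrex", "secret" };
    size_t i;
    for (i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        int eq1, eq2;
        size_t n1 = early_exit_steps(secret, guesses[i], &eq1);
        size_t n2 = constant_time_steps(secret, guesses[i], &eq2);
        printf("%-7s early-exit: %zu bytes  constant-time: %zu bytes (equal=%d)\n",
               guesses[i], n1, n2, eq2);
    }
    return 0;
}
```

The step counts are what a timing attack measures indirectly: with the early-exit version they rise by one per correct prefix character, with the constant-time version they are identical for every guess.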