IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [timing-attack]

73 questions
4
votes
1 answer

What are security implications of enabling access to performance counters on ARM Cortex A9?

On an ARM Cortex A9 core, privileged instructions have to be executed so that unprivileged code can use performance counters. For instance with this GCC inline code, which would have to be run in a kernel: /* Allow access to perf counter */ __asm__…
Kaz
  • 2,303
  • 16
  • 17
4
votes
0 answers

FLUSH + RELOAD Proof of Concept - Why do we need to flush more than needed?

Problem I am putting together a proof of concept for the FLUSH + RELOAD attack. The method is outlined in great detail in this paper. The general idea is simple - cached addresses can be accessed with much greater speed than addresses not in the…
K. Jiang
  • 91
  • 2
4
votes
2 answers

How to preventing timing attacks against values used for authentication, like emails, stored in Databases?

I am building a web app that allows login with an email and password. I understand that I need to use a timing safe function to compare the passwords to prevent timing attacks. However I realized that the emails might be vulnerable to the same…
JBis
  • 640
  • 5
  • 17
4
votes
1 answer

Can string comparison realistically be exploited in a timing attack on a web server?

Suppose you have the following code in Node: const { token } = req.body const hash = crypto.createHmac('sha256', SECRET).update(token).digest('hex') const user = await User.findById(req.session.userId) if (hash === user.rememberMeHash)…
Alex
  • 141
  • 2
4
votes
1 answer

Timing attack - Is safe to check if strings have the same length?

In Node, you can use crypto.timingSafeEqual() to check if two strings are equal in a timing-attack safe way. But, they must have the same length, so you have to do something like that: return stringOne.length === stringTwo.length &&…
Bob
  • 43
  • 3
4
votes
2 answers

Change the function such that there are no more side-channels

Given is the function compareKey which is a part of a crackme (a binary file). Which side-channel attack can be used to find the right password (password is made up by ASCII coded big and small letters from a-z, and decimals) and how can you design…
eyesima
  • 173
  • 5
4
votes
4 answers

Is sql where queries in authentication prone to timing attacks, if one or no database rows are returned?

Say I have this code for authentication. $me = mysql_query("SELECT * from users WHERE id='$_COOKIE[userid]' && password ='$_COOKIE[pass]'") or die (mysql_error()); $me = mysql_fetch_array($me); To authenticate a user to a website, something…
desbest
  • 201
  • 1
  • 7
4
votes
1 answer

SecureString how to compare against another SecureString that is safe against Timing Attacks?

I see Microsoft provide a SecureString: https://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.110).aspx, is it possible to compare two SecureStrings and ensure it is safe against Timing Attacks?
Coppermill
  • 141
  • 3
3
votes
2 answers

Timing-safe string comparison in high-level languages

I'm looking for a reliable solution to compare two strings without leaking their content through time differences. The length of the strings is not secret. The background is this: I'm implementing password-based authentication for a web application.…
Fleche
  • 4,024
  • 1
  • 17
  • 20
3
votes
1 answer

Does this theoretical salted-hash-sleep scheme mitigate timing attacks?

This question is purely theoretical, I have no intention of ever implementing this scheme in practice. I'm familiar with the shortcomings of sleeping as means of mitigating timing attacks. I'm more interested in this from the attacker's…
PhilipRoman
  • 133
  • 3
3
votes
0 answers

Are there any C++ STL alternatives which is bulletproof against timing attack?

Just out of curiosity, I wonder if there are any packages of popular algorithm/data structures which are secure against timing attack. I think GNU libstdc++ std::string::compare(), std::unordered_map (which employs open addressing) and so on are all…
nodakai
  • 131
  • 3
3
votes
1 answer

Can timing attacks over a webservice be eliminated by standardizing the time it takes to return a request?

For example, would this (pseudo)-code work? let t = timeRightNow() let message = stuffWhoseTimingCantBeLeaked() waitUntilTime(t+1 second) send message Or similar? That way the time that the message is sent doesn't depend on the timing of…
PyRulez
  • 2,937
  • 4
  • 15
  • 29
3
votes
2 answers

Cross-language primitives against string comparison timing attacks?

Related, not a duplicate: Timing Safe String Comparison - Avoiding Length Leak I know about cache misses, let's assume we fit in a cache line swimmingly. Thomas' excellent answer doesn't talk about jitter except that introduced by GC, nor does it…
Deer Hunter
  • 5,297
  • 5
  • 33
  • 50
3
votes
0 answers

SQL security - ACID transactions and locking to prevent financial fraud (timing attack?)

I am trying to prevent something similar to this from happening: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust-flexcoin/ Basically the financial exchange was using non-ACID transactions and multiple requests sent very near in…
ROCK
  • 96
  • 6
2
votes
1 answer

Timeless timing attacks and response jitter

I've been researching timeless timing attacks, ie: timing attacks using concurrency rather than round trip time. Here is an article by portswigger with links to the original article by Van Goethem. Basically it says that if you pack two requests…
wade king
  • 123
  • 4
1 2
3
4 5