Time Trial: Racing Towards Practical Timing Attacks

Presented at Black Hat USA 2014, Aug. 7, 2014, 2:15 p.m. (60 minutes)

Attacks on software become increasingly sophisticated over time, and while the community has a good understanding of many classes of vulnerabilities that are commonly exploited, the practical relevance of side-channel attacks is much less understood. One common side-channel vulnerability present in many web applications today is the timing side-channel, which allows an attacker to extract information based on different response times. These side-channel vulnerabilities are easily introduced wherever sensitive values such as credentials or API keys are processed before responding to a client. Even though there is basic awareness of timing side-channel attacks in the community, they often go unnoticed or are flagged during code audits without a true understanding of their exploitability in practice.

In this talk, we provide both a tool, 'time trial', and guidance on the detection and exploitability of timing side-channel vulnerabilities in common web application scenarios. Specifically, the focus of our presentation is on remote timing attacks, which are performed over a LAN, in a cloud environment, or on the Internet. To illustrate this, we first present experimental timing results that demonstrate how precisely timing can be measured and, more importantly, which timing differences can be distinguished remotely. Second, we compare our results with timing differences that are typically encountered in modern web frameworks and servers. The discussed attack scenarios include database queries, message authentication codes, web API keys, OAuth tokens, and login functions.

Our presentation has significance for a wide spectrum of the conference audience. Attendees in defensive security roles will gain a better understanding of the threat timing side-channel vulnerabilities pose and, based on the demonstrated attacks, will be better able to evaluate the severity and impact of a successful side-channel attack. Attendees in a penetration testing role will learn how to distinguish theoretical timing attacks from legitimately exploitable flaws by using our tool 'time trial'. Finally, attendees focused on research implications will receive a comprehensive update on the state of the art in exploiting timing attacks in practice.

Presenters:

  • Daniel Mayer - Matasano Security
    Daniel is a Senior Consultant with Matasano Security. His experience includes penetration testing, mobile security, cryptographic protocol analysis and design, security research, and system and network administration. Prior to joining Matasano, Daniel was a researcher at the Stevens Institute of Technology working on applied cryptography and privacy. He presented his research at various security conferences including ShmooCon, SOURCE Boston, and several international academic venues. Daniel holds a PhD degree in Computer Science from Stevens and an MS degree in Physics from Rutgers.
  • Joel Sandin - Matasano Security
    Joel Sandin is a Security Consultant at Matasano Security. At Matasano he is considered a god at darts, but also performs security assessments on anything that is put in front of him. Before joining Matasano's consulting team, he worked in the Network Safety and Network Security groups at Akamai Technologies, where he helped build and maintain distributed systems for security monitoring and defense.
