HN Reader

Timing attacks are such a pernicious idea.

You look at the code and see that there's an auth check in place, you test the code to verify that the auth check has no bugs, you make sure that information is never shared with people who don't have authorization to access it, and yet it turns out it can be accessed as if there was no auth check at all.

To make matters worse, everything can be fine for some time, and then some clever optimization in the CPU, the compiler, cache layer or the database engine introduces a completely unexpected side channel.

A fun thing about this work is that it's following different threads than the remote timing attack research in cryptography follows; high-end remote timing in cryptography involves some signal processing work, which isn't really present here. Which means Kettle's attacks are likely to get more powerful.

At my old job I was able to use a timing attack for remote username enumeration. Our login process was

1) get username and password from user

2) check if username exists and if not, return error

3) if username exists, look up hashed password from db

4) hash potential password

5) compare actual and potential password. if same, generate token and return. else, return error

As you can imagine, we live in a universe with physical laws so steps 3-5 took time. That meant that you could blast login requests with any username and a known-bad password and compare the times it took to return the bad login error. If it was relatively quick, the username was bad. If it took longer than average, the username was good and the password was bad. Combine this with the freely available lists of common usernames and common passwords and one could start with nothing but the address of the login page and walk away with valid cred pairs. We ended up doing ip-based lockout after 10 failed login attempts and adding a random delay of 100-400ms before erroring out on a bad username.

I did some research few weeks ago on the topic of database lookup timing side-channels, conclusion is: They don't really exist (for SELECT FROM WHERE commands atleast). https://altayakkus.substack.com/p/timing-side-channel-on-sql...

I love how he is porting every local attack to web applications.

I am also a bit frightening that the number of attack you have to know for the Burp Certification keeps getting longer.

I'm curious that he appears to completely ignore the network latency/jitter on the return path. How does this work?

I look forward to James Kettle's yearly research results, he's the most incredible appsec researcher I know of.