miki123211
17 hours ago
Timing attacks are such a pernicious idea.
You look at the code and see that there's an auth check in place, you test the code to verify that the auth check has no bugs, you make sure that information is never shared with people who don't have authorization to access it, and yet it turns out it can be accessed as if there was no auth check at all.
To make matters worse, everything can be fine for some time, and then some clever optimization in the CPU, the compiler, cache layer or the database engine introduces a completely unexpected side channel.
GoToRO
16 hours ago
would adding random delays prevent this?
pwagland
14 hours ago
No, it only makes it take longer to get the underlying secret.
Timing attacks are already dealing with "noisy" data, task scheduling et al, so they all boil down to some level of statistical analysis on the response times. Adding noise to that slows you down, but the underlying bias on the timings is still there.
ozim
6 hours ago
So in practice it prevents the attack as real world attackers have limited resources and try to find easier targets.
saagarjha
3 hours ago
That’s what everyone says until they realize they understated the costs to attempt such an attack.
GoblinSlayer
3 hours ago
So you need to compute this statistics and add just the right delay to even out the bias.
saagarjha
3 hours ago
At that point you’ve implemented a constant-time algorithm.
Filligree
15 hours ago
Random delays specifically do not, as they average out. Delays until a specific point in time do work, so long as the delay is never negative.
bostik
4 hours ago
This particular case would be a fantastic fit for timer wheel.[0] Instead of writing a brittle implementation of "after a fixed time in the future" logic yourself, you queue the outgoing event to occur after N ticks [of granularity X], and let the dedicated data structure engine do the work for you.
0: https://www.snellman.net/blog/archive/2016-07-27-ratas-hiera...
wiredfool
15 hours ago
One thing that I’ve done where I previously had a random delay is implement a delay till a constant time from the start of the request. So all of the timing you get out is effectively how well sleep can target a time.
tptacek
16 hours ago
It depends on the kinds of attacks you're thinking of. For the stuff Kettle is doing, probably yes. For cryptographic side channels, probably no.
jack_pp
15 hours ago
or you could benchmark the functions that compare secrets to user input and figure out how much time it's supposed to take, add 0.5s to the average and always add time before responding to get to that target so essentially your response time is constant regardless of input
tptacek
14 hours ago
Important to keep in mind here that the timing attacks Kettle is talking about generally do not take the form of "providing secret input to a function with variable timing".
jack_pp
6 hours ago
He says this exact same thing in the Defense at the end:
> Finally, yes I do recommend using constant-time functions when comparing user input with secret keys. Just ask anyone who says this is an actual threat to provide a proof of concept.