Timing Attacks


Exposing Private Information by Timing Web Applications
Stephen Kleinheider
Agenda
• Introduction to Timing Attacks
• Direct Timing Attacks
– Dealing with Network Noise/Jitter
– Username Enumeration
– Counting Number of Private Albums in a Gallery
• Cross-Site Timing Attacks
– Techniques and Issues
– Test if User is Logged in
– Counting Number of Items in User’s Shopping Cart
Introduction to Timing Attacks
• In general, timing attacks on web applications measure the time the browser takes to load a given page
– By performing a large number of requests, it is possible to obtain private information by measuring and comparing response times
• Prevention is possible, but often ignored by web developers
• Two main types:
– Direct Timing Attacks
– Cross-Site Timing Attacks
Direct Timing Attacks
• Measures the time a web site takes to respond to HTTP requests
• Custom program used to get very accurate timing data (sub-millisecond)
• Problems: Dealing with network noise/jitter
• Example 1: Testing for Boolean Values
– Username Enumeration
• Example 2: Estimating the Size of Hidden Data
– Counting Number of Private Albums in a Gallery
Dealing with Network Noise/Jitter
• Varying network conditions
– Long delays, packet loss
• Server Load
– Server handling a great number of requests concurrently
• Solution:
– Statistical analysis of test data to estimate the jitter
– Correct the real measurements using the jitter estimated from the test data
Username Enumeration
• Useful for phishing attacks
– Especially when usernames are email addresses
[Figure: two examples labelled “Bad” and “Good”]
• Possible to use direct timing attacks for username enumeration
Estimating the Size of Hidden Data
• Timing attacks can be used to find data sets hidden from certain users
• How it works:
– When displaying data sets, many web applications loop over all data before returning and displaying the applicable data
– Possible to collect timing data with a strong correlation to the number of items
• Example: Photo Gallery Blog
– Some albums have specific permissions per person
– “Private” albums only seen by creator
– Develop a timing attack to count the number of “private” albums in a gallery
Counting Number of Hidden Albums
• Much more susceptible to noise
• Very small difference in response time
• Requires an unusually fast network path to the target
Cross-Site Timing Attacks
• Timing attacks which enable a malicious site to obtain information about the user’s view of another site
– Able to time these CSRF attacks even if preventive measures exist
– Can be used to test if other CSRF attacks worked
• Harder to use than direct timing attacks
• Example 1: Testing for Boolean Values
– Test if User is Logged in
• Example 2: Estimating the Size of Hidden Data
– Counting Number of Items in User’s Shopping Cart
Cross-Site Timing Techniques
• JavaScript: a script is allowed to learn when and whether embedded content loads
• Images are an effective method for timing
• IMG tags can be used to time any web-accessible URL
• Technique: use an invisible image and JavaScript to take several timing samples
– Responses are timed via the onerror handler
Issues with Cross-Site Timing Attacks
• No stable, known network configuration
– User could have any type of connection at almost any geographical location
– Absolute timing comparison is not useful
• Solution: Two Sources
– Page whose computation time is dependent on hidden data
– Page which has as little dependency as possible on hidden data (Baseline)
Determining if a User is Logged in
• Two Sources:
– Test Page – front page of website
– Reference Page – “Contact Us” page
• Able to distinguish between four types of users:
– Never been to the site
– Been to the site but have never logged in
– Currently logged into the site
– Have logged in sometime in the past, but not currently logged in
• Users who are logged in get redirected, which adds to the request time
Estimating Size of Hidden Data
• Tremendous amount of “countable” data visible only to the user
– Number of transactions on banking site
– Auctions at an auction site
– Emails at popular webmail site
– Search results
• Example: Counting Number of Items in User’s Shopping Cart
Summary
• Timing attacks on web applications can expose private information
• Can be used for information gathering and as a first step for a phishing attack
• Both types of timing attacks need to account for network noise/jitter
• Best Defense = ensure the web server always takes a constant amount of time to process a request
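Added example (not from the slides): the “Bad” and “Good” login handlers behind the username-enumeration slide, and a median-based check for the constant-time defense in the summary. The in-memory user store, salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed demo user store: one known user, password hashed with PBKDF2.
_SALT = os.urandom(16)
_ITER = 30_000
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}
# Random 32-byte dummy: no password can ever hash to it, so unknown
# usernames get the same work as known ones without ever authenticating.
_DUMMY = os.urandom(32)


def login_leaky(username: str, password: str) -> bool:
    """'Bad': returns early for unknown users, skipping the slow hash.
    Unknown usernames answer measurably faster -> username enumeration."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return hmac.compare_digest(candidate, stored)


def login_constant(username: str, password: str) -> bool:
    """'Good': always runs the hash and a constant-time compare, so the
    response time does not depend on whether the username exists."""
    stored = _USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return hmac.compare_digest(candidate, stored)


def median_ms(fn, username: str, samples: int = 20) -> float:
    """Median of many samples: the slides' statistical handling of jitter."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(username, "wrong password")
        times.append((time.perf_counter() - start) * 1e3)
    return statistics.median(times)


def timing_gap_ms(fn, samples: int = 20) -> float:
    """Known-minus-unknown username gap; a large positive gap means the
    handler leaks account existence through response time."""
    return median_ms(fn, "alice", samples) - median_ms(fn, "nobody", samples)
```

A defender can run `timing_gap_ms` against both handlers: the leaky one shows a gap of several milliseconds, the constant-time one stays within the noise.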