Example Sins

Let's start by looking at examples of timing attacks, and then move on to more traditional information leakage, for which we can find entries in the Common Vulnerabilities and Exposures (CVE) database at http://cve.mitre.org.

Dan Bernstein's AES Timing Attack

Dan Bernstein was able to perform a remote timing attack against the OpenSSL 0.9.7 implementation of AES. It turns out that the large lookup tables used within the implementation led to table data getting kicked out of cache, making the code run in non-constant time. The table lookups were key-dependent, and, to some degree, so was the cache behavior. Bernstein was able to attack an encrypted connection after viewing about 50GB worth of encrypted data. There are some caveats, though. First, he could have been a lot more sophisticated with his attack, and he clearly collected more data than he needed. It's reasonable to believe that he could have extracted a key after only a few gigabytes of data, and maybe even less.

Second, he was using a pretty contrived scenario in which the protocol included high-performance timing information without encrypting it, with time stamps that immediately preceded and followed the AES operations. Just because his example is contrived doesn't mean there is no problem, though. This setup was meant to minimize the noise and make the true signal as clear as possible. In a real-world scenario where a remote machine is using its own clock to do timing, the noise level will be higher, but the attacker can always launch the same attack. Statistically, the attacker just needs to collect more samples to amplify the signal to the point where it is clear through the noise.

The question is how much extra data is necessary. That is currently an unanswered question. If a protocol can leak a high-performance time stamp to an attacker, we would generally start to worry. If not, there's probably little to be concerned about.

If the attacker is local, then there's a lot to fear. This turns out to be particularly true in a hyperthreading environment. Not only does Bernstein's AES attack work well for a local attacker on a machine with hyperthreading turned on, it also works well for public key operations with RSA (see CAN-2005-0109 in the CVE database).

If you're worried about remote attacks against your AES implementation, Bernstein does provide techniques for avoiding all known timing attacks. Brian Gladman's popular AES implementation is hardened against such attacks (see the Other Resources section), and Bernstein provides his own versions. As far as we're aware, at the time of this writing, other AES implementations are not yet hardened against this kind of attack.
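The discussion above says the attacker amplifies a small timing signal by collecting more samples, and that a defender cannot yet say how many samples a real attack needs. As an added example (not Bernstein's or Gladman's code, and not from the book), the Python script below is the kind of harness a defender runs over their own implementation to decide whether its timing depends on the input: collect timings for two input classes and compare them with Welch's t statistic, the approach used by leak-detection tools such as dudect. The timing model (`simulated_lookup_time`, the `TABLE_LINES` and `EVICTED` constants, the 50-unit miss penalty and the 100-unit noise) is constructed for illustration and is not real cycle data, and `samples_per_class` is a back-of-the-envelope estimate under an equal-variance Gaussian assumption, not a claim about how much data a real attack requires.

```python
import math
import random
from statistics import mean, variance


def welch_t(a, b):
    """Welch's t statistic for two timing samples (lists of numbers).
    The larger |t| grows, the more clearly the two input classes differ
    in timing; |t| > 4.5 is the usual 'leak detected' threshold."""
    if len(a) < 2 or len(b) < 2:
        raise ValueError("need at least two samples per class")
    return (mean(a) - mean(b)) / math.sqrt(variance(a) / len(a) + variance(b) / len(b))


def samples_per_class(delta, sigma, t_target=4.5):
    """Samples per class needed before a mean timing difference `delta`,
    hidden in Gaussian noise of standard deviation `sigma`, reaches
    |t| = t_target.  Modelling assumption: both classes see the same
    noise, so t = delta / sqrt(2 sigma^2 / n) and n = 2 (t sigma / delta)^2."""
    return math.ceil(2 * (t_target * sigma / delta) ** 2)


# --- toy timing model (constructed for illustration, not real cycle counts) ---
TABLE_LINES = 16        # cache lines a lookup table is assumed to span
EVICTED = {3, 7, 11}    # lines assumed to have been kicked out of cache


def simulated_lookup_time(index, rng, miss_penalty=50.0, noise_sd=100.0):
    """One lookup in a table-driven cipher step: if the cache line that
    `index` falls in has been evicted, the lookup costs `miss_penalty`
    more.  Measurement noise is Gaussian with standard deviation `noise_sd`."""
    base = 1000.0
    penalty = miss_penalty if index % TABLE_LINES in EVICTED else 0.0
    return base + penalty + rng.gauss(0.0, noise_sd)


def collect(index_fn, n, seed):
    """Collect n timings for the inputs chosen by index_fn(i)."""
    rng = random.Random(seed)
    return [simulated_lookup_time(index_fn(i), rng) for i in range(n)]


def leak_test(n, seed=1):
    """Class A always touches an evicted line, class B never does.
    Returns the t statistic at sample size n; independent seeds keep
    the noise of the two classes uncorrelated."""
    hits = collect(lambda i: 3, n, seed)
    misses = collect(lambda i: 0, n, seed + 1)
    return welch_t(hits, misses)


if __name__ == "__main__":
    # A 50-unit signal inside 100 units of noise is invisible at n=20
    # and unmistakable at n=4000, as the sqrt(n) growth of t predicts.
    for n in (20, 200, 4000):
        print(n, round(leak_test(n), 2))
    print("samples/class needed for t=4.5:", samples_per_class(50.0, 100.0))
```

To test real code, replace `simulated_lookup_time` with a wrapper that times the routine under test with a high-resolution clock (for example `time.perf_counter_ns`), keep the two input classes fixed versus random as dudect does, and treat a |t| that keeps climbing as the sample count grows as a leak, whatever the absolute number.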

CAN-2005-1411

ICUII is a tool for performing live video chat. Version 7.0.0 has a bug that allows an untrusted user to view passwords, because a weak access control list (ACL) on the password file allows everyone to read it.
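The defect here is nothing more than a secrets file whose permissions let every user read it. As an added example (not ICUII's code and not from the book), the following Python routine is the check and fix a practitioner would script for such files. It uses POSIX mode bits as the stand-in for the Windows ACL (an assumption, since the bug is on Windows); the file name `icuii_password.txt` and its contents are constructed for the demo.

```python
import os
import stat
import tempfile

SECRET_NAME_HINTS = ("password", "passwd", "secret", "credential")


def world_readable(path):
    """True if the 'other' read bit is set, i.e. any account can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def restrict_to_owner(path):
    """Drop group/other permissions so only the owner can read or write.
    Returns the resulting mode as an octal string for logging."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def find_world_readable(root, hints=SECRET_NAME_HINTS):
    """Walk `root` and return files whose names suggest secrets and
    which are readable by everyone."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(h in name.lower() for h in hints):
                path = os.path.join(dirpath, name)
                if world_readable(path):
                    hits.append(path)
    return sorted(hits)


def demo():
    """Create a constructed, world-readable password file, then fix it.
    Returns (hits before, hits after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "icuii_password.txt")  # constructed name
        with open(path, "w") as fh:
            fh.write("not-a-real-password\n")          # constructed content
        os.chmod(path, 0o644)                          # the weak setting
        before = find_world_readable(d)
        restrict_to_owner(path)                        # the corrected setting
        after = find_world_readable(d)
        return (len(before), len(after))


if __name__ == "__main__":
    print("world-readable secret files before/after hardening:", demo())
```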

CAN-2005-1133

This defect in IBM's AS/400 is a classic leakage; the problem is that different error codes are returned depending on whether an unsuccessful login attempt to the AS/400 POP3 server is performed with a valid or an invalid username. The best description of the bug can be found in the paper "Enumeration of AS/400 users via POP3" (www.venera.com/downloads/Enumeration_of_AS400_users_via_pop3.pdf), but here's an example:

    +OK POP server ready
    USER notauser
    +OK POP server ready
    PASS abcd
    -ERR Logon attempt invalid CPF2204
    USER mikey
    +OK POP server ready
    PASS abcd
    -ERR Logon attempt invalid CPF22E2

Note the change in error message: CPF2204 means no such user; CPF22E2 means a valid user, but a bad password. The change in error message is very useful to an attacker, because there is no user named notauser, but there is a user named mikey.
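To show the fix beside the flaw, the following Python sketch is an added example (not IBM's code and not from the book) of a POP3 PASS handler in the leaky form described above and in a hardened form that returns one failure message whatever went wrong. The hardened version also hashes the supplied password against a dummy record when the user does not exist, so that response time does not quietly take over the role the distinct error code used to play. The user database, the `mikey` password and the salts are constructed; the error strings `CPF2204` and `CPF22E2` are the ones shown in the transcript.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # PBKDF2 work factor; constructed for the demo


def _make_record(password, salt):
    """Store (salt, PBKDF2-SHA256 hash) rather than the password itself."""
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))


# Constructed user database: username -> (salt, hash). Not real AS/400 data.
USERS = {
    "mikey": _make_record("correct horse", b"salt-for-mikey"),
}

# Dummy record so an unknown user costs the same hashing work as a real one.
_DUMMY = _make_record("unused", b"dummy-salt")


def _password_ok(record, password):
    salt, expected = record
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)


def pop3_pass_leaky(user, password):
    """The behaviour described in the text: the error code tells the
    client whether the username exists."""
    if user not in USERS:
        return "-ERR Logon attempt invalid CPF2204"   # no such user
    if not _password_ok(USERS[user], password):
        return "-ERR Logon attempt invalid CPF22E2"   # valid user, bad password
    return "+OK Logged in"


def pop3_pass_fixed(user, password):
    """Hardened form: one message for every failure, and the hash is
    always computed (against a dummy record for unknown users) so the
    two failure paths do the same amount of work."""
    record = USERS.get(user, _DUMMY)
    ok = _password_ok(record, password) and user in USERS
    if not ok:
        return "-ERR Logon attempt invalid"
    return "+OK Logged in"


def distinguishes_users(handler):
    """Defender's check: do the failure responses differ between an
    unknown user and a known user supplying the wrong password?"""
    unknown = handler("notauser", "abcd")
    known = handler("mikey", "abcd")
    return unknown != known


if __name__ == "__main__":
    print("leaky handler distinguishes users:", distinguishes_users(pop3_pass_leaky))
    print("fixed handler distinguishes users:", distinguishes_users(pop3_pass_fixed))
```

The `distinguishes_users` check is the one to keep in a test suite: it fails the moment someone reintroduces a helpful per-case error message, which is how this class of leak usually returns.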



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Writing Secure Code
ISBN: 71626751
Year: 2003
Pages: 239
