Covert Timing Channel

Covert timing channels convey information.

• by modulating some aspect of system behavior over time.

• so that the program receiving the information can observe system behavior and infer protected information.

Covert channels are long used to exfiltrate information from systems.

• Modulate system response time, packet interval, etc..

But undesirable Cover Timing Channels can be present due to flaws.

• Unknown to the developer/sysadmin.

• But perceived to the attacker, allowing attackers to guess state from timing discrepancies.

Covert channels can be limited and reduced of usefulness.

• Can be prevent in specific cases, especially time based.

• Covert channels for malicious purposes can not be avoided altogether.

Example

def validate_password(actual_pw, typed_pw):
    if len(actual_pw) != len(typed_pw):
        return False
        
    for i in range(len(actual_pw)):
        if actual_pw[i] != typed_pw[i]:
            return False
    
    return False

Code checks if two passwords are the same.

• First the length.

• Then byte comparison, exiting on first unmatching byte.

Provides a covert channel making it possible to guess the password.

• Same password: 0.710 usecs

• Different length: 0.147 usecs

• First byte wrong: 0.366 usecs

• Second byte wrong: 0.401 usecs

• Last byte wrong: 0.656 usecs

Solutions may consider:

• Different logic.

• Making functions time constant.

• Adding random delay (delay should be dominant).

def validate_password(actual_pw, typed_pw):
    time.sleep(random() / 100)
    # Throw random time
    if len(actual_pw) != len(typed_pw):
        return False
    
    for i in range(len(actual_pw)):
        if actual_pw[i] != typed_pw[i]:
            return False
    return False

Covert Channel

Some covert channels are created by physical interactions.

• Keyboards, smartphones.

• Typing creates patterns due to hand anatomy and keyboard layout.

• Touching a smartphone to enter a code produces small axis rotations.

Timing Analysis of Keystrokes and Timing Attacks on SSH

Microarchitectural Covert Channels

Since 2017 a new class of bugs was published which exploits microarchitectural behavioral changes.

• Related to the access mechanisms to RAM by the CPU.

• Potentiated by speculative and out of order execution mechanisms in present CPUs.

General strategy: measure timing differences accessing resources, which will provide information about private data.

• Resources are memory pages, memory addresses in the program address space or outside it.

Impact:

• Attacker can read memory content from other parts of process space, or even kernel space.

• Attacker can also read memory from other VMs, processes, maybe enclaves...

• Can be explored remotely through network card drivers.

  • In the beginning even Javascript engines were vulnerable.