Notes - MCS
Analysis and Exploration of Vulnerabilities

Covert Timing Channel

Covert timing channels convey information:

  • by modulating some aspect of system behavior over time,

  • so that the program receiving the information can observe system behavior and infer protected information.

Covert channels have long been used to exfiltrate information from systems.

  • By modulating system response time, packet intervals, etc.

But unintended covert timing channels can also be present due to flaws.

  • Unknown to the developer/sysadmin.

  • But observable by the attacker, who can guess internal state from timing discrepancies.

Covert channels can be limited and their usefulness reduced.

  • They can be prevented in specific cases, especially timing-based ones.

  • Covert channels used for malicious purposes cannot be avoided altogether.

Example

```python
def validate_password(actual_pw, typed_pw):
    # Length check: a mismatch returns immediately (the fastest path)
    if len(actual_pw) != len(typed_pw):
        return False

    # Byte-by-byte comparison that exits on the first mismatch:
    # the time taken grows with the number of leading bytes that match
    for i in range(len(actual_pw)):
        if actual_pw[i] != typed_pw[i]:
            return False

    return True
```

The code checks whether two passwords are the same:

  • First the length.

  • Then a byte-by-byte comparison, exiting on the first mismatching byte.

This provides a covert timing channel that makes it possible to guess the password (a longer response time means a longer matching prefix):

  • Same password: 0.710 usecs

  • Different length: 0.147 usecs

  • First byte wrong: 0.366 usecs

  • Second byte wrong: 0.401 usecs

  • Last byte wrong: 0.656 usecs

Solutions may consider:

  • Different logic.

  • Making the functions constant-time.

  • Adding a random delay (the delay should dominate the comparison time).

```python
import time
from random import random

def validate_password(actual_pw, typed_pw):
    # Add a random delay (0 to 10 ms) so the comparison time is hidden in noise
    time.sleep(random() / 100)
    if len(actual_pw) != len(typed_pw):
        return False

    for i in range(len(actual_pw)):
        if actual_pw[i] != typed_pw[i]:
            return False
    return True
```
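As an added example (not part of the original notes), the leaky comparison above is instrumented to return the quantity that leaks through timing (how many byte comparisons ran), next to a fixed-work alternative that hides both the secret's length and the mismatch position, plus a helper that reproduces the kind of measurement listed above. The secret and guesses are constructed sample values; inputs are bytes.

```python
import hashlib
import hmac
import statistics
import time

def leaky_equal(actual: bytes, typed: bytes):
    """Early-exit comparison from the notes, instrumented to also return how
    many byte comparisons ran: the quantity that leaks through timing."""
    if len(actual) != len(typed):
        return False, 0
    steps = 0
    for a, b in zip(actual, typed):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def constant_time_equal(actual: bytes, typed: bytes):
    """Fixed-work comparison: hash both inputs to a fixed-length digest (so the
    secret's length is not revealed), then XOR every byte without exiting early.
    Returns (equal, steps); steps is always the digest length."""
    da = hashlib.sha256(actual).digest()
    db = hashlib.sha256(typed).digest()
    diff = steps = 0
    for a, b in zip(da, db):
        diff |= a ^ b  # accumulate differences instead of branching on them
        steps += 1
    return diff == 0, steps

def stdlib_equal(actual: bytes, typed: bytes) -> bool:
    """Same idea with the standard library: hash first, then hmac.compare_digest."""
    return hmac.compare_digest(hashlib.sha256(actual).digest(),
                               hashlib.sha256(typed).digest())

def median_microseconds(fn, actual, typed, rounds=20000):
    """Reproduce the kind of measurement listed above: median wall-clock time
    of fn(actual, typed). Noisy by nature; only the trend across inputs matters."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        fn(actual, typed)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples) / 1000

if __name__ == "__main__":
    secret = b"correct horse"  # constructed sample secret
    for guess in (b"wrong", b"xorrect horse", b"correct horsX", b"correct horse"):
        print(guess, leaky_equal(secret, guess)[1], constant_time_equal(secret, guess)[1],
              f"{median_microseconds(leaky_equal, secret, guess):.3f} us")
```

The step counts are deterministic and show the leak directly: the leaky version does 0, 1 or 13 comparisons depending on the guess, while the fixed-work version always does 32.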

Covert Channel

Some covert channels are created by physical interactions.

  • Keyboards, smartphones.

  • Typing creates timing patterns due to hand anatomy and keyboard layout.

  • Tapping a smartphone to enter a code produces small rotations of the device around its axes.

Microarchitectural Covert Channels

Since 2017 a new class of bugs has been published that exploits microarchitectural behaviour.

  • Related to the mechanisms by which the CPU accesses RAM.

  • Made possible by the speculative and out-of-order execution mechanisms of present-day CPUs.

General strategy: measure timing differences when accessing resources; these differences reveal information about private data.

  • Resources are memory pages or memory addresses, inside or outside the program's address space.

Impact:

  • An attacker can read memory contents from other parts of the process address space, or even kernel space.

  • An attacker can also read memory from other VMs, processes, and possibly enclaves.

  • Can be exploited remotely, e.g., through network card drivers.

    • In the beginning even JavaScript engines were vulnerable.


Further reading: Timing Analysis of Keystrokes and Timing Attacks on SSH (Song, Wagner and Tian, USENIX Security 2001).