# Covert Timing Channel

Covert timing channels **convey information**.

* by **modulating** some **aspect of system behavior** over time.
* so that the **program receiving** the information can **observe system behavior and infer protected information**.

Covert channels are long used to exfiltrate information from systems.

* Modulate system response time, packet interval, etc..

But undesirable Cover Timing Channels can be present due to flaws.

* Unknown to the developer/sysadmin.
* But perceived to the attacker, allowing attackers to guess state from timing discrepancies.

**Covert channels can be limited and reduced of usefulness.**

* Can be prevent in specific cases, especially time based.
* Covert channels for malicious purposes can not be avoided altogether.

## Example

```python
def validate_password(actual_pw, typed_pw):
    if len(actual_pw) != len(typed_pw):
        return False
        
    for i in range(len(actual_pw)):
        if actual_pw[i] != typed_pw[i]:
            return False
    
    return False
```

Code checks if two passwords are the same.

* First the length.
* Then byte comparison, exiting on first unmatching byte.

Provides a covert channel making it possible to guess the password.

* Same password: 0.710 usecs
* Different length: 0.147 usecs 
* First byte wrong: 0.366 usecs 
* Second byte wrong: 0.401 usecs 
* Last byte wrong: 0.656 usecs

Solutions may consider:

* Different logic.
* Making functions time constant.
* Adding random delay (delay should be dominant).

```python
def validate_password(actual_pw, typed_pw):
    time.sleep(random() / 100)
    # Throw random time
    if len(actual_pw) != len(typed_pw):
        return False
    
    for i in range(len(actual_pw)):
        if actual_pw[i] != typed_pw[i]:
            return False
    return False
```

## Covert Channel

Some covert channels are created by physical interactions.

* Keyboards, smartphones.
* Typing creates patterns due to hand anatomy and keyboard layout.
* Touching a smartphone to enter a code produces small axis rotations.

<figure><img src="https://3744219775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUaTnynVhA2CYjsGJT14j%2Fuploads%2FmFcM6BJQdiupoEpxI64g%2F2023-11-20_12-07.png?alt=media&#x26;token=2ca8a5f1-e3fc-4df7-a119-9896a358edca" alt=""><figcaption><p>Timing Analysis of Keystrokes and Timing Attacks on SSH</p></figcaption></figure>

<figure><img src="https://3744219775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUaTnynVhA2CYjsGJT14j%2Fuploads%2FnSplK3jjcVMCMUl4Qfik%2F2023-11-20_12-07_1.png?alt=media&#x26;token=ee5f389b-abc8-4fa5-94f0-72d6e1cee9f0" alt=""><figcaption></figcaption></figure>

## Microarchitectural Covert Channels

Since 2017 a new class of bugs was published which exploits microarchitectural behavioral changes.

* Related to the access mechanisms to RAM by the CPU.
* Potentiated by speculative and out of order execution mechanisms in present CPUs.

General strategy: measure timing differences accessing resources, which will provide information about private data.

* Resources are memory pages, memory addresses in the program address space or outside it.

Impact:

* Attacker can read memory content from other parts of process space, or even kernel space.
* Attacker can also read memory from other VMs, processes, maybe enclaves...
* Can be explored remotely through network card drivers.
  * In the beginning even Javascript engines were vulnerable.