June 30, 2010, 10:12AM

Gaining Precision in Information Leakage Attacks

By Robert Hansen

It's hard to narrow down your life's work into one interesting event or tidbit. Even picking 10 would be tough. So instead of picking something I am well-known for, I wanted to look for something I had a lot of fun coming up with that you probably didn't read. I've always been interested in information leakage as an exploit class. It's something most people like to overlook, in favor of the higher-profile exploits. Sure, it's a lot sexier to go after the direct administrative compromise, but I enjoy the nuances of piecing together big puzzles. Information leakage as a class provides me that kind of mental stimulus.

Back in 2008, during the summer Olympics, I came up with a concept of using the date stamps within HTTP responses to reduce the problems with latency that are often attributed to timing attacks. Timing attacks are when you use the logic of a website against itself to reveal data.

Sometimes it takes appreciably and measurably longer for a website to return data, depending on how the data was handled. If, for instance, you type in a correct username but an incorrect password, it could be that the server makes two database requests instead of one. But if you type in an incorrect username, the vulnerable server will never bother making the second database request. That measurable time difference makes for a method of enumerating usernames, as an example.

While watching Michael Phelps swim across the finish line in that epic photo finish, it occurred to me that the precision of a clock down to the second is really for human benefit, not for the computer's. When you look at the clock on your computer, it is only showing you the significant digits you are interested in; in reality it has a much higher precision than what it shows you. When your browser makes a request, the server returns its time stamp in the response. By careful and long-term measurement, you can identify the exact millisecond at which the second hand moves, nearly down to the same precision that the actual clock is set at, assuming a normal, stable connection against a normal web server.

If you receive a lot of variance, you know that something is up on the server(s) in question, or you are hitting different servers behind a load balancer, etc. Yes, you really can do this, so you can rule out latency in your timing attacks over the Internet. And now you're probably asking me why. Because I was watching the Olympics and it just came to me, that's why!
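The following Python is an added illustration of the measurement described above; it is not code from Hansen's posts, and it runs on constructed samples rather than live traffic. Each response's Date header, paired with the local send and receive times, bounds the server-to-local clock offset to an interval; intersecting many such intervals narrows the offset down to the millisecond at which the server's second hand ticks, and an empty intersection is the "variance" case, where the headers are not coming from one consistent clock.

```python
import random
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

@dataclass
class Sample:
    """One request/response pair; local times in milliseconds."""
    sent_ms: int     # local clock when the request left
    recv_ms: int     # local clock when the response arrived
    server_sec: int  # whole seconds parsed from the response's Date header

def date_header_to_sec(value: str) -> int:
    """Whole seconds since the epoch from an HTTP Date header value."""
    return int(parsedate_to_datetime(value).timestamp())

def offset_bounds(samples: List[Sample]) -> Optional[Tuple[int, int]]:
    """Bound 'offset' in server_clock = local_clock + offset (ms).
    The server stamped each response at some local instant inside
    [sent_ms, recv_ms] while its clock read server_sec, so
    server_sec*1000 <= stamp + offset < (server_sec + 1)*1000.
    Intersecting these intervals tightens the bounds whenever a sample
    lands near a tick of the server's second hand. Returns None when the
    intervals stop overlapping: the Date headers are not from a single
    consistent clock (e.g. several load-balanced servers)."""
    lo, hi = float("-inf"), float("inf")
    for s in samples:
        lo = max(lo, s.server_sec * 1000 - s.recv_ms)
        hi = min(hi, (s.server_sec + 1) * 1000 - s.sent_ms)
        if lo >= hi:
            return None
    return lo, hi

def tick_phase_ms(lo: int, hi: int) -> Tuple[int, int]:
    """Local-clock millisecond (0-999) at which the server's second ticks,
    as a wrap-around range (p_lo, p_hi] derived from offset_bounds()."""
    return (-hi) % 1000, (-lo) % 1000

def simulate(true_offset_ms: int, n: int, seed: int = 1) -> List[Sample]:
    """Constructed samples, not real traffic: requests 30-150 ms apart,
    5-20 ms round trips, Date header taken at the midpoint of the trip."""
    rng = random.Random(seed)
    t, out = 1_700_000_000_000, []
    for _ in range(n):
        t += rng.randint(30, 150)
        rtt = rng.randint(5, 20)
        stamp = t + rtt // 2
        out.append(Sample(t, t + rtt, (stamp + true_offset_ms) // 1000))
    return out
```

A few hundred samples against a single stable server narrow the offset to tens of milliseconds; the same calculation lets a site operator see how precisely the Date header gives away its clock phase.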

Then I started looking at the actual DNS and TCP packets themselves, which represent a large overhead that you really should ignore if you can. Most of the packets associated with constructing a connection are useless for measuring purposes. By carefully choosing which packets you look at, you can get about 33% higher precision. That's exactly the kind of esoteric thing I love to work on, even if it's not the sexiest hack in the world.

(You can read more about it in these posts: Timing Precision and More Timing Precision Enhancements.)

So why would I bring this to your attention again after the world ignored it the first time? In the end it took an interesting event in the real world to make me think about ways to gain precision in an already obscure information security leak, which then expanded into monitoring TCP packets to get even more precision. I was elated by the idea. Sadly, I think the lack of obvious utility, and the fact that it is a bit esoteric, let it get swept under the rug quickly. But nevertheless, it was one of the most fun issues I have played with. I guess sometimes job satisfaction isn't a matter of impressing anyone else.

Robert Hansen is a security researcher and CEO of SecTheory.

This is the first in an occasional series of guest posts by security researchers, focusing on their favorite or most interesting piece of research.
