Gaining Precision in Information Leakage Attacks

By Robert Hansen

It’s hard to narrow down your life’s work into one interesting event or tidbit. Even picking 10 would be tough. So instead of picking something I am well known for, I wanted to look for something I had a lot of fun coming up with that you probably didn’t read. I’ve always been interested in information leakage as an exploit class. It’s something most people like to overlook in favor of the higher-profile exploits. Sure, it’s a lot sexier to go after the direct administrative compromise, but I enjoy the nuances of piecing together big puzzles. Information leakage as a class provides me that kind of mental stimulus.

Back in 2008, during the summer Olympics, I came up with a concept of using the date stamps within HTTP responses to reduce the problems with latency that are often attributed to timing attacks. Timing attacks are when you use the logic of a website against itself to reveal data.

Sometimes it takes appreciably and measurably longer for a website to return data, depending on how the data was handled. If, for instance, you type in a correct username but an incorrect password, the server may make two database requests instead of one. But if you type in an incorrect username, the vulnerable server never bothers making the second database request. That measurable time difference makes for a method of enumerating usernames, as one example.
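The login shape described above, as an added illustration that is not code from the article: one version returns early for unknown usernames and so skips its second expensive step (here a password hash stands in for the second database request), while the hardened version does the same amount of work on every request. The user table, salt and passwords are constructed sample data, and `WorkMeter` is a hypothetical counter that records the cost signature an attacker's stopwatch would only approximate.

```python
import hashlib
import hmac
import time

# Constructed credential table (sample data for this illustration, not from the article).
# Passwords are stored as salted PBKDF2 hashes, as a real application would store them.
_SALT = b"constructed-static-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash; this is the 'second expensive step'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


USERS = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}
# Hash of a throwaway password, used so unknown users cost the same as known ones.
_DUMMY_HASH = _pw_hash("dummy", _SALT)


class WorkMeter:
    """Counts the expensive operations one login attempt performs, standing in
    for the stopwatch an observer would use from the other end of the wire."""

    def __init__(self) -> None:
        self.db_lookups = 0
        self.hash_ops = 0


def login_vulnerable(username: str, password: str, meter: WorkMeter) -> bool:
    """Lookup-then-verify with an early return: unknown users skip the hash,
    so their responses come back measurably faster (the leak the article describes)."""
    meter.db_lookups += 1
    record = USERS.get(username)
    if record is None:
        return False  # early exit: no second expensive step for unknown users
    salt, stored = record
    meter.hash_ops += 1
    return hmac.compare_digest(_pw_hash(password, salt), stored)


def login_hardened(username: str, password: str, meter: WorkMeter) -> bool:
    """Same outcome, but the expensive step runs on every request, so the work
    done (and hence the response time) no longer depends on whether the
    username exists."""
    meter.db_lookups += 1
    record = USERS.get(username)
    salt, stored = record if record is not None else (_SALT, _DUMMY_HASH)
    meter.hash_ops += 1  # always hash, whether or not the user exists
    matched = hmac.compare_digest(_pw_hash(password, salt), stored)
    # An unknown user must fail even if the guess happens to equal the dummy password.
    return matched and record is not None


def work_profile(login, username: str, password: str):
    """Return (result, db_lookups, hash_ops) for one attempt: the deterministic
    cost signature that a timing measurement would approximate."""
    meter = WorkMeter()
    result = login(username, password, meter)
    return result, meter.db_lookups, meter.hash_ops


def median_latency_ms(login, username: str, password: str, samples: int = 20) -> float:
    """Wall-clock view of the same difference (noisy; for local demonstration only)."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, password, WorkMeter())
        times.append((time.perf_counter() - start) * 1000)
    times.sort()
    return times[len(times) // 2]


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = median_latency_ms(login, "alice", "wrong password")
        unknown = median_latency_ms(login, "nobody", "wrong password")
        print(f"{name:10s} known user {known:6.2f} ms, unknown user {unknown:6.2f} ms")
```

Running the module prints the median wall-clock cost for a known and an unknown username under each version; the vulnerable one shows the gap the article describes, the hardened one does not. The `work_profile` counters are the deterministic view of the same thing, which is why the hardened version must always hash and must still reject an unknown user whose guessed password happens to match the dummy hash.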

While watching Michael Phelps swim across the finish line in that epic photo finish, it occurred to me that the precision of a clock down to the second is really for human benefit, not for the computer’s. When you look at the clock on your computer, it is only showing you the significant bits that you are interested in; internally it has a much higher precision than what it shows you. When your browser makes a request, the server returns a time stamp. By careful and long-term measurement, you can identify the exact millisecond at which the second hand moves, nearly down to the precision the actual clock is set at, assuming a normal, stable connection against a normal web server.

If you receive a lot of variance, you know that something is up on the server(s) in question, or you are hitting different servers that are load balanced, etc. Yes, you really can do this, so you can rule out latency in your timing attacks over the Internet. And now you’re probably asking me, why? Because I was watching the Olympics and it just came to me. That’s why!
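The second-boundary measurement from the two paragraphs above, written out as an added example rather than code from the article. A real `Date` header is formatted and parsed with the standard library, but the "server" is a constructed stand-in: `make_simulated_server` takes a clock offset (server minus client, in seconds) and answers each probe with a whole-second `Date` header, so nothing touches the network. `estimate_tick` steps forward until the header's second changes and then bisects down to a millisecond, recovering the sub-second rollover point the header itself never states; `tick_spread` is the variance check the article mentions, and passing several offsets models a load-balanced pool whose members' clocks disagree. `BASE` is an arbitrary constructed epoch.

```python
from email.utils import formatdate, parsedate_to_datetime
from itertools import cycle

# Constructed client-clock epoch used as the starting point of the probes.
BASE = 1_700_000_000.0


def parse_http_date(header: str) -> int:
    """Date header -> whole epoch seconds. The header carries no sub-second part,
    which is exactly the precision this technique recovers from the outside."""
    return int(parsedate_to_datetime(header).timestamp())


def make_simulated_server(offsets):
    """Return probe(client_time) -> Date header string, a constructed stand-in for
    a real HTTP server (no network involved). Each offset is 'server clock minus
    client clock' in seconds; several offsets model a load-balanced pool whose
    members answer in rotation with clocks that disagree."""
    pool = cycle(offsets)

    def probe(client_time: float) -> str:
        return formatdate(client_time + next(pool), usegmt=True)

    return probe


def estimate_tick(probe, start: float, coarse_step: float = 0.1,
                  resolution: float = 0.001) -> float:
    """Find the fraction of a client-clock second at which the server's Date value
    rolls over: step forward until the second changes, then bisect the interval.
    Returns a value in [0, 1); 'resolution' is the width of the final interval."""
    s0 = parse_http_date(probe(start))
    t = start
    while parse_http_date(probe(t)) == s0:
        t += coarse_step
    lo, hi = t - coarse_step, t  # the rollover lies in (lo, hi]
    while hi - lo > resolution:
        mid = (lo + hi) / 2
        if parse_http_date(probe(mid)) == s0:
            lo = mid
        else:
            hi = mid
    return ((lo + hi) / 2) % 1.0


def tick_spread(probe, starts) -> float:
    """Largest disagreement between tick estimates taken from different starting
    points. Near zero for one stable server; large when something is off, e.g.
    several load-balanced back ends with unsynchronised clocks."""
    estimates = [estimate_tick(probe, s) for s in starts]
    return max(estimates) - min(estimates)


if __name__ == "__main__":
    starts = [BASE, BASE + 5.3, BASE + 42.9]
    stable = make_simulated_server([0.375])
    print("stable server tick at", round(estimate_tick(stable, BASE), 3))
    print("stable spread", round(tick_spread(stable, starts), 4))
    balanced = make_simulated_server([0.375, 0.9])
    print("load-balanced spread", round(tick_spread(balanced, starts), 4))
```

With a single offset of 0.375 s the server's second rolls over at client-clock fraction 0.625, and every start point recovers that value to within the chosen resolution; with two rotating offsets the estimates scatter, which is the variance signal that tells you the responses are not coming from one stable clock. In real use `probe` would issue a request and record the client's high-resolution timestamp at send, and a constant network delay simply shifts the recovered fraction rather than blurring it, which is why the technique sidesteps latency.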

Then I started looking at the actual DNS and TCP packets themselves, which represent a large overhead that, really, you should ignore if you can. Most of the packets associated with constructing a connection are useless for measuring purposes. By carefully choosing which packets you look at, you can get about 33% higher precision. That’s exactly the kind of esoteric thing I love to work on, even if it’s not the sexiest hack in the world.

(You can read more about it in these posts: Timing Precision and More Timing Precision Enhancements.)

So why would I bring this to your attention again after the world ignored it the first time? In the end it took an interesting event in the real world to make me think about ways to gain precision in an already obscure information security leak, which then expanded into monitoring TCP packets to get even more precision. I was elated by the idea. Sadly, I think the lack of utility and it being a bit esoteric allowed it to get quickly swept under the rug. But nevertheless, it was one of the most fun issues I have played with. I guess sometimes job satisfaction isn’t a matter of impressing anyone else.

Robert Hansen is a security researcher and CEO of SecTheory.

This is the first in an occasional series of guest posts by security researchers, focusing on their favorite or most interesting piece of research.
