The timeless timing attack: a more efficient kind of remote timing attack.
Recently, researchers at the Center for Cyber Security, New York University Abu Dhabi, released a white paper introducing a new type of attack. The attack is claimed to be a more efficient version of the remote timing attack and is named the Timeless Timing attack.
Conventionally, in a remote timing attack the adversary obtains a series of sequential measurements and then performs statistical analysis in an attempt to infer the actual execution time for varying inputs. These attacks take place over a network connection and rely entirely on timing information. The researchers note in their paper that such attacks have been present and studied for several decades: secret information can be leaked by exploiting a measurable difference in execution time. They have previously been applied in various contexts, such as abusing SSL/TLS to extract private keys and revealing users' browsing habits, among many others.
However, timing attacks can become impractical when there is variation in the network transmission time (jitter).
The Timeless timing attack is a concurrency-based timing attack that is unaffected by network conditions, regardless of the distance between the adversary and the victim server.
In contrast to typical timing attacks, where absolute measurements are obtained sequentially, timeless attacks extract information from the order in which two concurrent execution tasks complete, and do not use any timing information. Because they are based on concurrency, timeless attacks are unaffected by network variations.
The researchers devised means to trick network protocols into combining two concurrent HTTP/2 requests in a single data packet. Because both requests then arrive at the server at the same moment, the two tasks execute at the same time, giving the desired concurrency; any network delay on the way affects both requests equally, so the attack remains unaffected. Observing which of the two responses is returned first then provides the desired information.
Web-based timing attacks are classified as direct attacks and cross-site attacks. In a direct timing attack, the adversary connects directly to the targeted server and obtains measurements based on the responses it returns. In the cross-site attack model, the attacker makes the victim's browser initiate requests to a targeted server by executing JavaScript.
The paper discusses in detail the application of the timeless timing attack to Tor onion services and to the EAP-pwd authentication method of Wi-Fi, both of which it shows to be vulnerable.
Along with illustrations explaining how the attack works, the researchers also describe its prerequisites: the requests must arrive at the server simultaneously, they must be processed concurrently, and the difference in execution time must be accurately reflected in the responses.
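The following simulation is an added example, not code from the paper or this article. It models the two measurement strategies the text contrasts (one request per round trip versus two requests sharing a single packet) and the prerequisites just listed, and it also shows the check a defender would run: whether a constant-time fix actually removes the ordering signal. Execution times, jitter and server-side noise are constructed values in milliseconds.

```python
import random

# Added simulation (not from the paper or this article). Times are in milliseconds;
# the execution times, jitter and server-side noise used below are constructed values.

def sequential_b_slower(exec_a: float, exec_b: float, jitter_sd: float,
                        rounds: int, rng: random.Random) -> float:
    """Conventional remote timing attack: each request is timed on its own
    round trip, so each measurement carries an independent jitter sample.
    Returns the fraction of rounds in which B *measured* slower than A."""
    b_slower = 0
    for _ in range(rounds):
        measured_a = exec_a + rng.gauss(0.0, jitter_sd)
        measured_b = exec_b + rng.gauss(0.0, jitter_sd)
        if measured_b > measured_a:
            b_slower += 1
    return b_slower / rounds


def concurrent_b_slower(exec_a: float, exec_b: float, jitter_sd: float,
                        server_noise_sd: float, rounds: int,
                        rng: random.Random) -> float:
    """Timeless timing attack: both requests travel in one packet, so they
    share a single network delay and start processing together; only the
    order of completion is observed, so the shared delay cancels out and
    only server-side noise remains. Returns the fraction of rounds in which
    B's response is returned after A's."""
    b_slower = 0
    for _ in range(rounds):
        shared_delay = rng.gauss(0.0, jitter_sd)  # identical for both requests
        done_a = shared_delay + exec_a + rng.gauss(0.0, server_noise_sd)
        done_b = shared_delay + exec_b + rng.gauss(0.0, server_noise_sd)
        if done_b > done_a:
            b_slower += 1
    return b_slower / rounds


if __name__ == "__main__":
    rng = random.Random(2020)
    rounds = 2000
    # Handler B takes 0.2 ms longer than A; 5 ms of jitter dwarfs that difference.
    print("sequential, 0.2 ms gap:", sequential_b_slower(1.0, 1.2, 5.0, rounds, rng))
    print("concurrent, 0.2 ms gap:", concurrent_b_slower(1.0, 1.2, 5.0, 0.05, rounds, rng))
    # Mitigation check: once both paths take the same time, the order carries no signal.
    print("concurrent, constant time:", concurrent_b_slower(1.2, 1.2, 5.0, 0.05, rounds, rng))
```

With the sequential model the slower handler is identified barely better than a coin flip, while the concurrent ordering identifies it almost every round; when both paths take equal time the ordering falls back to about one half, which is the result a defender wants to see after applying a constant-time fix.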
One of the most significant limitations of the attack is that many websites use a content delivery network (CDN) that may not support HTTP/2. It is the request and response multiplexing of HTTP/2 that makes servers more susceptible to this concurrency-based timing attack.
The researchers are planning to present the findings of the paper at the USENIX Security Symposium later this year.