Opportunities and Limits of Remote Timing Attacks

1
Opportunities and Limits of Remote Timing Attacks

• Scott A Crosby

2
Introduction

• Systems arent mathematical
• They can leak secrets
• Errors
• Power usage
• Response time
• New attack opportunity

3
Remote timing attacks

• Processing time can vary
• RSA exponentiation
• strcmp()
• Hash tables
• What processing times can be measured remotely?
• Results on WAN and LAN environments
• When are attacks possible or impossible?

4
Example strcmp()

• Graph of strcmp time as a function of common
  prefix length TODO

5
Measurement over a network
Latency
Processing Time
Response Time
Latency
6
Measurement the difference
Care about processing time difference despite
jitter.
10ms J
X µs
X-Y µs J
Y µs
10ms J
How well can attacker get X vs.Y despite J ?
7
Differences with standard jitter

• Not a realtime system
• Dont care about response time
• Care about processing time
• Collect many measurements
• Filter out noise

8
Test Program

• Central server
• Pingpong protocol
• Server receives ping, waits, replies
• Use CPU cycle counter for nanosecond precision.
• Measured 50 different processing time values from
  100ns to 65ms.

9
WAN Tests

• For each of 75 Planetlab hosts
• For each of 50 processing times
• 80,000 measurements
• 133 million measurements total

10
LAN Tests

• For each of 8 hosts on Rice LAN
• For each of 50 processing times
• 27,000 samples

11
Scoring Filters

• F(Resps) Proc delay error
• Least Squares linear
• Peak finder
• Percentile
• Average range

12
LAN Raw data
13
WAN Raw Data
14
LAN detrend data
15
WAN detrend data
16
LAN overall
17
WAN overall
18
Attempt to attack

• Try to perform an attack on a host pair
• For two different processing times
• Choose random subset
• See how well we can discriminate
• Repeat 200 times
• Choose point where were correct 95
• Histogram the results

19
WAN discrimination histogram
20
WAN overall discrimination
21
LAN overall discrimination
22
Summary of Results

• Can detect and perhaps exploit
• lt100 ns over a LAN
• 10 µs over a WAN
• Example processing times
• strcmp() 1000 bytes 5 µs

23
Conclusion

• Remote timing attacks over WAN
• May be more difficult than you think
• Remote timing attacks over LAN
• Can measure a fraction of a microsecond

24
Results

• On a LAN, can measure as a few hundred clock
  cycles of a remote system
• On a WAN, can measure a few thousand clock cycles
  of a remote system
• Attacker might do better

25
Measurement over a network
10ms
X µs
20ms X µs
10ms