Timing Attacks

Hari Hara Sudhan
Nov 12, 2022

Timing attacks are security exploits that attack a system by analyzing how long it takes to process different inputs. These kinds of vulnerabilities aren’t left in the system on purpose, nor are they easily noticed by a programmer.

Let me give you a nice example of a timing attack.

Consider that your system uses an authentication system that compares the password with the stored password letter by letter. (Code snippet attached below)

Let’s say that for each letter comparison it took 1 sec.

Then, if the password you guessed does not match the stored password at letter 2, the system would take 2 sec to give the output.

If you have guessed the first 7 letters of the password correctly, the system would take 8 sec to give the output.

Using this change in processing time for each input, the authentication system can easily be broken.

Say the correct passcode has 4 digits and each digit can only be 0–9.

The number of possible passcodes for the system without a timing attack is 10⁴.

The number of passcodes that need to be tried against a system with a timing attack vulnerability is 40, because for each position at most 10 choices need to be tried.

Notice how the number of passcode choices the attacker has to try is reduced drastically; this is the power of a timing vulnerability.

Authentication System with vulnerability for timing attacks

This particular case doesn’t need a lot of effort to fix. If we send the result only after checking all the letters, even when we have already found that it doesn’t match at letter 2, then a timing attack can be prevented in this case.

Authentication System without timing attack vulnerability.
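
The two comparison strategies described above, as an added Python example (not the code from the original post). The function names and the passcode `1234` are constructed for illustration, and the count of letters compared stands in for the processing time in the text.

```python
import hmac


def check_early_exit(guess: str, stored: str):
    """Vulnerable form: returns at the first mismatching letter.

    Returns (match, letters_compared); the count stands in for processing time.
    """
    compared = 0
    for g, s in zip(guess, stored):
        compared += 1
        if g != s:
            return False, compared      # work done depends on the secret
    return len(guess) == len(stored), compared


def check_all_letters(guess: str, stored: str):
    """Fixed form: compares every letter and decides only at the end."""
    diff = len(guess) ^ len(stored)     # a length mismatch is a mismatch
    compared = 0
    for g, s in zip(guess.ljust(len(stored), "\0"), stored):
        compared += 1
        diff |= ord(g) ^ ord(s)         # accumulate, never branch on the result
    return diff == 0, compared


def check_digest(guess: str, stored: str) -> bool:
    """Standard-library constant-time comparison."""
    return hmac.compare_digest(guess.encode(), stored.encode())


if __name__ == "__main__":
    STORED = "1234"  # constructed sample passcode, not from the original post
    for guess in ("9234", "1934", "1294", "1239", "1234"):
        print(guess, check_early_exit(guess, STORED), check_all_letters(guess, STORED))
```

In real code, prefer `hmac.compare_digest` over a hand-written loop, since an interpreted loop gives no guarantee about the time each iteration takes.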

Timing attacks don’t necessarily use only processing time information. All the systems use a cache to store frequently accessed data. Information in the cache is returned faster than information from the disk or memory. Using this time difference, attackers can learn various information about the system.

Hence, timing attacks can’t be avoided completely: caches and the other mechanisms we use to optimize code expose us to these vulnerabilities, but removing them would reduce the system’s performance drastically. As programmers, it is therefore our responsibility to know the possibility of these kinds of attacks and to develop code that has less chance of being exposed to them.


Hari Hara Sudhan

Computer Science Engineer who's exploring Computer Networks and Security. Postgraduate student in Computer Science and Engineering at IIT Gandhinagar.