News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Padraic Brady's Blog:
Nanosecond Scale Remote Timing Attacks On PHP Apps Take Them Seriously?
October 21, 2010 @ 09:42:58

In a new post to his blog Padraic Brady takes a look at remote timing attacks that happen on a nanosecond scale and whether or not we, as application developers, should take them seriously. Timing attacks involve gleaning information off of systems based on the response and execution time.

I've been following the progress of Remote Timing Attacks with a lot of interest over the years, during which time there has been an obvious trend in improving the technique. The most recent reported cases of Remote Timing Attack vulnerabilities, for example, were against the OpenID and OAuth protocols when it was reported in July 2010 that numerous open source implementations of these protocols did not prevent the disclosure of timing information that could enable a Remote Timing Attack. It is important to note that, as with many potential attacks, the protocols themselves contain no vulnerability. This is strictly a potential vulnerability contingent on the method of implementation.

He starts off by defining timing attacks in a bit more detail, including an example of how an attacker could determine the validity of a username based on the response time of how its handled. He continues on talking about how important the nanosecond is to attacks like this (might as well be minutes) and how things like the C function memcmp can be used to catch these tiny time differences. There's plenty more detail in between, but he finishes the post off with a look at what you can do to help prevent this type of attack from being useful on your applications.

0 comments voice your opinion now!
timing attack application nanosecond introduction opinion



Community Events





Don't see your event here?
Let us know!


version voicesoftheelephpant language update series symfony laravel package tool composer library application podcast opinion security interview community release introduction framework

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework