
Anthony Ferrara:
It's All About Time
December 01, 2014 @ 10:46:15

In his latest post Anthony Ferrara talks about a tricky subject in PHP - timing attacks. A timing attack exploits vulnerabilities that arise from differences in the time it takes to perform cryptographic operations (like hashing or encrypting).
An interesting pull request has been opened against PHP to make bin2hex() constant time. This has led to some interesting discussion on the mailing list (which even got me to reply :-X). There has been pretty good coverage over remote timing attacks in PHP, but they talk about string comparison. I'd like to talk about other types of timing attacks.

He starts with a definition of what a remote timing attack is and provides a simple example script showing the delay that's key to the attack. His script deals with string location, but it gives you an idea of how the attack works and where the danger lies. He points out that attackers can, even remotely, measure the time operations take (down to the nanosecond) and use this to their advantage, and that both == and === are vulnerable to this type of attack because of how the comparison happens. He gives two options (one an internal function) to help protect your application and briefly covers a few other types of timing attacks: index lookup, cache-timing and branch-based timing attacks.
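To make the string-comparison point concrete, here is an added example (not code from the post or from PHP itself) that places the early-exit comparison next to a userland constant-time compare and PHP's built-in hash_equals(), which is the internal function available since PHP 5.6; the timing harness assumes PHP 7.3 or later for hrtime() and uses constructed sample strings.

```php
<?php
declare(strict_types=1);

// Early-exit comparison: === on two strings stops at the first differing byte,
// so the time taken grows with the length of the matching prefix. This is the
// behaviour the post describes as vulnerable.
function naiveEquals(string $known, string $user): bool
{
    return $known === $user;
}

// Userland constant-time comparison: XOR every byte and OR the results
// together, so the loop always runs over the full common length no matter
// where the first mismatch is. Only the lengths (which the attacker already
// controls or can guess) influence the running time, not the content.
function constantTimeEquals(string $known, string $user): bool
{
    $result = strlen($known) ^ strlen($user);
    $len = min(strlen($known), strlen($user));
    for ($i = 0; $i < $len; $i++) {
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $result === 0;
}

// Built-in option: hash_equals() is PHP's internal constant-time comparison.
function builtinEquals(string $known, string $user): bool
{
    return hash_equals($known, $user);
}

// Average nanoseconds per call for one comparison function and input pair.
function timeCompare(callable $cmp, string $known, string $user, int $n = 200000): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $cmp($known, $user);
    }
    return (hrtime(true) - $start) / $n;
}

// Constructed inputs: a mismatch in the first byte versus one in the last byte.
$secret         = str_repeat('a', 64);
$firstByteWrong = 'b' . str_repeat('a', 63);
$lastByteWrong  = str_repeat('a', 63) . 'b';

foreach (['naiveEquals', 'constantTimeEquals', 'builtinEquals'] as $fn) {
    printf("%-20s first-byte mismatch: %6.1f ns   last-byte mismatch: %6.1f ns\n",
        $fn, timeCompare($fn, $secret, $firstByteWrong), timeCompare($fn, $secret, $lastByteWrong));
}
```

The gap between the two naiveEquals() figures is the signal an attacker averages over many requests; for the two constant-time functions the figures should differ only by measurement noise. Because the differences are in the nanosecond range, a single local run is noisy, which is exactly why the attack relies on statistical averaging of many samples.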


Link: http://blog.ircmaxell.com/2014/11/its-all-about-time.html

Padraic Brady's Blog:
Nanosecond Scale Remote Timing Attacks On PHP Apps: Take Them Seriously?
October 21, 2010 @ 09:42:58

In a new post to his blog Padraic Brady takes a look at remote timing attacks that happen on a nanosecond scale and whether or not we, as application developers, should take them seriously. Timing attacks involve gleaning information from systems based on their response and execution time.

I've been following the progress of Remote Timing Attacks with a lot of interest over the years, during which time there has been an obvious trend in improving the technique. The most recent reported cases of Remote Timing Attack vulnerabilities, for example, were against the OpenID and OAuth protocols when it was reported in July 2010 that numerous open source implementations of these protocols did not prevent the disclosure of timing information that could enable a Remote Timing Attack. It is important to note that, as with many potential attacks, the protocols themselves contain no vulnerability. This is strictly a potential vulnerability contingent on the method of implementation.

He starts off by defining timing attacks in a bit more detail, including an example of how an attacker could determine the validity of a username based on the response time of how it's handled. He continues on talking about how important the nanosecond is to attacks like this (might as well be minutes) and how things like the C function memcmp can be used to catch these tiny time differences. There's plenty more detail in between, but he finishes the post off with a look at what you can do to help prevent this type of attack from being useful against your applications.

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework