Organizing effective timing attacks using HTTP / 2 and WPA3

New hacking technique overcomes “network jitter” that can affect the success of side-channel attacks

The new technique, developed by researchers at the University of Leuven (Belgium) and New York University in Abu Dhabi, has shown that attackers can use the features of network protocols to organize confidential information leaks.

This technique is called Timeless Timing AttacksShowcased at this year’s Usenix conference, it leverages network protocol handling of concurrent requests to address one of the problems of remote timed side-channel attacks.

Problems of remote attacks by time

In timing attacks, attackers measure differences in the execution time of different commands in an attempt to bypass the protection provided by encryption and obtain information about confidential information, such as encryption keys, private correspondence, and user surfing behavior.

However, in order to successfully implement timing attacks, an attacker needs to know exactly how long it takes for the attacked application to process a request.

This becomes a problem when attacking remote systems such as web servers, because network latency (jitter) leads to variation in response times, which complicates the calculation of processing time.

In remote timing attacks, attackers typically send each command multiple times and perform statistical analysis of response times to reduce the impact of network jitter. But this method is only useful to a certain extent.

“The smaller the time difference, the more requests are required, and at a certain stage the computation becomes impossible,” Tom Van Götham, a data security researcher and lead author of an article on the new type of attacks, tells us.

Timeless Time Attack

The technique developed by Göthem and his colleagues performs remote timing attacks in such a way that they negate the effects of network jitter.

The principle behind a timeless attack on time is simple: you need to make sure that requests reach the server at exactly the same time, and not be transmitted sequentially.

Concurrency ensures that all requests are under the same network conditions and that their processing is not affected by the path between the attacker and the server. The order in which the responses are received will give the attacker all the information needed to compare execution times.

“The main advantage of timeless attacks on timing is that they are much more accurate, so fewer requests are required. This allows the attacker to recognize differences in execution time down to 100 ns, ”says Van Götham.

The minimum time difference observed by researchers in a traditional Internet time attack was 10 μs, that is, 100 times more than in a simultaneous request attack.

How simultaneity is ensured

“We provide concurrency by putting both requests in the same network packet,” explains Van Götham. “In practice, the implementation mostly depends on the network protocol.”

Researchers use the capabilities of different network protocols to send concurrent requests.

For example, HTTP / 2, which is fast becoming the de facto standard for web servers, supports “request multiplexing”, a feature that allows a client to send multiple requests in parallel over a single TCP connection.

“In the case of HTTP / 2, we just need to put both requests in the same packet (for example, by writing both to the socket at the same time).” However, this technique has its own subtleties. For example, in most content delivery networks such as Cloudflare, which provides content for most of the web, the connection between the edge servers and the site is over HTTP / 1.1, which does not support request multiplexing.

While this reduces the effectiveness of a timeless attack, they are still more accurate than classic remote timing attacks because they eliminate jitter between the attacker and the CDN edge server.

In the case of protocols that do not support request multiplexing, attackers can use an intermediate network protocol that encapsulates the requests.

Researchers have shown how a timeless time attack works on the Tor network. In this case, the attacker encapsulates multiple requests in a Tor cell, an encrypted packet transmitted between Tor nodes in single TCP packets.

“Since the Tor chain for onion services goes all the way to the server, we can ensure that requests arrive at the same time,” says Van Götham.

Timeless attacks in practice

In their article, the researchers examined timeless attacks in three different situations.

When direct attacks on time the attacker connects directly to the server and tries to leak secret information associated with the application.

“Since most web applications do not take into account the fact that timing attacks can be very practical and accurate, we believe that many websites are vulnerable to such attacks,” says Van Goethen.

When cross-site attacks by timing the attacker makes requests to other websites from the victim’s browser and makes assumptions about the content of confidential information by observing the sequence of responses.

Attackers used this scheme to exploit a vulnerability in the HackerOne bug bounty program and extracted information such as keywords used in confidential reports of unresolved vulnerabilities.

“I looked for cases where the time attack was previously recorded, but was not considered effective. A HackerOne bug has already been reported at least three times (Bug IDs: 350432, 348168 and 4701), but it was not eliminated because it was believed that this attack could not be used. Then I created a simple internal research project with timeless time attacks.

At the time, it was still very unoptimized because we continued to figure out the details of the attack, but nevertheless it turned out to be quite accurate (on my home WiFi connection, I was able to achieve very accurate results).

The researchers also tried to conduct timeless attacks on the WPA3 WiFi protocol…

One of the co-authors of the article, Mati Vanhof, had previously discovered potential time leakage in WPA3 handshake protocol… But the time was either too short to be used on high-end devices, or it could not be used against servers.

“With a new kind of timeless timing attacks, we have demonstrated that it is actually possible to use authentication handshake (EAP-pwd) against servers, even if they are running powerful hardware,” explains Van Goethem.

Perfect moment

In their article, the researchers provided recommendations for protecting servers from timeless attacks, such as limiting execution to constant time and adding random latency. Further research is required to implement practical defenses against direct timing attacks that would have little impact on network performance.

“We believe this area of ​​research is at a very early stage of development and requires much more in-depth study,” says Van Götham.

Future research could explore other techniques that attackers could use to carry out simultaneous timing attacks, other protocols and network layers that could be attacked, and assess the vulnerability of popular websites that allow such research to be carried out under program conditions. search for bugs.

The name “timeless” was chosen “because we did not use any (absolute) time information in these attacks,” explains Van Goethem.

“In addition, they can be considered ‘timeless’ because (remote) timing attacks have been around for a long time, and, judging by our research, the situation will only get worse.”