Timing attacks

Overview

Timing attacks exploit differences in the execution time of website code to infer the values of the data being operated on. The recovered data may be directly useful to the attacker, or it may serve as input to a later attack. A typical example is enumerating valid usernames: if a login handler only runs its expensive password hash when the username exists, a request for an existing account takes measurably longer than one for a non-existent account, so the attacker can tell the two cases apart without ever seeing a different response body.

What makes a site vulnerable?

A site may be vulnerable to timing attacks if any part of its execution varies in the time taken to complete depending on the value of site data. Typical sources are data-dependent branches (e.g. "if the user exists, hash the password"), early-exit comparisons that stop at the first mismatching byte, and database queries whose cost depends on the secret. An attacker who can measure these variations, averaging over many requests to remove network jitter, can infer the value of the data. If that data is not intended to be known to users, a security violation has occurred.

Cross-site Timing Attacks

Cross-site timing attacks can be used by an attacker to violate the same-origin policy. The same-origin policy prevents a page loaded from one site from reading data on pages from another, but it does not prevent the page from observing how long those pages take to load. By placing code on their own site which fetches a page from the target site (e.g. into a hidden iframe) and a little JavaScript that records the time between issuing the request and the load event firing, the attacker can time how long the user's browser takes to obtain the page. The request carries the user's cookies, so this provides a timing channel from which the attacker can potentially extract information about the third-party site (e.g. whether or not the user is logged in, or whether a given record exists in the user's account). The attacker can also cause the user's browser to launch brute-force and similar attacks against other websites and use cross-site timing to read back the results. By placing the attack code on popular web pages, the attacker may be able to recruit thousands of users' browsers for large-scale attacks.

Impact of the attack

The attack may lead to an attacker discovering sensitive information. This may be information about the site's users, or security-relevant information such as cryptographic keys or password-reset tokens. The severity of the attack depends on the type of data which can be discovered; it may, for instance, reveal information which could be used to gain unauthorised access to parts of the site. As cross-site timing attacks demonstrate, the attacker may also be able to gather information on an individual user's use of your site, and may leverage users' browsers in distributed attacks against your site.

Preventing the attack

Timing attacks can be prevented by ensuring that execution times are independent of confidential data. One approach is to modify the algorithms which operate on the data so that they complete in a time that does not depend on the secret: compare secrets such as tokens, password hashes and MACs with a constant-time comparison that inspects every byte rather than stopping at the first mismatch, and make sure the expensive work (e.g. password hashing) is performed on every request path, including the "user does not exist" path. Another approach is to return the response a fixed length of time after it is requested, regardless of how long the page actually took to generate; note that this only protects requests which finish within that fixed time, so any request that overruns the budget still leaks. To prevent cross-site timing attacks it is advisable to ensure that all pages return in a constant time. Ideally this constant time should be chosen so that it does not interfere with your users' experience of the site, but long enough that most if not all pages complete within it. Identifying and optimising the pages with the longest generation times may be beneficial here.
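The username-enumeration leak described in the overview and the two countermeasures described above (constant-time algorithms and padding every response to a fixed duration), as an added example that is not part of the original page. The user store, the salt and the budget are constructed for illustration; the instrumented comparison functions count how many bytes they inspect so the difference between an early-exit and a constant-time comparison can be seen without timing anything.

```python
import hashlib
import hmac
import time
from functools import wraps


def _pbkdf2(password, salt):
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256, 20k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed sample data: one real account and a dummy credential that is
# hashed for unknown usernames so the slow path runs on every request.
_SALT = b"constructed-salt-not-from-the-page"
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
_DUMMY = (_SALT, _pbkdf2("dummy-password", _SALT))


def naive_equal(a, b):
    """Early-exit comparison. Returns (equal, bytes_inspected).

    The number of bytes inspected, and hence the time taken, reveals the
    position of the first mismatch, which is what a timing attack exploits."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_steps_equal(a, b):
    """Inspect every byte regardless of where mismatches occur.

    The step count depends only on the length, not on the contents.  In
    production use hmac.compare_digest, which does the same in C."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    diff = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def login_vulnerable(username, password):
    """Fast return for unknown users: existing vs. missing usernames differ by
    one whole PBKDF2 computation, so usernames can be enumerated by timing."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return _pbkdf2(password, salt) == stored   # == is not guaranteed constant-time


def login_hardened(username, password):
    """Always hash, always compare in constant time, then reject unknown users."""
    salt, stored = USERS.get(username, _DUMMY)
    computed = _pbkdf2(password, salt)
    ok = hmac.compare_digest(computed, stored)
    return ok and username in USERS


def pad_response_time(budget_s):
    """Decorator: hold the response until budget_s has elapsed since the call.

    Caveat: a call that overruns the budget still leaks its true duration."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            start = time.monotonic()
            result = fn(*args, **kwargs)
            remaining = budget_s - (time.monotonic() - start)
            if remaining > 0:
                time.sleep(remaining)
            return result
        return wrapper
    return decorator


RESPONSE_BUDGET_S = 0.25   # assumed budget, chosen to exceed the hash cost here


@pad_response_time(RESPONSE_BUDGET_S)
def padded_login(username, password):
    return login_hardened(username, password)


def measure(fn, *args):
    """Return (result, elapsed_seconds) for a single call."""
    start = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - start


if __name__ == "__main__":
    print(naive_equal(b"secret", b"sexxxx"))            # stops after 3 bytes
    print(constant_steps_equal(b"secret", b"sexxxx"))   # always 6 bytes
    for user in ("alice", "nobody"):
        _, t_vuln = measure(login_vulnerable, user, "wrong")
        _, t_pad = measure(padded_login, user, "wrong")
        print(f"{user:7s} vulnerable={t_vuln:.4f}s padded={t_pad:.4f}s")
```

Running the block shows the vulnerable handler returning almost instantly for `nobody` but spending a full PBKDF2 computation on `alice`, while the padded handler takes the same fixed time for both. The padding is a backstop, not a substitute for the constant-time algorithm: if the budget is set too low for the slowest request, the overrun is visible to the attacker.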