[25168] in bugtraq
Re: Remote Timing Techniques over TCP/IP
daemon@ATHENA.MIT.EDU (Syzop)
Fri Apr 19 14:30:55 2002
Message-ID: <3CBF97B9.5150735@dds.nl>
Date: Fri, 19 Apr 2002 06:06:17 +0200
From: Syzop <syz@dds.nl>
To: Mauro Lacy <maurol@mail.com>, bugtraq@securityfocus.com
Hi,
Mauro Lacy wrote:
> This paper describes remote timing techniques based on TCP/IP intrinsic operation and options. The techniques are used for careful observation of the TCP/IP data stream to detect timing differences in the operation of the remote application and relate them to selected data and/or phenomena.
This reminds me of http://online.securityfocus.com/archive/82/185167 (+see the thread) which
also discusses something like this (timing techniques) and the "additional noise" such as
task switches, etc.
> I'll quote here a comment by Paul Kocher, who told me in a private communication
>
> "You might want to try some ... statistical attacks ...
> ... -- using them, even very tiny differences (<1 us) can
> be resolved even if there is quite a lot of measurement error
> (>1 ms)... . The general math required
> is quite simple - you'd want to look for the difference between
> the *average* time when [for example] n bytes of a password
> are correct and the average time when n+1 bytes of the password
> are correct."
I also remember this reply with another approach to this problem:
(from http://online.securityfocus.com/archive/82/186161 )
Quote:
> Why noise-filtering? Since there seem to be no invalid low numbers,
> just take the minimum of a certain amount of tries (1000, 10000)
> and check whether those give you a clue -- i.e. try to find
> the ones with the lowest noise and compare them.
I haven't read all of this yet (it's a bit late), but it looks very interesting...
Bram Matthys.
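The two noise-handling strategies quoted in this thread (Kocher's comparison of average times, and the minimum-of-N idea from the second quote) side by side, as an added example that is not code from any poster in the thread. The target is a simulated server doing an early-exit, byte-by-byte password compare; the secret "seal", the 1 us per-byte cost, the 100 us base cost and the exponential (one-sided) jitter are all constructed assumptions for the simulation, and a real attack would time the socket round trip instead of calling simulated_rtt_us.

```python
import random
import statistics

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SECRET = "seal"          # constructed secret for the simulation (not from the thread)
BASE_US = 100.0          # constructed fixed cost of one request/response
PER_BYTE_US = 1.0        # constructed signal: extra delay per correct leading byte
NOISE_MEAN_US = 10.0     # constructed jitter, one-sided: delays only ever add


def matching_prefix(guess: str, secret: str) -> int:
    """Number of leading bytes of guess equal to secret (what an early-exit compare walks)."""
    n = 0
    for g, s in zip(guess, secret):
        if g != s:
            break
        n += 1
    return n


def simulated_rtt_us(guess: str, secret: str, rng: random.Random) -> float:
    """Stand-in for a measured round trip: the server's compare costs PER_BYTE_US
    per byte it examines before bailing out, plus exponential scheduling/queueing
    noise. A real attack would time the socket exchange instead of calling this."""
    signal = BASE_US + PER_BYTE_US * matching_prefix(guess, secret)
    return signal + rng.expovariate(1.0 / NOISE_MEAN_US)


def measure(guess: str, secret: str, rng: random.Random, samples: int) -> list:
    return [simulated_rtt_us(guess, secret, rng) for _ in range(samples)]


def _candidates(known: str, length: int):
    """Yield (byte, full-length guess) for the next unknown position; '?' never matches."""
    pad = "?" * (length - len(known) - 1)
    for c in ALPHABET:
        yield c, known + c + pad


def recover(secret: str, rng: random.Random, samples: int, score) -> str:
    """Byte-at-a-time recovery: for each position, keep the candidate whose timing
    score is largest. 'score' reduces a list of samples to one number, so the
    only difference between the two strategies is which reducer is passed in."""
    known = ""
    for _ in range(len(secret)):
        best_byte, best_score = None, None
        for c, guess in _candidates(known, len(secret)):
            s = score(measure(guess, secret, rng, samples))
            if best_score is None or s > best_score:
                best_byte, best_score = c, s
        known += best_byte
    return known


def recover_by_mean(secret: str = SECRET, seed: int = 1, samples: int = 6000) -> str:
    """Kocher's approach as quoted above: compare *average* times per candidate.
    With ~1 us of signal under ~10 us of jitter, the standard error of the mean
    (10 / sqrt(6000) ~ 0.13 us) is what makes the 1 us step visible."""
    return recover(secret, random.Random(seed), samples, statistics.fmean)


def recover_by_min(secret: str = SECRET, seed: int = 2, samples: int = 300) -> str:
    """The minimum-of-N approach from the second quote: since noise only ever adds
    delay, the smallest observed time is the least noisy sample, and a few hundred
    tries already expose the same 1 us step that the mean needs thousands for."""
    return recover(secret, random.Random(seed), samples, min)


if __name__ == "__main__":
    print("mean of 6000 samples per guess:", recover_by_mean())
    print("min  of  300 samples per guess:", recover_by_min())
```

The minimum works here because the simulated noise is strictly one-sided, which is exactly the condition the second quote relies on ("no invalid low numbers"); if the measurement path can also make a response look *faster* than it was (clock adjustments, coalesced ACKs), the minimum becomes a biased estimator and the averaging approach is the safer fallback.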