2. Timing attacks basics
the execution time of
Function(UserData, PrivateData)
depends on both UserData and PrivateData;
this time can be used to determine PrivateData
from UserData
4. Timing attacks intro
the execution time of a search operation depends on:
● the search string
● the data being searched
attack concept: determine the data from the timings of
different search strings
6. Related work
● BH-USA-07 “Timing Attacks for Recovering Private Entries From Database Engines”
● Attacking page split on update operation
https://www.blackhat.com/presentations/bh-usa-07/Waissbein_Futoransky_and_Saura/Whitepaper/bh-usa-07-
7. SQL search basics
● Indexed data (CREATE INDEX …)
● Non-indexed data (exhaustive search)
+ cache mechanism
8. ● Cache does not prevent timing attacks
● Cache removes the noise of disk operations
Non-indexed data
● Really rare
● Full list iteration
● String comparison
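The string comparison step in an exhaustive search is where the data dependence of the timing comes from. The following is an added illustration (not code from the deck or from the wallarm timing.c PoC): an early-exit byte comparison beside a constant-time one, with a constructed step counter standing in for wall-clock time so the difference is visible without a timer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit comparison, as found in naive record matching.
 * Stops at the first differing byte, so the work done (and the
 * time taken) reveals how long the common prefix of a and b is.
 * *steps receives the number of bytes examined (constructed
 * instrumentation, not part of a real comparison routine). */
int naive_compare(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;        /* differ: work depends on the data */
        }
    }
    *steps = len;
    return 0;                /* equal */
}

/* Constant-time comparison: examines every byte and folds the
 * differences into one accumulator, so the work done is the same
 * for any pair of inputs of the given length. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= a[i] ^ b[i];
    *steps = len;
    return diff != 0;        /* 0 if equal, 1 if any byte differs */
}

int main(void)
{
    /* Constructed sample: a stored login and three probe strings. */
    const uint8_t stored[] = "user-1234";
    const char *probes[] = { "xser-1234", "user-1999", "user-1234" };
    for (int i = 0; i < 3; i++) {
        size_t n_naive, n_ct;
        int r1 = naive_compare(stored, (const uint8_t *)probes[i], 9, &n_naive);
        int r2 = ct_compare(stored, (const uint8_t *)probes[i], 9, &n_ct);
        printf("%-10s naive: result=%d steps=%zu | ct: result=%d steps=%zu\n",
               probes[i], r1, n_naive, r2, n_ct);
    }
    return 0;
}
```

The step counts model work done per comparison; on a real system the same dependence appears as a timing difference once cache and disk noise are removed, which is the point the slide makes about caching.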
10. SQL databases index overview
Database | INDEX algo                                                          | Hash type           | Cache
MySQL    | B-Tree (all storage engines) / HASH (only for memory/heap and NDB)  | Fowler/Noll/Vo hash | +
Postgres | B-Tree/GiST/GIN and SP-GiST (9.2+), HASH                            | ?                   | +
11. noSQL databases index overview
Database | INDEX algo | Hash type        | Cache
memcache | HASH       | Jenkins/murmur3  | Really? )
redis    | HASH       | murmur2->SipHash | -
mongodb  | HASH       | murmur3          | +
20. PoC
● Simple tool that can demonstrate the timing anomaly
● Just a PoC, not a framework
● Framework soon ;)
https://github.com/wallarm/researches/blob/master/no-and-sqli-timing/timing.c
21. Real cases from the wild
● Session entropy reduction
● Formatted login checks (user-<N>)
● Password hash reduction. Spot the difference:
○ SELECT id,role,password FROM users WHERE login=...
○ SELECT id,role FROM users WHERE login=... AND password=...
● ...