Timing Attack is one of the techniques where hackers take advantage of server-side computation to adjust attack payload accordingly. In this article, I will show a most common example of this attack as well as how to prevent it with Golang
I. Timing Attack
- As a type of side-channel attack in which hackers rely on information analyzed from the execution time of a logic segment from the system to gradually retrieve the final result, Timing Attack can be viewed as a form of
manual brute forceis also possible, because the same way to retrieve the results, but the other is that the hacker needs to invest more to analyze the existing data to give the next input. - Hackers always try to take advantage of programmers’ mistakes in common logic codes that are often trivialized (I will show examples below) or libraries (open source) that we often use, nor get rid of this vulnerability
II. Practical examples
For programmers, we will have to encounter a case where we need to authenticate the request coming from the client side, or server to server. There are many ways to deploy, usually using JWT, Oauth2, OpenID Connect or using 3rd party to authen like Google, Facebook, AWS Cognito…One of the most popular and easy to deploy is using use API keys.
However, APIKey can still be exposed by many ways of attack, one of which is Timing attack
III. How to prevent Timing Attack
There is a teacher at his school who has taught students how to completely prevent their system and applications from being hacked. By turning off the internet, or the application is so “genuine” that hackers do not bother to attack or.. the last way is to burn incense and beg
Just kidding, we can’t completely prevent the risk of the system being hacked, but when we understand it, we will make the path that hackers are looking for more difficult.
I will use Golang for the example above, when using the API key, there will definitely be logic to perform to compare the API key sent from the request with the key stored on the server side. We often use the default algorithm (the == operator) to make comparisons, simple as that, but in fact this can be exploited by hackers.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 | <span class="token keyword">var</span> <span class="token punctuation">(</span> a <span class="token punctuation">[</span> <span class="token punctuation">]</span> <span class="token builtin">byte</span> length <span class="token builtin">int</span> <span class="token operator">=</span> <span class="token number">1e8</span> bound <span class="token builtin">int</span> <span class="token operator">=</span> length <span class="token operator">/</span> <span class="token number">10</span> <span class="token punctuation">)</span> <span class="token keyword">func</span> <span class="token function">init</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> a <span class="token operator">=</span> <span class="token function">make</span> <span class="token punctuation">(</span> <span class="token punctuation">[</span> <span class="token punctuation">]</span> <span class="token builtin">byte</span> <span class="token punctuation">,</span> length <span class="token punctuation">)</span> rand <span class="token punctuation">.</span> <span class="token function">Read</span> <span class="token punctuation">(</span> a <span class="token punctuation">)</span> <span class="token punctuation">}</span> <span class="token keyword">func</span> <span class="token function">copyStr</span> <span class="token punctuation">(</span> changedIndex <span class="token builtin">int</span> <span class="token punctuation">)</span> <span class="token punctuation">[</span> <span class="token punctuation">]</span> <span class="token builtin">byte</span> <span class="token punctuation">{</span> b <span class="token operator">:=</span> <span class="token function">make</span> <span class="token punctuation">(</span> <span class="token punctuation">[</span> <span class="token punctuation">]</span> <span class="token builtin">byte</span> <span class="token punctuation">,</span> length <span class="token punctuation">)</span> <span class="token function">copy</span> <span class="token punctuation">(</span> b <span class="token punctuation">,</span> a <span class="token punctuation">)</span> <span class="token keyword">if</span> b <span class="token punctuation">[</span> changedIndex <span class="token punctuation">]</span> <span class="token operator">==</span> <span class="token number">0</span> <span class="token punctuation">{</span> b <span class="token punctuation">[</span> changedIndex <span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token number">1</span> <span class="token punctuation">}</span> <span class="token keyword">else</span> <span class="token punctuation">{</span> b <span class="token punctuation">[</span> changedIndex <span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token number">0</span> <span class="token punctuation">}</span> <span class="token keyword">return</span> b <span class="token punctuation">}</span> <span class="token keyword">func</span> <span class="token function">formatString</span> <span class="token punctuation">(</span> s <span class="token builtin">int</span> <span class="token punctuation">)</span> <span class="token builtin">string</span> <span class="token punctuation">{</span> str <span class="token operator">:=</span> strconv <span class="token punctuation">.</span> <span class="token function">Itoa</span> <span class="token punctuation">(</span> s <span class="token punctuation">)</span> <span class="token keyword">var</span> result <span class="token builtin">string</span> <span class="token keyword">for</span> i <span class="token operator">:=</span> <span class="token function">len</span> <span class="token punctuation">(</span> str <span class="token punctuation">)</span> <span class="token operator">-</span> <span class="token number">1</span> <span class="token punctuation">;</span> i <span class="token operator">>=</span> <span class="token number">0</span> <span class="token punctuation">;</span> i <span class="token operator">--</span> <span class="token punctuation">{</span> <span class="token keyword">if</span> <span class="token punctuation">(</span> <span class="token function">len</span> <span class="token punctuation">(</span> str <span class="token punctuation">)</span> <span class="token operator">-</span> <span class="token number">1</span> <span class="token operator">-</span> i <span class="token punctuation">)</span> <span class="token operator">%</span> <span class="token number">3</span> <span class="token operator">==</span> <span class="token number">0</span> <span class="token operator">&&</span> i <span class="token operator">!=</span> <span class="token function">len</span> <span class="token punctuation">(</span> str <span class="token punctuation">)</span> <span class="token operator">-</span> <span class="token number">1</span> <span class="token punctuation">{</span> result <span class="token operator">=</span> <span class="token string">"."</span> <span class="token operator">+</span> result <span class="token punctuation">}</span> result <span class="token operator">=</span> <span class="token function">string</span> <span class="token punctuation">(</span> str <span class="token punctuation">[</span> i <span class="token punctuation">]</span> <span class="token punctuation">)</span> <span class="token operator">+</span> result <span class="token punctuation">}</span> <span class="token keyword">return</span> result <span class="token punctuation">}</span> <span class="token keyword">func</span> <span class="token function">execute</span> <span class="token punctuation">(</span> fn <span class="token keyword">func</span> <span class="token punctuation">(</span> a <span class="token punctuation">,</span> b <span class="token punctuation">[</span> <span class="token punctuation">]</span> <span class="token builtin">byte</span> <span class="token punctuation">)</span> <span class="token builtin">bool</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token keyword">for</span> i <span class="token operator">:=</span> length <span class="token operator">-</span> <span class="token number">1</span> <span class="token punctuation">;</span> i <span class="token operator">></span> <span class="token number">0</span> <span class="token punctuation">;</span> i <span class="token operator">-=</span> bound <span class="token punctuation">{</span> b <span class="token operator">:=</span> <span class="token function">copyStr</span> <span class="token punctuation">(</span> i <span class="token punctuation">)</span> startTime <span class="token operator">:=</span> time <span class="token punctuation">.</span> <span class="token function">Now</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token function">fn</span> <span class="token punctuation">(</span> a <span class="token punctuation">,</span> b <span class="token punctuation">)</span> endTime <span class="token operator">:=</span> time <span class="token punctuation">.</span> <span class="token function">Since</span> <span class="token punctuation">(</span> startTime <span class="token punctuation">)</span> fmt <span class="token punctuation">.</span> <span class="token function">Printf</span> <span class="token punctuation">(</span> <span class="token string">"Differences at Index: %s, time execute: %sn"</span> <span class="token punctuation">,</span> <span class="token function">formatString</span> <span class="token punctuation">(</span> i <span class="token punctuation">)</span> <span class="token punctuation">,</span> endTime <span class="token punctuation">.</span> <span class="token function">String</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span> <span class="token keyword">func</span> <span class="token function">Compare</span> <span class="token punctuation">(</span> a <span class="token punctuation">,</span> b <span class="token punctuation">[</span> <span class="token punctuation">]</span> <span class="token builtin">byte</span> <span class="token punctuation">)</span> <span class="token builtin">bool</span> <span class="token punctuation">{</span> <span class="token keyword">return</span> <span class="token function">string</span> <span class="token punctuation">(</span> a <span class="token punctuation">)</span> <span class="token operator">==</span> <span class="token function">string</span> <span class="token punctuation">(</span> b <span class="token punctuation">)</span> <span class="token punctuation">}</span> <span class="token keyword">func</span> <span class="token function">CompareConstantTime</span> <span class="token punctuation">(</span> a <span class="token punctuation">,</span> b <span class="token punctuation">[</span> <span class="token punctuation">]</span> <span class="token builtin">byte</span> <span class="token punctuation">)</span> <span class="token builtin">bool</span> <span class="token punctuation">{</span> <span class="token keyword">return</span> subtle <span class="token punctuation">.</span> <span class="token function">ConstantTimeCompare</span> <span class="token punctuation">(</span> a <span class="token punctuation">,</span> b <span class="token punctuation">)</span> <span class="token operator">==</span> <span class="token number">1</span> <span class="token punctuation">}</span> |
- The above code will compare 2 strings of the same length but at a certain index will be different. With the
==operator, the program will immediately stop performing the rest comparison and return the result..hmmm you get it. If your API key is “abc”, the hacker will try with the string “aaa” and “aba”, it is easy to see that the execution time of the string “aba” is longer, so it can be guessed that “aba” is the correct string higher body, and so on…
Therefore, in the above code, I use subtle.ConstantTimeCompare , the function returns 1 if the two strings are equal, 0 if different and immediately returns 0 if the lengths of the two strings are not the same. But how is it different from normal string comparison, we will run the above code and observe the result:
1 2 3 4 5 6 7 8 9 10 11 12 | <span class="token keyword">func</span> <span class="token function">main</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span> fmt <span class="token punctuation">.</span> <span class="token function">Printf</span> <span class="token punctuation">(</span> <span class="token string">"Length of chars: %snn"</span> <span class="token punctuation">,</span> <span class="token function">formatString</span> <span class="token punctuation">(</span> length <span class="token punctuation">)</span> <span class="token punctuation">)</span> fmt <span class="token punctuation">.</span> <span class="token function">Println</span> <span class="token punctuation">(</span> <span class="token string">"Normal comparison: using equal operator"</span> <span class="token punctuation">)</span> <span class="token function">execute</span> <span class="token punctuation">(</span> Compare <span class="token punctuation">)</span> fmt <span class="token punctuation">.</span> <span class="token function">Println</span> <span class="token punctuation">(</span> <span class="token string">"n"</span> <span class="token operator">+</span> strings <span class="token punctuation">.</span> <span class="token function">Repeat</span> <span class="token punctuation">(</span> <span class="token string">"*"</span> <span class="token punctuation">,</span> <span class="token number">50</span> <span class="token punctuation">)</span> <span class="token operator">+</span> <span class="token string">"n"</span> <span class="token punctuation">)</span> fmt <span class="token punctuation">.</span> <span class="token function">Println</span> <span class="token punctuation">(</span> <span class="token string">"Constant time comparison: using subtle.ConstantTimeCompare"</span> <span class="token punctuation">)</span> <span class="token function">execute</span> <span class="token punctuation">(</span> CompareConstantTime <span class="token punctuation">)</span> <span class="token punctuation">}</span> |
- For normal comparisons, the later the string’s position differs, the longer the execution time will be, but with
ConstantTimeCompare, the execution result is guaranteed to be almost the same.
IV. Conclusion
- In fact, the execution time will be affected by many factors such as network latency, other threads, … may have to perform a lot of test samples to give the smallest error. This type of attack is really difficult to achieve, but it is completely possible
- Besides, using
ConstantTimeComparewill take more time, let’s use it when it’s really necessary ^^
Thank you for viewing the article.