Bugtraq mailing list archives
Re: Remote Timing Techniques over TCP/IP
From: Syzop <syz () dds nl>
Date: Fri, 19 Apr 2002 06:06:17 +0200
Hi, Mauro Lacy wrote:
This paper describes remote timing techniques based on TCP/IP intrinsic operation and options. The techniques are used for careful observation of the TCP/IP data stream to detect timing differences in the operation of the remote application and relate them to selected data and/or phenomena.
This reminds me of http://online.securityfocus.com/archive/82/185167 (+see the thread) which also discusses something like this (timing techniques) and the "additional noise" such as task switches, etc.
I'll quote here a comment by Paul Kocher, who told me in a private communication "You might want to try some ... statistical attacks ... ... -- using them, even very tiny differences (<1 us) can be resolved even if there is quite a lot of measurement error (>1 ms)... . The general math required is quite simple - you'd want to look for the difference between the *average* time when [for example] n bytes of a password are correct and the average time when n+1 bytes of the password are correct."
I also remember this reply with another approach to this problem: (from http://online.securityfocus.com/archive/82/186161 ) Quote:
Why noise-filtering? Since there seem to be no invalid low numbers, just take the minimum of a certain amount of tries (1000, 10000) and check whether those give you a clue -- i.e. try to find the ones with the lowest noise and compare them.
I didn't read this all yet (it's a bit late), but it looks very interesting...

Bram Matthys.
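The difference between "n bytes correct" and "n+1 bytes correct" that the quoted comments talk about comes from a comparison that stops at the first mismatch. As an added example (not part of the original post or thread), this C sketch counts byte comparisons as a deterministic stand-in for run time and sets the early-exit compare beside a fixed-work one; the function names, the sample secret and the equal-length assumption are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit compare. *steps counts byte comparisons, used here as a
   deterministic stand-in for the run time an observer would average. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t len, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; i < len; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;               /* work done depends on the secret */
    }
    return 1;
}

/* Fixed-work compare: always visits all len bytes and only folds the
   differences together, so the step count is independent of the data. */
static int fixed_equal(const unsigned char *a, const unsigned char *b,
                       size_t len, size_t *steps)
{
    unsigned char diff = 0;
    size_t i;
    *steps = 0;
    for (i = 0; i < len; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Steps spent on one guess; assumes guess is as long as secret. */
static size_t steps_for(int fixed, const char *secret, const char *guess)
{
    size_t steps, len = strlen(secret);
    const unsigned char *s = (const unsigned char *)secret;
    const unsigned char *g = (const unsigned char *)guess;
    if (fixed) fixed_equal(s, g, len, &steps);
    else       leaky_equal(s, g, len, &steps);
    return steps;
}

int main(void)
{
    const char *secret = "hunter42";   /* constructed sample value */
    const char *guesses[] = { "xxxxxxxx", "huxxxxxx", "hunterxx", "hunter42" };
    size_t i;
    for (i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("%s  early-exit=%zu  fixed=%zu\n", guesses[i],
               steps_for(0, secret, guesses[i]), steps_for(1, secret, guesses[i]));
    return 0;
}
```

In production code, use a vetted primitive such as OpenSSL's `CRYPTO_memcmp` or OpenBSD's `timingsafe_bcmp` rather than a hand-written loop, since a compiler may optimize a loop like `fixed_equal` in ways that reintroduce data-dependent timing.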