Bugtraq mailing list archives

Re: Remote Timing Techniques over TCP/IP


From: Syzop <syz () dds nl>
Date: Fri, 19 Apr 2002 06:06:17 +0200

Hi,

Mauro Lacy wrote:

> This paper describes remote timing techniques based on TCP/IP intrinsic operation and options. The techniques are
> used for careful observation of the TCP/IP data stream to detect timing differences in the operation of the remote
> application and relate them to selected data and/or phenomena.

This reminds me of http://online.securityfocus.com/archive/82/185167 (+see the thread) which
also discusses something like this (timing techniques) and the "additional noise" such as
task switches, etc.

I'll quote here a comment by Paul Kocher, who told me in a private communication

"You might want to try some ... statistical attacks ...
... -- using them, even very tiny differences (<1 us) can
be resolved even if there is quite a lot of measurement error
(>1 ms)... . The general math required
is quite simple - you'd want to look for the difference between
the *average* time when [for example] n bytes of a password
are correct and the average time when n+1 bytes of the password
are correct."

I also remember this reply with another approach to this problem:
(from http://online.securityfocus.com/archive/82/186161 )
Quote:
Why noise-filtering? Since there seem to be no invalid low numbers,
just take the minimum of a certain amount of tries (1000, 10000)
and check whether those give you a clue -- i.e. try to find
the ones with the lowest noise and compare them.

I didn't read this all yet (it's a bit late), but it looks very interesting...

    Bram Matthys.
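An added, simulated illustration of the two estimators quoted above (Kocher's difference of averages and the reply's difference of minimums), written for this archive page and not taken from the thread or its authors; it models a comparison that stops at the first mismatched byte beside a constant-time one, and the per-byte cost, noise distribution and sample counts are all assumed values chosen so the run is reproducible without real timers.

```python
import random
import statistics

# Model used in the thread: per-request time = fixed cost + work that depends on how
# many leading password bytes match + non-negative measurement noise (task switches,
# network jitter). Everything is simulated; no real clocks are read.
US = 1e-6
PER_BYTE_COST = 10 * US          # assumed cost of comparing one more byte
NOISE_MEAN = 500 * US            # assumed measurement error, far larger than the signal
PASSWORD_LEN = 16

def early_exit_cost(matched_prefix: int) -> float:
    """Byte-by-byte comparison that stops at the first mismatch (leaky model)."""
    return 2_000 * US + PER_BYTE_COST * matched_prefix

def constant_time_cost(matched_prefix: int) -> float:
    """Comparison that always does the full amount of work (hmac.compare_digest style)."""
    return 2_000 * US + PER_BYTE_COST * PASSWORD_LEN

def measure(cost, matched_prefix: int, n: int, rng: random.Random) -> list:
    """n noisy observations for one guess class. The noise is one-sided (exponential),
    which is exactly the 'no invalid low numbers' property the second reply relies on."""
    base = cost(matched_prefix)
    return [base + rng.expovariate(1 / NOISE_MEAN) for _ in range(n)]

def estimate_step(t_n: list, t_n1: list) -> tuple:
    """Two estimates of the extra work for one more correct byte:
    difference of averages (Kocher) and difference of minimums (the reply)."""
    mean_diff = statistics.fmean(t_n1) - statistics.fmean(t_n)
    min_diff = min(t_n1) - min(t_n)
    return mean_diff, min_diff

def leak_check(cost, n_samples: int = 100_000, seed: int = 1) -> tuple:
    """Return (mean_diff, min_diff) in seconds for 3 vs 4 correct leading bytes.
    A value near PER_BYTE_COST means the comparison leaks the matched-prefix length;
    a value near zero means it does not."""
    rng = random.Random(seed)
    t_n = measure(cost, 3, n_samples, rng)     # three leading bytes correct
    t_n1 = measure(cost, 4, n_samples, rng)    # four leading bytes correct
    return estimate_step(t_n, t_n1)

if __name__ == "__main__":
    for name, cost in (("early-exit", early_exit_cost), ("constant-time", constant_time_cost)):
        mean_diff, min_diff = leak_check(cost)
        print(f"{name:14s} mean diff {mean_diff / US:7.2f} us   min diff {min_diff / US:7.3f} us")
```

With 100,000 samples per class the averaging estimator resolves the 10 us step through 500 us of noise only to within a few microseconds, while the minimum-based estimator lands within tens of nanoseconds, which is why one-sided noise makes the minimum so attractive as a filter.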
