Time is NOT on your Side presented at Chaos Communication Congress 29

by Sebastian Schinzel,

Tags: Web Security Attack Timing Attacks

Summary : In this years talk, I tie on my 28c3 talk and present timing side channels from a defending viewpoint: How can one mitigate timing side channels? Arent random delays sufficient to prevent timing side channels in practice? What is the minimum size of random delays to be effective? Are there other delay strategies besides random delays that are more effective and efficient?
Timing side channels are vulnerabilities in software applications that leak sensitive information about secret values such as cryptographic keys. They differ from common intrusive vulnerabilities such as Buffer Overflows or SQL-Injection because the attacker sends normally looking requests to the server and infers secret information just from the time it took to process the request. Timing attacks are getting increasingly well understood by day-to-day penetration testers and in academia, breaking Web standards such as XML Encryption [1], or helping to fingerprint Web Application Firewalls [2]. At 28c3, I gave the talk Time is on my Side [3], which gave an overview of timing attacks, introduced a set of tools for timing attacks and explained practical timing attacks against real applications.
In this years talk, I tie on my 28c3 talk and present timing side channels from a defending viewpoint: How can one mitigate timing side channels? Arent random delays sufficient to prevent timing side channels in practice? What is the minimum size of random delays to be effective? Are there other delay strategies besides random delays that are more effective and efficient?