Padraic Brady's Blog: Nanosecond Scale Remote Timing Attacks On PHP Apps: Take Them Seriously?
In a new post to his blog Padraic Brady takes a look at remote timing attacks that happen on a nanosecond scale and whether or not we, as application developers, should take them seriously. Timing attacks involve gleaning information off of systems based on the response and execution time.
I've been following the progress of Remote Timing Attacks with a lot of interest over the years, during which time there has been an obvious trend in improving the technique. The most recent reported cases of Remote Timing Attack vulnerabilities, for example, were against the OpenID and OAuth protocols when it was reported in July 2010 that numerous open source implementations of these protocols did not prevent the disclosure of timing information that could enable a Remote Timing Attack. It is important to note that, as with many potential attacks, the protocols themselves contain no vulnerability. This is strictly a potential vulnerability contingent on the method of implementation.
He starts off by defining timing attacks in a bit more detail, including an example of how an attacker could determine the validity of a username based on the response time of how its handled. He continues on talking about how important the nanosecond is to attacks like this (might as well be minutes) and how things like the C function memcmp can be used to catch these tiny time differences. There's plenty more detail in between, but he finishes the post off with a look at what you can do to help prevent this type of attack from being useful on your applications.