

OpenSSL vulnerable to timing attack? - Moral_
http://seclists.org/fulldisclosure/2014/Apr/117

======
eps
This could, in theory, allow discovering IDs of sessions that are either
active or cached on the server end. IDs are passed in clear between SSL peers,
so being able to recover them doesn't compromise the security of the protocol.

That said, this can be used to estimate the size of the server's session list
and to covertly measure and monitor the volume of its activity. This can come
handy in some cases, but then splicing into server's Internet connection and
passively listening to the traffic would yield the same information with much
less fuss.

~~~
tptacek
C memcmp() timing channels are extremely difficult in practice to exploit,
even at relatively close proximity to targets, so I'm not sure how practical
any of this is.

~~~
pipeep
It's probably not practical, but it doesn't hurt to fix or remove (it's not
used internally in OpenSSL) the code anyways. I submitted a pull request to
Ruby, where the code was copied to, and is used:
[https://github.com/ruby/ruby/pull/591](https://github.com/ruby/ruby/pull/591)
.

------
paulannesley
Follow-up email:
[http://seclists.org/fulldisclosure/2014/Apr/149](http://seclists.org/fulldisclosure/2014/Apr/149)

> Not used anywhere though, just a corpse lying around in the code. — Jann
> Horn

~~~
pipeep
Not in OpenSSL, but Ruby uses it:
[https://github.com/ruby/ruby/blob/1aa54bebaf274bc08e72f9ad38...](https://github.com/ruby/ruby/blob/1aa54bebaf274bc08e72f9ad3854c7ad592c344a/ext/openssl/ossl_ssl_session.c#L76)

~~~
stusmall
Ruby uses a version of it they copied into their source tree. You can't really
fault OpenSSL for another project copying one of their internal, static
functions. I've never looked at Ruby's code base before. Did they just fork
all of OpenSSL?

EDIT: I see you made a patch for it. High five!

~~~
pipeep
The code in question is a Ruby FFI wrapper for OpenSSL (not a fork).
Originally the function wasn't static, so when OpenSSL made it static, Ruby
copied the function implementation to their source tree, as to avoid breaking
their API.

------
chomp
I don't see this function called anywhere in the OpenSSL source, or, for
instance, the Apache source code. Could you clarify on this post?

EDIT: I see it exposed in 0.9.8y. Anyone know of anything that builds against
this specifically and uses it?

~~~
pipeep
Seeing as it's static, it's not part of the public API. Apparently it was used
in Ruby at one point:
[https://groups.google.com/forum/#!topic/mailing.openssl.dev/...](https://groups.google.com/forum/#!topic/mailing.openssl.dev/7kcdEa5lpLI)

I think it's probably a piece of dead code at this point, but there might be
some legacy stuff using it (with an old version of OpenSSL), which could lead
to a vulnerability. Regardless, the function should probably be rewritten or
removed.

EDIT: It looks like the latest version of Ruby (MRI) actually copied this
function from OpenSSL so they could keep using it:
[https://github.com/ruby/ruby/blob/1aa54bebaf274bc08e72f9ad38...](https://github.com/ruby/ruby/blob/1aa54bebaf274bc08e72f9ad3854c7ad592c344a/ext/openssl/ossl_ssl_session.c#L76)

~~~
chomp
Yeah, I'm thinking it's dead code. It's not exposed in modern OpenSSLs, and I
can't find any services we use (Pure-FTP, httpd, etc) that use this function.

OpenSSL devs should probably remove this code.

~~~
pipeep
It looks like there's some github projects using it:
[https://github.com/search?q=SSL_SESSION_cmp&ref=cmdform&type...](https://github.com/search?q=SSL_SESSION_cmp&ref=cmdform&type=Code)

------
ksoderstrom
Is it actually feasible to do a timing attack using memcpy?

I've been testing a bit locally, as in within the same process, without any
luck. I have a hard to seeing how this would work, especially when you add
network latency.

Does anyone have any proof-of-concept code that actually exploits memcpy with
a timing attack?

------
Nexxxeh
Heartbleed I just about understand, as despite this not being my field, smart
people successfully summarized it in an easily digestible way so that I could
even explain it to my mum. Can someone ELI5 this too please?

~~~
pipeep
memcmp compares two blocks of memory byte-by-byte. If the first two bytes
don't match, the function can return early, otherwise it has to check the next
byte. By measuring the execution times for all 256 possible bytes, one should
be able to guess the first byte. Repeat this for the length of the memory
being compared, and you should be able to essentially read the entire block of
memory you're being compared against.

These attacks are usually done over a fast connection (maybe buy a machine in
the same datacenter as your target), and through lots of measurements averaged
together and measured for statistical significance.

We don't know where this function is used, so this might actually be a non-
issue. We need someone more familiar with OpenSSL to comment.

~~~
solarexplorer
What kind of connection is fast enough to detect the difference of a single
loop iteration inside memcmp()? I get that this is type of attack is possible
if you share the same machine with the attacker. But over the network? Are
there any credible sources for this?

~~~
gsnedders
You don't need fast — you need predictable latency, that's all. Once you have
predictable latency, you can work out compute time. And latency can become
predictable through a large number of samples.

Brumley and Boneh's 2003 paper ("Remote timing attacks are practical") on this
is the typical reference: [http://crypto.stanford.edu/~dabo/papers/ssl-
timing.pdf](http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf)

~~~
solarexplorer
My point is that to receive a single packet, you have an external interrupt,
you go through the device driver, the ip stack, etc. And in all that you are
looking for a difference of a single cycle. That won't work. Even with a zero
latency network. There is just too much code involved.

You can measure differences of thousands or maybe even hundreds of cycles, but
not single cycles. That's below the noise level of a modern computer.

~~~
nitrogen
Noise can be filtered out by averaging many samples.

