(No)SQL Timing Attacks for Data Retrieval

Published in: Technology
Transcript

  • 1. (no)SQL timing attacks PHDays IV, Moscow, 22/05/14 research
  • 2. Timing attacks basics: the execution time of Function(UserData, PrivateData) depends on UserData and PrivateData. This time can be used to determine PrivateData from UserData.
  • 3. no(SQL) timing attacks: What is Function(UserData, PrivateData)? Basically SELECT, but not only.
  • 4. Timing attacks intro: the execution time of a search operation depends on: ● the search string ● the data being searched. The attack concept is to determine the data from the timings of different search strings.
  • 6. Related work ● BH-USA-07 “Timing Attacks for Recovering Private Entries From Database Engines” ● Attacking page split on update operation https://www.blackhat.com/presentations/bh-usa-07/Waissbein_Futoransky_and_Saura/Whitepaper/bh-usa-07-
  • 7. SQL search basics ● Indexed data (CREATE INDEX …) ● Non-indexed data (exhaustive search) + cache mechanism
  • 8. Non-indexed data ● Really rare ● Full list iteration ● String comparison ● Cache does not prevent timing attacks ● Cache removes disk operation noise
  • 9. SQL search basics: data indexing mechanism ● Hash ● B-Tree (not binary tree) variations ● GiST variations (GIN/GiST/SP-GiST) + cache mechanism
  • 10. SQL databases index overview
      Database | INDEX algo | Hash type | Cache
      MySQL | B-Tree (all storage engines)/HASH (only for memory/heap and NDB) | Fowler/Noll/Vo hash | +
      Postgres | B-Tree/GiST/GIN and SP-GiST (9.2+), HASH | ? | +
  • 11. noSQL databases index overview
      Database | INDEX algo | Hash type | Cache
      memcache | HASH | Jenkins/murmur3 | Really? )
      redis | HASH | murmur2->SipHash | -
      mongodb | HASH | murmur3 | +
  • 12. Hash performance http://blog.teamleadnet.com/2012/08/murmurhash3-ultra-fast-hash-algorithm.html
  • 13. To cache or not to cache ● Cache does not prevent timing attacks ● Cache removes disk operation noise
  • 14. Cache warmup ● Data moves from disk to memory ● Memory is too small to hold all the data ● Attacker can do cache warmup anytime
  • 15. Cache warmup ● Attacker can do cache warmup anytime
  • 16. Hash table reconstructions ● What we measured
  • 17. Hash table reconstructions ● What we expected
  • 18. Hash table reconstructions ● What we measured N 2N
  • 19. Hash table reconstructions ● 0x01020304 ○ SESSION1 ○ SESSION2 ○ SESSION3 ○ SESSION4 ○ SESSION5
  • 20. PoC ● Simple tool that can demonstrate the timing anomaly ● Just a PoC, not a framework ● Framework soon ;) https://github.com/wallarm/researches/blob/master/no-and-sqli-timing/timing.c
  • 21. Real case from the wild ● Session entropy reduction ● Formatted login checks (user-<N>) ● Password hash reduction. Feel the difference: ○ SELECT id,role,password FROM users WHERE login=... ○ SELECT id,role FROM users WHERE login=... AND password=... ● ...
  • 22. The end Contacts: @wallarm, @d0znpp http://github.com/wallarm research
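
The two query shapes from slide 21, side by side, as an added example that is not part of the deck or the Wallarm PoC. The table layout (with an assumed `salt` column), the helper names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def pw_hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE,"
               " role TEXT, salt BLOB, password BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users (login, role, salt, password) VALUES (?, ?, ?, ?)",
               ("user-1", "admin", salt, pw_hash("correct horse", salt)))
    return db

# Stand-in credentials so unknown logins cost the same work as known ones.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = pw_hash("placeholder", DUMMY_SALT)

def login_db_compare(db, login, password):
    # Second query shape on the slide: the database engine compares the
    # candidate hash with the stored one, which is the search operation
    # whose timing the deck measures.
    row = db.execute("SELECT salt FROM users WHERE login = ?", (login,)).fetchone()
    if row is None:
        return None
    return db.execute("SELECT id, role FROM users WHERE login = ? AND password = ?",
                      (login, pw_hash(password, row[0]))).fetchone()

def login_app_compare(db, login, password):
    # First query shape: look up by login only, then compare the hashes in
    # the application with a constant-time primitive.
    row = db.execute("SELECT id, role, salt, password FROM users WHERE login = ?",
                     (login,)).fetchone()
    uid, role, salt, stored = row if row else (None, None, DUMMY_SALT, DUMMY_HASH)
    # Unknown logins still pay for one hash and one comparison.
    ok = hmac.compare_digest(pw_hash(password, salt), stored)
    return (uid, role) if row is not None and ok else None
```
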
