(No)SQL Timing Attacks for Data Retrieval
Transcript

  • 1. (no)SQL timing attacks PHDays IV, Moscow, 22/05/14 research
  • 2. Timing attacks basics: the execution time of Function(UserData, PrivateData) depends on both UserData and PrivateData; that time can therefore be used to determine PrivateData from chosen values of UserData.
  • 3. no(SQL) timing attacks: what is Function(UserData, PrivateData)? Basically SELECT, but not only.
  • 4. Timing attacks intro: the execution time of a search operation depends on ● the search string ● the data being searched. Attack concept: determine the data from the timings of different search strings.
  • 5. Timing attacks intro: the execution time of a search operation depends on ● the search string ● the data being searched. Attack concept: determine the data from the timings of different search strings.
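The leak the slides describe (cost of the search depends on both the attacker's string and the private data) comes from comparisons that stop at the first mismatch. The following is an added illustration, not code from the deck or from Wallarm: it counts byte comparisons instead of measuring wall-clock time, so the dependence is deterministic and visible, and puts a constant-time comparison beside it to show what removes the dependence. The secret and candidate strings are constructed sample values.

```python
# Added example (not from the Wallarm deck). Operation counts stand in for
# execution time so the data dependence is reproducible without a timer.
import hmac
from typing import List, Tuple


def naive_compare(candidate: bytes, secret: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the shape of strcmp/memcmp-style code paths.

    Returns (equal, number_of_byte_comparisons). The count equals the length
    of the matching prefix plus one, which is exactly the information a
    timing attack recovers one position at a time.
    """
    ops = 0
    if len(candidate) != len(secret):
        return False, ops
    for a, b in zip(candidate, secret):
        ops += 1
        if a != b:
            return False, ops
    return True, ops


def constant_time_compare(candidate: bytes, secret: bytes) -> Tuple[bool, int]:
    """Compares every byte whatever the position of the first mismatch.

    For fixed-length values (session ids, digests) the count depends only on
    the length, never on the contents. Real code should call
    hmac.compare_digest, which this function mirrors; the explicit loop is
    only here to expose the operation count.
    """
    ops = 0
    diff = len(candidate) ^ len(secret)
    for a, b in zip(candidate, secret):
        ops += 1
        diff |= a ^ b
    return diff == 0, ops


def op_profile(secret: bytes, candidates: List[bytes]) -> Tuple[List[int], List[int]]:
    """Operation counts of both comparisons over a list of candidate strings.

    The naive profile rises as more of the prefix matches; the constant-time
    profile is flat. This is the "timings on different search strings" the
    attack concept on the slide relies on, and what the fix removes.
    """
    naive = [naive_compare(c, secret)[1] for c in candidates]
    const = [constant_time_compare(c, secret)[1] for c in candidates]
    return naive, const


if __name__ == "__main__":
    # Constructed sample: a 6-byte secret and candidates sharing 0, 1, 2 bytes.
    secret = b"s3cr3t"
    probes = [b"xxxxxx", b"sxxxxx", b"s3xxxx"]
    print(op_profile(secret, probes))
    # Sanity check that the library primitive agrees on the equality result.
    assert hmac.compare_digest(secret, secret) == constant_time_compare(secret, secret)[0]
```

Replacing the loop with `hmac.compare_digest` is the practical mitigation for application code; for comparisons that happen inside a database index (the subject of the later slides) the application cannot change the comparison, which is why the query pattern matters.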
  • 6. Related work ● BH-USA-07 “Timing Attacks for Recovering Private Entries From Database Engines” ● Attacking page split on update operation https://www.blackhat.com/presentations/bh-usa-07/Waissbein_Futoransky_and_Saura/Whitepaper/bh-usa-07-
  • 7. SQL search basics ● Indexed data (CREATE INDEX …) ● Non-indexed data (exhaustive search) + cache mechanism
  • 8. Non-indexed data ● Really rare ● Full list iteration ● String comparison ● Cache does not prevent timing attacks ● Cache removes disk-operation noise
  • 9. SQL search basics: data indexing mechanism ● Hash ● B-Tree (not binary tree) variations ● GiST variations (GIN/GiST/SP-GIST) + cache mechanism
  • 10. SQL databases index overview
        Database | INDEX algo                                                      | Hash type           | Cache
        MySQL    | B-Tree (all storage engines) / HASH (only for memory/heap and NDB) | Fowler/Noll/Vo hash | +
        Postgres | B-Tree/GiST/GIN and SP-GiST (9.2+), HASH                        | ?                   | +
  • 11. noSQL databases index overview
        Database | INDEX algo | Hash type         | Cache
        memcache | HASH       | Jenkins/murmur3   | Really? )
        redis    | HASH       | murmur2->SipHash  | -
        mongodb  | HASH       | murmur3           | +
  • 12. Hash performance http://blog.teamleadnet.com/2012/08/murmurhash3-ultra-fast-hash-algorithm.html
  • 13. To cache or not to cache ● Cache does not prevent timing attacks ● Cache removes disk-operation noise
  • 14. Cache warmup ● Data moves from disk to memory ● Memory is too small to hold all the data ● Attacker can do cache warmup anytime
  • 15. Cache warmup ● Attacker can do cache warmup anytime
  • 16. Hash table reconstructions ● What we measured
  • 17. Hash table reconstructions ● What we expected
  • 18. Hash table reconstructions ● What we measured (chart labels: N, 2N)
  • 19. Hash table reconstructions ● 0x01020304 ○ SESSION1 ○ SESSION2 ○ SESSION3 ○ SESSION4 ○ SESSION5
  • 20. PoC ● Simple tool that demonstrates the timing anomaly ● Just a PoC, not a framework ● Framework soon ;) https://github.com/wallarm/researches/blob/master/no-and-sqli-timing/timing.c
  • 21. Real case from the wild ● Session entropy reduction ● Formatted login checks (user-<N>) ● Password hash reduction. Spot the difference: ○ SELECT id,role,password FROM users WHERE login=... ○ SELECT id,role FROM users WHERE login=... AND password=... ● ...
  • 22. The end. Contacts: @wallarm, @d0znpp, http://github.com/wallarm research
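The difference between the two SELECTs on the slide is where the password comparison runs: in the second form the stored hash sits in the WHERE clause, so the database's own comparison and index lookup execute on the secret and their timing depends on it. The following is an added example, not code from the deck or from Wallarm, showing the first form used safely: a login-only parameterised lookup, the hash verified in the application with `hmac.compare_digest`, and a fixed dummy hash verified when the login does not exist so that the unknown-login path does the same amount of work. The schema, the PBKDF2 iteration count, the sample users and their passwords are all constructed for the example.

```python
# Added example (not from the Wallarm deck): login check that keeps the
# password comparison out of the database and out of the timing path.
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: pick a cost appropriate for the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; fixed 32-byte output for constant-time comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def setup_db() -> sqlite3.Connection:
    """Constructed sample users table; logins follow the user-<N> format from the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, "
        "role TEXT, salt BLOB, password BLOB)"
    )
    sample_users = [("user-1", "admin", "correct horse"), ("user-2", "user", "battery staple")]
    for login, role, password in sample_users:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users (login, role, salt, password) VALUES (?, ?, ?, ?)",
            (login, role, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


# Fixed dummy credentials verified when the login is unknown, so that path
# performs the same PBKDF2 work as a real user and does not reveal whether
# the login exists through response time.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def verify_login(conn: sqlite3.Connection, login: str, password: str) -> Tuple[bool, Optional[str]]:
    """Returns (authenticated, role).

    The SELECT filters on login only (the first query form on the slide); the
    secret never appears in the WHERE clause, so the index lookup and row
    comparison inside the database cannot depend on it.
    """
    row = conn.execute(
        "SELECT id, role, salt, password FROM users WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        exists, role, salt, stored = False, None, _DUMMY_SALT, _DUMMY_HASH
    else:
        exists, (_, role, salt, stored) = True, row
    # Both branches hash and compare: same work, same code path.
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    if ok and exists:
        return True, role
    return False, None


if __name__ == "__main__":
    db = setup_db()
    print(verify_login(db, "user-1", "correct horse"))   # (True, 'admin')
    print(verify_login(db, "user-1", "wrong"))           # (False, None)
    print(verify_login(db, "user-999", "anything"))      # (False, None)
```

The `exists` flag is checked after the comparison rather than before so that an unknown login cannot be distinguished from a wrong password by which branch returns early; the only response the caller sees is the same (False, None) in both cases.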