(No)SQL Timing Attacks for Data Retrieval

  1. (no)SQL timing attacks. PHDays IV, Moscow, 22/05/14. research
  2. Timing attacks basics. The execution time of Function(UserData, PrivateData) depends on both UserData and PrivateData; this time can be used to determine PrivateData from UserData.
  3. What is Function(UserData, PrivateData)? Basically SELECT, but not only. (no)SQL timing attacks
  4. Timing attacks intro. The execution time of a search operation depends on: ● the search string ● the data being searched. Attack concept: determine the data from the timings of different search strings.
  5. (same as slide 4)
  6. Related work ● BH-USA-07 “Timing Attacks for Recovering Private Entries From Database Engines” https://www.blackhat.com/presentations/bh-usa-07/Waissbein_Futoransky_and_Saura/Whitepaper/bh-usa-07- ● Attacking page split on update operation
  7. SQL search basics ● Indexed data (CREATE INDEX …) ● Non-indexed data (exhaustive search) + cache mechanism
  8. Non-indexed data ● Really rare ● Full list iteration ● String comparison. ● Cache does not prevent timing attacks ● Cache removes disk operation noise
  9. SQL search basics. Data indexing mechanism ● Hash ● B-Tree (not binary tree) variations ● GiST variations (GIN/GiST/SP-GiST) + cache mechanism
  10. SQL databases index overview
      Database  | INDEX algo                                                    | Hash type            | Cache
      MySQL     | B-Tree (all storage engines) / HASH (only for memory/heap and NDB) | Fowler/Noll/Vo hash  | +
      Postgres  | B-Tree / GiST / GIN and SP-GiST (9.2+), HASH                  | ?                    | +
  11. noSQL databases index overview
      Database  | INDEX algo | Hash type          | Cache
      memcache  | HASH       | Jenkins / murmur3  | Really? )
      redis     | HASH       | murmur2 -> SipHash | -
      mongodb   | HASH       | murmur3            | +
  12. Hash performance: http://blog.teamleadnet.com/2012/08/murmurhash3-ultra-fast-hash-algorithm.html
  13. To cache or not to cache ● Cache does not prevent timing attacks ● Cache removes disk operation noise
  14. Cache warmup ● Data moves from disk to memory ● Memory cannot hold all the data ● An attacker can warm up the cache at any time
  15. Cache warmup ● An attacker can warm up the cache at any time
  16. Hash table reconstructions ● What we measured
  17. Hash table reconstructions ● What we expected
  18. Hash table reconstructions ● What we measured (N, 2N)
  19. Hash table reconstructions ● 0x01020304 ○ SESSION1 ○ SESSION2 ○ SESSION3 ○ SESSION4 ○ SESSION5
  20. PoC ● A simple tool that demonstrates the timing anomaly ● Just a PoC, not a framework ● Framework soon ;) https://github.com/wallarm/researches/blob/master/no-and-sqli-timing/timing.c
  21. Real case from the wild ● Session entropy reduction ● Formatted login checks (user-<N>) ● Password hash reduction. Spot the difference: ○ SELECT id,role,password FROM users WHERE login=... ○ SELECT id,role FROM users WHERE login=... AND password=... ● ...
  22. The end. Contacts: @wallarm, @d0znpp, http://github.com/wallarm research
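Slide 2 states the principle (execution time of Function(UserData, PrivateData) depends on the private data) and slide 21 shows the two login queries it applies to. The following is an added example, not code from the talk or from the wallarm repository: it builds a constructed in-memory SQLite users table (hypothetical logins and hashes), implements the weaker pattern in which the password hash comparison is pushed into the WHERE clause (so the engine's string comparison and index path operate on the secret), and the stronger pattern in which only the indexed login is looked up and the hash is compared in the application with `hmac.compare_digest`. SHA-256 stands in for a real password KDF purely to keep the example short; `measure_ns` is a small helper for looking at the timings yourself.

```python
import hashlib
import hmac
import sqlite3
import time


def pw_hash(password: str) -> str:
    """Stand-in for a password KDF; SHA-256 keeps the example short."""
    return hashlib.sha256(password.encode()).hexdigest()


# Hash compared against when the login does not exist, so unknown and
# known logins go through the same comparison work.
DUMMY_HASH = pw_hash("")


def build_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical users, not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "role TEXT, password TEXT)"
    )
    conn.execute("CREATE INDEX users_login ON users(login)")
    rows = [
        (1, "user-1", "admin", pw_hash("correct horse")),
        (2, "user-2", "user", pw_hash("battery staple")),
        (3, "user-3", "user", pw_hash("hunter2")),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def login_in_where(conn: sqlite3.Connection, login: str, password: str):
    """Slide 21, second query: the secret comparison runs inside the DB engine.

    The time spent matching `password=?` is decided by the engine's
    comparison and index code, not by the application.
    """
    return conn.execute(
        "SELECT id, role FROM users WHERE login=? AND password=?",
        (login, pw_hash(password)),
    ).fetchone()


def login_compare_in_app(conn: sqlite3.Connection, login: str, password: str):
    """Slide 21, first query: look up by login only, compare the hash here.

    The DB only sees the (non-secret, indexed) login; the secret comparison
    is a constant-time digest comparison in the application.
    """
    row = conn.execute(
        "SELECT id, role, password FROM users WHERE login=?", (login,)
    ).fetchone()
    supplied = pw_hash(password)
    if row is None:
        # Do the same amount of comparison work for unknown logins.
        hmac.compare_digest(supplied, DUMMY_HASH)
        return None
    uid, role, stored = row
    if hmac.compare_digest(supplied, stored):
        return (uid, role)
    return None


def measure_ns(fn, *args, rounds: int = 200) -> int:
    """Median wall-clock time of fn(*args) in nanoseconds (for inspection only)."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter_ns()
        fn(*args)
        samples.append(time.perf_counter_ns() - start)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    db = build_db()
    print("in WHERE, correct:", login_in_where(db, "user-1", "correct horse"))
    print("in app,   correct:", login_compare_in_app(db, "user-1", "correct horse"))
    print("in app,   wrong  :", login_compare_in_app(db, "user-1", "nope"))
    for name, fn in (("where", login_in_where), ("app", login_compare_in_app)):
        print(name, "median ns:", measure_ns(fn, db, "user-1", "nope"))
```

The fixed variant still performs one indexed lookup per attempt, so it costs nothing extra; what changes is that the only value the engine compares is the login, and the hash comparison no longer varies with how many leading bytes of the stored hash the supplied one happens to share.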