
(No)SQL Timing Attacks for Data Retrieval


  1. (no)SQL timing attacks. PHDays IV, Moscow, 22/05/14. Research.
  2. Timing attacks basics
     ● The time to execute Function(UserData, PrivateData) depends on both UserData and PrivateData.
     ● That time can be used to determine PrivateData from the UserData supplied.
  3. What is Function(UserData, PrivateData)?
     ● Basically SELECT, but not only SELECT: (no)SQL timing attacks.
  4. Timing attacks intro
     ● The execution time of a search operation depends on:
       ● the search string
       ● the data being searched
     ● Attack concept: determine the data from the timings of different search strings.
  6. Related work
     ● BH-USA-07, "Timing Attacks for Recovering Private Entries From Database Engines"
     ● Attacking page split on the update operation
     ● https://www.blackhat.com/presentations/bh-usa-07/Waissbein_Futoransky_and_Saura/Whitepaper/bh-usa-07-
  7. SQL search basics
     ● Indexed data (CREATE INDEX ...)
     ● Non-indexed data (exhaustive search)
     ● + cache mechanism
  8. Non-indexed data
     ● Really rare
     ● Full list iteration
     ● String comparison
     ● Cache does not prevent timing attacks
     ● Cache removes disk-operation noise
  9. SQL search basics: data indexing mechanisms
     ● Hash
     ● B-Tree (not binary tree) variations
     ● GiST variations (GIN/GiST/SP-GiST)
     ● + cache mechanism
  10. SQL databases index overview
      Database   INDEX algo                                                          Hash type             Cache
      MySQL      B-Tree (all storage engines) / HASH (only for MEMORY/HEAP and NDB)  Fowler/Noll/Vo hash   +
      Postgres   B-Tree/GiST/GIN and SP-GiST (9.2+), HASH                            ?                     +
  11. noSQL databases index overview
      Database   INDEX algo   Hash type            Cache
      memcache   HASH         Jenkins/murmur3      Really? )
      redis      HASH         murmur2 -> SipHash   -
      mongodb    HASH         murmur3              +
  12. Hash performance (chart)
      http://blog.teamleadnet.com/2012/08/murmurhash3-ultra-fast-hash-algorithm.html
  13. To cache or not to cache
      ● Cache does not prevent timing attacks
      ● Cache removes disk-operation noise
  14. Cache warmup
      ● Data goes from disk to memory
      ● Memory size cannot afford to store all data
      ● Attacker can do cache warmup anytime
  15. Cache warmup
      ● Attacker can do cache warmup anytime
  16. Hash table reconstructions: what we measured (chart)
  17. Hash table reconstructions: what we expected (chart)
  18. Hash table reconstructions: what we measured (chart; x-axis marks N and 2N)
  19. Hash table reconstructions
      ● 0x01020304
        ○ SESSION1
        ○ SESSION2
        ○ SESSION3
        ○ SESSION4
        ○ SESSION5
  20. PoC
      ● Simple tool that can demonstrate the timing anomaly
      ● Just a PoC, not a framework
      ● Framework soon ;)
      ● https://github.com/wallarm/researches/blob/master/no-and-sqli-timing/timing.c
  21. Real case from the wild
      ● Session entropy reduction
      ● Formatted login checks (user-<N>)
      ● Password hash reduction. Feel the difference:
        ○ SELECT id,role,password FROM users WHERE login=...
        ○ SELECT id,role FROM users WHERE login=... AND password=...
      ● ...
  22. The end
      Contacts: @wallarm, @d0znpp
      http://github.com/wallarm research
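Slide 21 contrasts two ways of checking a login: fetching the stored password by login and comparing it in the application, versus letting the database compare the submitted value inside the WHERE clause. The defensive point is that a comparison involving secret data (the stored hash) should neither be delegated to the engine's general-purpose comparison nor be allowed to short-circuit when the login does not exist. The following is an added example written for this page, not code from the talk or from the wallarm repository; it uses an in-memory SQLite table with a constructed schema (columns pw_unsalted, salt, pwhash are assumptions) and sample user-1 data, and shows the weak pattern next to a hardened one that always performs the same amount of work and compares digests in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

# PBKDF2 iteration count; chosen low enough for a quick demo (assumption).
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the digest stored in the hardened schema."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_db() -> sqlite3.Connection:
    """Constructed sample 'users' table standing in for the one on slide 21.

    pw_unsalted holds a plain SHA-256 digest for the weak pattern; salt/pwhash
    hold the salted digest for the hardened pattern. Both columns are assumptions.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, role TEXT,"
        " pw_unsalted BLOB, salt BLOB, pwhash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (login, role, pw_unsalted, salt, pwhash) VALUES (?,?,?,?,?)",
        ("user-1", "admin",
         hashlib.sha256(b"correct horse").digest(),
         salt, hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


# Dummy salt/hash so that an unknown login costs the same as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def weak_verify(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Second query from slide 21: the database compares the password.

    The engine's byte comparison of the submitted digest against the stored
    one is not designed to be constant-time, and the query returns at once
    when the login is unknown, so response time carries information about
    the secret column and about which logins exist.
    """
    digest = hashlib.sha256(password.encode()).digest()
    row = conn.execute(
        "SELECT id, role FROM users WHERE login=? AND pw_unsalted=?", (login, digest)
    ).fetchone()
    return row is not None


def hardened_verify(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Fetch by login only; compare in the application in constant time.

    The stored hash never appears in a WHERE clause, the salted hash is
    computed whether or not the login exists, and hmac.compare_digest does
    not leak how many leading bytes matched.
    """
    row = conn.execute(
        "SELECT id, role, salt, pwhash FROM users WHERE login=?", (login,)
    ).fetchone()
    if row is None:
        salt, stored = _DUMMY_SALT, _DUMMY_HASH   # same work for unknown logins
    else:
        salt, stored = row[2], row[3]
    candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    return matched and row is not None


CONN = build_db()

if __name__ == "__main__":
    for fn in (weak_verify, hardened_verify):
        print(fn.__name__, fn(CONN, "user-1", "correct horse"),
              fn(CONN, "user-1", "wrong"), fn(CONN, "user-2", "correct horse"))
```

Both functions return the same booleans; the difference is where the secret-dependent comparison runs and whether the unknown-login path does less work than the known-login path, which is exactly what a timing measurement can tell apart.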
