This document discusses timing attacks on (no)SQL databases. It begins by explaining how the execution time of a database function like SELECT can depend on both the search string and private data, allowing an attacker to determine private data by measuring timing differences for different search strings. It then provides examples of related work on timing attacks and an overview of indexing algorithms and hash types used by various SQL and noSQL databases. The document discusses how caching, cache warming, and hash table reconstruction can be used in timing attacks. It concludes by mentioning a proof-of-concept tool for timing attacks and an example of a real timing attack case involving session entropy reduction and password hash reduction.

1. (no)SQL timing attacks
PHDays IV, Moscow, 22/05/14
research

2. Timing attacks basics
time to execution of
Function(UserData,PrivateData)
depends from UserData and PrivateData
this time can be use to determine PrivateData
by UserData

3. What is
Function(UserData,PrivateData)
?
Basically - SELECT, but not only
no(SQL) timing attacks

4. Timing attacks intro
execution time of search operation depends on:
● search string
● data on which searches for
attack concept is determine data by timings on
different search strings

5. Timing attacks intro
execution time of search operation depends on:
● search string
● data on which searches for
attack concept is determine data by timings on
different search strings

6. ● BH-USA-07 “Timing Attacks for Recovering
Private Entries From Database Engines”
● Attacking page split on update operation
https://www.blackhat.com/presentations/bh-
usa-
07/Waissbein_Futoransky_and_Saura/Whitepa
per/bh-usa-07-
Related work

7. ● Indexed data (CREATE INDEX …)
● Non-indexed data (exhaustive search)
+ cache mechanism
SQL search basics

8. ● Cache does not prevent
timing attacks
● Cache remove disk
operations noises
Non-indexed data
● Really rare
● Full list iterations
● Strings comparation

9. Data indexing mechanism
● Hash
● B-Tree (not binary tree) variations
● GiST variations (GIN/GiST/SP-GIST)
+ cache mechanism
SQL search basics

10. Database INDEX algo Hash type Cache
MySQL B-Tree (all storage
angines)/HASH (only
for memory/heap and
NDB)
Fowler/Noll/Vo
hash
+
Postgres B-
Tree/GiST/GIN
and SP-GiST
(9.2+), HASH
? +
SQL databases index overview

11. Database INDEX algo Hash type Cache
memcache HASH Jenkins/murmur3 Really? )
redis HASH murmur2->SipHash -
mongodb HASH murmur3 +
noSQL databases index overview

12. Hash performance
http://blog.teamleadnet.
com/2012/08/murmurhash3-
ultra-fast-hash-algorithm.html

13. ● Cache does not prevent
timing attacks
● Cache remove disk
operations noises
To cache or not to cache

14. ● Data from disk to memory
● Memory size can not afford to
store all data
● Attacker can do cache
warmup anytime
Cache warmup

15. Cache warmup
● Attacker can do cache
warmup anytime

16. Hash table reconstructions
● What we measured

17. Hash table reconstructions
● What we expected

18. Hash table reconstructions
● What we measured
N 2N

19. Hash table reconstructions
● 0x01020304
○ SESSION1
○ SESSION2
○ SESSION3
○ SESSION4
○ SESSION5

20. PoC
● Simple tool that can demonstrate timing
anomaly
● Just PoC, not a framework
● Framework soon ;)
https://github.
com/wallarm/researches/blob/master/no-
and-sqli-timing/timing.c

21. Real case from a wild
● Session entropy reduction
● Formatted logins checks (user-<N>)
● Passwords hash reduction. Fill the difference:
○ SELECT id,role,password FROM users WHERE login=...
○ SELECT id,role FROM users WHERE login=... AND
password=...
● ...

22. The end
Contacts:
@wallarm, @d0znpp
http://github.com/wallarm
research