(No)SQL Timing Attacks for Data Retrieval
Transcript of (No)SQL Timing Attacks for Data Retrieval
(no)SQL timing attacks
PHDays IV, Moscow, 22/05/14
research
Timing attacks basics
The execution time of Function(UserData, PrivateData) depends on both UserData and PrivateData.
That time can be used to determine PrivateData from the chosen UserData.
What is Function(UserData, PrivateData)?
Basically SELECT, but not only.
no(SQL) timing attacks
Timing attacks intro
The execution time of a search operation depends on:
● the search string
● the data being searched
Attack concept: determine the data from the timings of different search strings.
Related work
● BH-USA-07 “Timing Attacks for Recovering Private Entries From Database Engines”
● Attacking page split on update operation
https://www.blackhat.com/presentations/bh-usa-07/Waissbein_Futoransky_and_Saura/Whitepaper/bh-usa-07-waissbein_futoransky_and_saura-WP.pdf
SQL search basics
● Indexed data (CREATE INDEX …)
● Non-indexed data (exhaustive search)
+ cache mechanism
● Cache does not prevent timing attacks
● Cache removes the noise of disk operations
Non-indexed data
● Really rare
● Full list iteration
● String comparison
SQL search basics
Data indexing mechanism
● Hash
● B-Tree (not binary tree) variations
● GiST variations (GIN/GiST/SP-GiST)
+ cache mechanism
SQL databases index overview

Database   INDEX algo                                                            Hash type             Cache
MySQL      B-Tree (all storage engines) / HASH (only for memory/heap and NDB)    Fowler/Noll/Vo hash   +
Postgres   B-Tree/GiST/GIN and SP-GiST (9.2+), HASH                             ?                     +
SQLite     B+-Tree                                                              -                     +
noSQL databases index overview

Database   INDEX algo   Hash type            Cache
memcache   HASH         Jenkins/murmur3      Really? )
redis      HASH         murmur2->SipHash     -
mongodb    HASH         murmur3              +
Hash performance
http://blog.teamleadnet.com/2012/08/murmurhash3-ultra-fast-hash-algorithm.html
To cache or not to cache
● Data moves from disk to memory
● Memory size cannot afford to store all data
● Attacker can do cache warmup anytime
Cache warmup
● Attacker can do cache warmup anytime
Hash table reconstructions
● What we measured
● What we expected
● What we measured
[plot: N vs 2N]
● 0x01020304
○ SESSION1
○ SESSION2
○ SESSION3
○ SESSION4
○ SESSION5
PoC
● Simple tool that can demonstrate the timing anomaly
● Just a PoC, not a framework
● Framework soon ;)
https://github.com/wallarm/researches/blob/master/no-and-sqli-timing/timing.c
Real case from the wild
● Session entropy reduction
● Formatted login checks (user-<N>)
● Password hash reduction. Spot the difference:
○ SELECT id,role,password FROM users WHERE login=...
○ SELECT id,role FROM users WHERE login=... AND password=...
● ...
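The two query shapes on that slide differ in where the secret comparison happens. The added example below is written for this page (it is not from the talk or the wallarm PoC tool; the users table, the hex SHA-256 storage format and the function names are constructed): the first function pushes the password hash into the WHERE clause, so the database's own string comparison runs against the stored secret, while the second fetches the stored hash by login only and compares it in the application with a constant-time comparison.

```python
import hashlib
import hmac
import sqlite3

# Constructed in-memory stand-in for the "users" table on the slide.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER, login TEXT, role TEXT, password TEXT)")


def pwd_hash(password: str) -> str:
    # Hypothetical storage format: hex SHA-256 (a real deployment would use a
    # salted, slow password hash); fixed-length output keeps the compare simple.
    return hashlib.sha256(password.encode()).hexdigest()


DB.execute("INSERT INTO users VALUES (1, 'user-1', 'admin', ?)", (pwd_hash("s3cret"),))


def login_compare_in_db(login: str, password: str):
    # Second query shape: the candidate hash is part of the WHERE clause, so the
    # database compares it byte by byte against the stored value on every attempt.
    return DB.execute(
        "SELECT id, role FROM users WHERE login=? AND password=?",
        (login, pwd_hash(password)),
    ).fetchone()


def login_compare_in_app(login: str, password: str):
    # First query shape: look up by login only, then compare the stored hash with
    # hmac.compare_digest, which does not short-circuit on the first differing byte.
    row = DB.execute(
        "SELECT id, role, password FROM users WHERE login=?", (login,)
    ).fetchone()
    if row is None:
        # Run the same comparison for an unknown login so that path does not skip it.
        hmac.compare_digest(pwd_hash(password), pwd_hash(""))
        return None
    user_id, role, stored = row
    if not hmac.compare_digest(stored, pwd_hash(password)):
        return None
    return (user_id, role)
```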
The end
Contacts:
@wallarm, @d0znpp
http://github.com/wallarm