New attack forces HTTP/2 to leak information from target system through timing information


Researchers discover a new attack forces HTTP/2 to leak information from the target system through timing information

Researchers have discovered a new technique that uses remote timing-based side-channel attack which is claimed to be more effective in collecting the information regardless of the network congestion between the adversary and the target server.

As defined by Portswigger, The new method, called Timeless Timing Attacks (TTAs) by researchers from DistriNet Research Group and New York University Abu Dhabi, instead leverages multiplexing of network protocols and concurrent execution by applications, thus making the attacks immune to network conditions.

The technique developed by Goethem and his colleagues performs remote timing attacks in a way that cancels the effect of the network jitter. The idea behind the timeless timing attack is simple: Make sure the requests reach the server at the exact same time instead of sending them sequentially.

Concurrency ensures that both requests enjoy the same network conditions and their performance is unaffected by the path between the attacker and the server. Afterward, the order in which the responses arrive will give you all the information you need to compare computation times.

“The main advantage of the timeless timing attacks is that these are much more accurate, so much fewer requests are needed. This allows an attacker to detect differences in execution time as small as 100ns,” Van Goethem says.

Moreover, unlike the typical timing-based attacks, the execution times are specifically measured independently and sequentially, however, as the research says the latest technique attempts to extract information from the order and the relative timing difference between two concurrently executed requests without relying on any timing information.

As a result, security researchers explore timeless attacks in three different settings.

  1. Direct Timing attacks
  2. Cross-site Timing attacks
  3. Timeless attacks on the WPA3 WiFi protocol

As reported by Portswigger, In the direct timing attacks, the malicious actor directly connects to the server and tries to leak secret, application-specific information. “As most web applications are not written with the idea in mind that timing attacks can be highly practical and accurate, we believe many websites are susceptible to timing attacks,” Van Goethem says.

In cross-site timing attacks, the attacker triggers requests to other websites from a victim’s browser and infers private information by observing the sequence of responses. The attackers used this scheme to exploit a vulnerability in the HackerOne bug bounty program and extract information such as keywords used in private reports about unfixed vulnerabilities. “I looked for cases where a timing attack was previously reported but was not considered effective,” Van Goethem says.

“With the new timeless timing attacks, we show that it is in fact possible to exploit the WiFi authentication handshake (EAP-PWD) against servers, even if they use performant hardware,” Van Goethem says.

Timing attack best practices

The researchers have also mentioned the best practices for the timing attack in a GitHub Repository. Timing attacks can be quite tricky to exploit, so it’s best to follow these best practices:

  • Alternate between choosing which request to send first: change between H2Time(r1, r2) and H2Time(r2, r1) to avoid bias that may be introduced by the first request (support for this in is planned)
  • The number of request parameters that are needed may be server-dependent, so it’s best to first experiment with what values work best (for 2 requests that have the same processing time, the distribution of positive & negative timing result should be 50/50)

For more news on tech and cybersecurity stay tuned on Android Rookies by subscribing to our newsletter from here.


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments