Timeless Timing Attack – Exploiting HTTP/2 For Effective Remote Attacks

A new attack strategy has surfaced online that can enhance the effectiveness of remote timing-based attacks. What they call the timeless timing attack, these attacks execute without being affected by network conditions.

About Timeless Timing Attacks

In a white paper, researchers have shared details about their study on timeless timing attack. This attack strategy remains unaffected by conditions that would otherwise hinder a remote attack. Hence, the strategy enhances the effectiveness of remote-based timing attacks.

Attackers make use of timing attacks to extract sensitive data by exploiting the measurable time difference of execution. These attacks can also target web apps and servers to extract information.

Remote timing-based attacks usually suffer issues because of various technicalities. For instance, the distance between the target server and the adversary, the network congestion at any specified time, and the jitter on the network connection.

However, timeless timing attacks do not rely on timing. Rather they extract information leveraging the concurrency of the execution of two tasks.

Though, this concurrency is again an essential requirement for a successful attack. However, the researchers have devised means to trick network protocols to combine concurrent HTTP/2 requests in a single data packet.

Hence, as the requests arrive one after the other, the tasks execute simultaneously, thus giving the desired concurrency. So, even in case of a network delay, the attack remains unaffected. Then, measuring the time difference between the two provides the desired information.

The researchers presented two threat models, direct and cross-site, to execute the attacks. While direct attacks directly target a website, cross-site attacks exploit victims’ browsers to send malicious JavaScript via cookies.

Through this technique, an adversary can observe the timing difference as small as 100ns.

The researchers demonstrated this attack’s effectiveness for various targets, such as web apps served over HTTP/2 or Tor Onion, and WiFi authentication.

Details about concurrency-based timeless timing attacks are available in the researchers’ white paper.

Attack Limitations

Despite being effective, timeless timing attack also has some pre-requisites for success.

At first, for a successful attack, the concurrent arrival of requests at the target server is necessary. Then, the simultaneous execution of the requests is important. Thirdly, the success depends on the order of the response received to the attacker.

As for the primary limitation of this attack, the baseline requests, the researchers state,

Consider the attack scenario where the timing of a search query is related to the number of returned results. In a sequential timing attack, the adversary would observe higher measurements (barring jitter) for queries returning more results, and from this may be able to estimate the number of search results. Achieving the same with concurrency-based timing attacks is more complicated: instead of inferring the number of search results directly from the timing measurements, the adversary would need to leverage several baseline queries that return a known number of results…
If the adversary is unable to construct baseline requests that return a given number of search results, it would be infeasible to perform the timing attack by levering concurrency.

Likewise, to exploit a TLS handshake, an attacker must have to start two separate TCP connections as concurrent handshakes over a single TCP isn’t possible.

The researchers have developed and shared a Python tool to test HTTP/2 servers for vulnerability to Timeless Timing attacks.

Besides, they will present their findings at the 29th USENIX Security Symposium. It will be a virtual event (due to COVID-19) to be held on August 12-14, 2020.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients