8311034 2002-04-18 09:45 -0500 /347 rader/ Mauro Lacy <maurol@mail.com> Sänt av: joel@lysator.liu.se Importerad: 2002-04-19 04:13 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <21944> Ärende: Remote Timing Techniques over TCP/IP ------------------------------------------------------------ From: "Mauro Lacy" <maurol@mail.com> To: bugtraq@securityfocus.com Message-ID: <20020418144616.97515.qmail@mail.com> Please consider this paper for publication. Thanks, Mauro P.S.: here is a pdf version http://maurol.com.ar/security/RTT.pdf REMOTE TIMING TECHNIQUES Introduction This paper describes remote timing techniques based on TCP/IP intrinsic operation and options. The techniques are used for careful observation of the TCP/IP data stream to detect timing differences in the operation of the remote application and relate them to selected data and/or phenomena. Basics The methods will be made clear with a practical example, developed in this paper. Suppose that we want to know if a given username exists or not in a remote system. What we can attempt to do is to carefully look for processing timing differences in the remote logon process, between the path taken by the remote application when a given username exists, and when it doesn't. If we find a statistical difference (no matter how small) between the two instances, we can determine if the username exists or not. For this method to work, some conditions must be met. First of all, a relatively appreciable difference in the processing times of the two different processing paths must exist. If this difference exists, the problem now is, how can we get a detailed estimation of the remote processing times of each processing path, given such facts as variable network latency and packet loss, variable loads on the remote system, local factors, and such. Causes of Appreciable Processing Time Differences The initial cause of timing differences must be, of course, the application's different processing paths itself. Now, for this difference to become appreciable, some slow event must occur in one of the paths and not in the other. A typical "slow event" in a computer, is disk access. Other main cause of "slowness" is the computer itself. The examples in this paper were tested on relatively "slow" (old) computers, and could not be reproducible in all environments. Remote Timing Techniques (RTT) Timestamps Timestamps were added to TCP to allow precise estimation of the Round Trip Time (RTT), which is necessary on high bandwidth networks to avoid data loss and/or congestion. As a side effect, they also allow (at least in some implementations), "precise" estimation of remote processing times, given birth to a series of new techniques, which we will also denominate RTT (Remote Timing Techniques). For a detailed description of timestamps, see RFC 1323. The precision of the estimation depends on the frequency of the timestamp clock, which according to the RFC can vary from 1ms to 1sec. The implementation differences in the frequency of this clock are what render the method useful (or not) with respect to the techniques described here. In Appendix A you will find a table with the different timestamp clock frequencies by operating system. Incidentally, timestamps can also be used in some cases to know the uptime of the remote system, and/or to distinguish between different systems in a load balanced environment. See Appendix B for references. Timestamps are a relatively new addition to the TCP/IP protocols (1992, see RFC 1323), and are consequently not supported by all operating systems, are also not enabled by default in some OSs, and lastly, their implementation make timestamps not always useful with regard to the techniques described here. TCP Intrinsic Operation The other method found, which is in some cases much more "precise" (and therefore useful) than timestamps to discriminate between two different remote paths of execution, is related to the intrinsic operation of the TCP/IP protocol. It is simply the fact that the ACK and "PUSH" flags can be sent together in the same packet, depending on if the application layer had passed the data or not to the TCP stack for delivery before the stack "ACKs" a previously received segment from the client. That is, if the server stack has something to ACK and at the same time has some data to send to the client, it "ACKs" and "PUSH" at the same time (in the same packet), but if the application is busy doing some other slow thing (like writing to disk) and didn't pass the data to the TCP stack quickly, the TCP stack sends a packet with only the pending ACKS (no data) and this difference can be easily detected on the client side. This technique is in some cases even better than timestamps, due to the fact that its "frequency" depends on the implementation of the TCP stack itself, and must be much faster (I don't know with certainty) than typical timestamp clocks. Moreover, this "frequency" is probably not fixed (i.e.: 100/se! c) but depends on the speed of the processor, and its "precision" increases accordingly when the processing speed increases. The other advantage of this technique is that is common to all TCP implementations, and is therefore always "enabled" and available in all systems with a TCP stack. Due that the timestamp information and the ACK and PUSH states depend completely on the operation of the remote system, and are passed to the client side as a kind of "snapshot" of the remote system, these methods are completely immune to network latency variations. They are also statistically immune to packet loss and load variations, and to other variable factors (disk IO, buffer cache, etc) being anyways necessary to increase the number of probes in case of small differences and/or great variations in the aforementioned factors. Through careful examination of the behavior of the TCP data flow, observing the TCP headers at the right moments, is possible to statistically determine (by example) if a given username exists or not on a remote system, under the particular circumstances detailed below. Proof of Concept This example was tried successfully in two Linux boxes, one with Suse 7.0 (kernel 2.2.16) and the other with RedHat 6.2 with kernel 2.2.12. Both machines are relatively "old" machines, a Pentium II 366 and a Pentium MMX 233, both with standard IDE disks. Many tests remain to be done, but I dare to say that the essential point seems to be mostly software related, that is, related to the way the remote application or service is written, than to the hardware used. The techniques can be tried on any type of authentication process over TCP. Other uses of these techniques can also be found. Linux has a timestamp clock frequency of 1000/s (1ms), which isn't very good, but is anyways useful. Delays greater than 1ms are typical of hard disks, and from the point of view of the application they remain statistically greater than 1ms independently of the buffer cache (at least with IDE disks). Apropos, Cisco IOS implements a timestamp clock period of .1ms(!), although timestamps are disabled by default. Description of Operation Tcpdump is run in the background to capture the specific data flow (a telnet logon session) and an automated telnet session is initiated against the remote system, with a chosen username/password pair. The password is used as a mark in the stream. The specific point at which the analysis must be made is detected (using the password mark), and the script outputs the TCP flags and the remote timestamp differences at that point. The later is possible due to the fact that Linux had timestamps enabled by default (2.2.x kernels) and also because it sends timestamps in both directions (encouraged by the RFC for simplicity). If you note statistical differences between probes with a known to exist username (root, bin, lp, sys, etc) and probes with a known to be un-existent username (i.e.: dskhjgfjh), the remote system is vulnerable. The number of probes doesn't need to be very large (between 1 and 20) but in case of small differences, could be necessary to increase them. The probes will generate logs in the remote system (indeed, the processing time involved with these logs could be one of the causes of the timing differences) and, as long as you made more probes, more logs will be generated. Statistical Differences Detected - In this particular example, in case that the username exits on the remote system, the first packet sent by the remote system after the password was sent by the client, tends to be an "empty" (no data) ACK packet. This does not happen always, and some probes need to be done. Due to the fact that the data arrives almost always just a little bit later from the application layer to the TCP stack, and is then almost immediately sent to the client, the difference of the timestamps of the data packet and the previous ACK packet tends to zero in these cases. - In case that the username does not exist, the packet tends to be a data packet (ACK+"PUSH"). The timestamp differences with the next packet (typically other ACK+data packet, the next "login:" banner) tend to be relatively big. So, when the username exists, the mean of the timestamp differences of the probes tend to be smaller than the mean of the differences if the username does not exist. If timestamps are not enabled, you can detect the difference anyway (!): The number of times you'll see an "empty" (no application data) ACK packet (again at the right place of the data stream) will be greater if the username exist than the number of times you'll see it if the username doesn't exist. Of course, even without this information, the difference could be statistically detected anyway. More (maybe many more) probes will be necessary, to overcome the measurement errors introduced mainly by network latency variations. On networks with high latency variations, this could yield the "attack" highly unpractical. The techniques described here are useful to diminish the measurement errors over TCP network links, diminishing then the number of probes or samples necessary to detect a timing difference, thus yielding some otherwise unfeasible or expensive attacks feasible. Other Services Other tested services known to be vulnerable to this kind of "attack" are: - rlogin: rlogind also gives us the same information, but after two passwords are entered. (In the pause between the second password entry and the "Login incorrect" message. As long as the standard rlogin command "clears" its standard input before asking for a password, no automation is possible without replacing it with other version or reproducing the protocol manually. - ftp: wu-ftp seems to be vulnerable also, just after entering the username (after the USER command). A slight difference of around 1ms was statistically detected using the timestamp information, on the Suse distribution. Services that remain to be tested: - imap - pop - rexec - Auth services over http. - ssh: ssh (or any other encrypted protocol) is a particular case, due to the fact that an eavesdropping attack makes sense in these cases. The techniques described here could be used (by example) to extend Paul Kocher attack (see References) over a network protocol (i.e. to make the attack remotely possible). - ... All tests were done only on Linux, mainly on the machine with the Suse distribution. Other operating systems and services remain to be tested. Probable cause of the differences The probable cause (not verified) of the differences in both systems seems to be the difference in the logging done trough syslog if the username exists or if not. In the Suse distribution, particularly, faillog logging is enabled by default, and this logging occurs only if the username exists (and the logon failed, of course). Other probable (also unverified) cause of the differences could lie inside the implementation of the various pam modules on which Linux authentication depends. If pam were the cause, the same effect would have to be observable in all the services that relay on pam for authentication (the default). Possible Solutions As long as at least one of the techniques depends on the intrinsic operation of the TCP stacks, no easy solution seems to be available. With regard to timestamps, a partial solution would be to increase the period of the timestamp clock, let's say, to 50ms or more. But probably, statistical differences would show up in the long term. The "problem" of the intrinsic operation of the TCP stack would still remain. The only definitive solution seems to be to modify the code of the vulnerable services, in order to avoid the "leaking" of timing information, by example introducing random delays, or better, always sending data packets to the client with no pending ACKS in them (and random delays for timestamps). A "send" function with these characteristics wouldn't be so difficult to write and use. Other Applications And Uses I'll quote here a comment by Paul Kocher, who told me in a private communication "You might want to try some ... statistical attacks ... ... -- using them, even very tiny differences (<1 us) can be resolved even if there is quite a lot of measurement error (>1 ms)... . The general math required is quite simple - you'd want to look for the difference between the *average* time when [for example] n bytes of a password are correct and the average time when n+1 bytes of the password are correct." That is, the only necessary thing to detect a timing difference is to take enough samples or to make enough probes for the difference to become statistically appreciable. The number of probes or samples will be directly proportional to the measurement error (that is, to the variance of the measurements), and inversely proportional to the variance of the timing difference to detect (from Kocher paper). I want to make clear here, before generating unnecessary alarms, that Mr. Kocher is talking about an hypothetical case. At least in Unix, passwords can't be revealed this way due to the fact that in the encryption process the correlation between clear text and encrypted password is lost; an incorrect clear text password "closer" to a correct one, does not yield an encrypted password closer to the real encrypted password. Thus, no "password approximation" is possible. An obvious practical use of these techniques is as an addition to, for example, a brute force username/password tester, to avoid trying username/password combinations with an inexistent username. The program could start testing username/password pairs normally, at the same time that it monitors the data flow to statistically detect the actual username existence or inexistence, changing its behavior accordingly. Timestamps could also be used to precisely measure inter keystroke timings of an interactive encrypted session; so, they can be used, by example, to greatly improve the efficiency and precision of the "Herbivore" system (see Wagner et al), especially over networks links with big latency variations. Other uses of these techniques could be discovered or developed. (directory and/or file discovery?, fingerprinting issues?, ...?). Generally speaking, whenever a timing difference is identified(by source code analysis, by example), RTT could be used to "measure" or detect that difference remotely over TCP. Source code The appendix B contains scripts that will do the hard work for you. You probably would have to make some manual adjustments, mainly the interface name(s), needed by tcpdump. The scripts were written without taking into account security practices (i.e. writing "secure" code). They are probably even remotely exploitable. Conclusions Although the particular example shown here does not yield a great deal of information (just the knowledge of if a given user exists or not on a remote system) and is successful only if a series of conditions are met, the techniques used to know this little bit of information are new (as far as I know), and probably they could be used in many other ways. TCP timestamps could yield a "precise" timing of the remote processing paths, what can be potentially useful for many different purposes. In particular, some operating systems seem to have a much more precise timestamp clock than Linux, and this open new possibilities to experimentation. On the other side, given the fact that one of the techniques (observing TCP flags) is intrinsic to TCP operation, its application is feasible wherever a TCP connection is being used. Acknowledgments Thanks to David Wagner, Paul Kocher and Brett McDanel for their suggestions and comments. Appendix A: Table of Operating Systems and Timestamp Clock Frequency. See Bret McDanel Work (Appendix B) Appendix B: References and Related Works RFC 1323 http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1323.html Bret McDanel Paper on Timestamps http://www.mcdanel.com/bret/research/tcp_timestamp.jsp Paul Kocher Timing Attack Paper http://www.cryptography.com/timingattack/paper.html Dawn Xiaodong Song, David Wagner and Xuqing Tian Paper on Timing Attacks on SSH http://www.usenix.org/publications/library/proceedings/sec01/song.html PDF Version of this Paper http://www.maurol.com.ar/security/RTT.pdf Appendix C: Source Code -------------------------------------------------------------rtt.sh----------------------------------------------------------------------- #!/bin/bash # Probe a telnet service using remote timing techniques # to determine if a user exist or not. # Proof of Concept code. # (C) 2002 maurol (maurol@mail.com) # Customize these if needed: LOOPBACK=lo LAN=eth0 #WAN=eth0 WAN=ppp0 # Default interface to listen to #IFACE=$LAN IFACE=$WAN # Default port PORT=23 # Default number of probes COUNT=10 # Time in seconds to wait before sending the username. For slow links # and/or no reverse dns resolution this could be as big as 25. LAN_SLEEP=1 WAN_SLEEP=6 #SLEEP=$LAN_SLEEP SLEEP=$WAN_SLEEP if [ $# -lt 2 ] then echo "Usage: $0 <ip> <user> [count] [sleep]" echo "ip : IP address of remote system." echo "user : Username to probe." echo "count: Number of probes." echo "sleep: Initial sleep in seconds." exit 1 fi HOST=$1 USER=$2 [ "$HOST" = "127.0.0.1" ] && IFACE=$LOOPBACK if echo $HOST | grep -E "^10\.|^192\.168\." >/dev/null then IFACE=$LAN fi [ "$IFACE" = "$LOOPBACK" ] && SLEEP=$LAN_SLEEP [ "$IFACE" = "$LAN" ] && SLEEP=$LAN_SLEEP [ "$IFACE" = "$WAN" ] && SLEEP=$WAN_SLEEP PASS=zzzzz export PASS [ -z "$3" ] || COUNT=$3 [ -z "$4" ] || SLEEP=$4 export IFACE HOST PORT USER MEAN=./mean VAR=./var [ -x $MEAN ] || cc -o mean mean.c #[ -x $VAR ] || cc -o var -lm var.c >tests.$USER c=0 while [ $c -lt $COUNT ] do # Launch the capture script in the background (./capture.sh >/tmp/regs.$$ ; ./dif.sh /tmp/regs.$$ | tee -a tests.$USER; rm -f /tmp/regs.$$) & # Start telnet session (sleep $SLEEP; echo $USER; sleep 1 ; echo $PASS ; sleep 3)| telnet $HOST c=`expr $c + 1` sleep 1 done echo ( cat tests.$USER | egrep -v "^[ ]*$" echo -n "mean: " ; cat tests.$USER | egrep -v "^[ ]*$" | $MEAN 2 ;echo #echo -n "var.: " ; cat tests.$USER | egrep -v "^[ ]*$" | ./var.sh 2 ;echo ) | tee stats.$USER ; rm -f tests.$USER ----------------------------------------------------------------capture.sh--------------------------------------------------------------------- #!/bin/bash # Captures the telnet session and seeks the useful timestamps and flags. HEX=/usr/bin/hex TCPDUMP=/usr/sbin/tcpdump if [ -x $HEX ] then PATTERN=`echo $PASS | $HEX -w 3 -g | head -1 | sed "s/^[^ ]* //;s/ //" | cut -c-7| sed "s/[ ]*$//"` else PATTERN="7a7a 7a" # "zz z" ;-) fi if [ -x $TCPDUMP ] then $TCPDUMP -l -n -n -i $IFACE -x port $PORT > /tmp/lst & else echo "$TCPDUMP not found or not executable!" exit 1 fi sleep 2 while ! grep "$PATTERN" /tmp/lst >/dev/null do sleep 1 done sleep 3 sed -n "/$PATTERN/,\$p" /tmp/lst | grep "$HOST.$PORT >" | sort -u | head -2 | sed "s/^.*$HOST.$PORT >//" | awk '{print $2" "$8" "$9}' killall tcpdump rm -f /tmp/lst --------------------------------------------------------------------dif.sh---------------------------------------------------------------------- #!/bin/bash FLG1=`head -1 $1 |awk '{print $1}'` TS1=`head -1 $1 | grep timestamp | awk '{print $3}'` FLG2=`head -2 $1 |tail -1 |awk '{print $1}'` TS2=`head -2 $1 |tail -1 | grep timestamp | awk '{print $3}'` DIF1="-" [ -z "$TS1" ] || [ -z "$TS2" ] || DIF1=`expr $TS2 - $TS1` echo "$FLG1 $DIF1" --------------------------------------------------------------------mean.c---------------------------------------------------------------------- #include <stdio.h> #include <stdlib.h> #define MAXLINE 1024 #define MAXVAL MAXLINE main(int argc, char **argv) { int col=1,c=0,v=0; float s=0; float va; char *line,*pline, *val; line=(char *)malloc(MAXLINE); val =(char *)malloc(MAXVAL); pline=line; if (argc>1) col=atoi(argv[1]); while (line=fgets(line, MAXLINE, stdin)) { for(v=0;v<col;v++) val=strsep(&line, " "); line=pline; if (val[0] == '\0') continue; va=strtod(val,NULL); s=s+va; c++; } printf("%.6f ", s/c); } Source Code Download http://www.maurol.com.ar/security/rtt.tgz Author Mauro Lacy (maurol@mail.com) -- _______________________________________________ Sign-up for your own FREE Personalized E-mail at Mail.com http://www.mail.com/?sr=signup (8311034) /Mauro Lacy <maurol@mail.com>/--(Ombruten) Kommentar i text 8311037 av Exportören 8314953 2002-04-19 06:06 +0200 /39 rader/ Syzop <syz@dds.nl> Sänt av: joel@lysator.liu.se Importerad: 2002-04-19 20:30 av Brevbäraren Extern mottagare: Mauro Lacy <maurol@mail.com> Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <21955> Kommentar till text 8311034 av Mauro Lacy <maurol@mail.com> Ärende: Re: Remote Timing Techniques over TCP/IP ------------------------------------------------------------ From: Syzop <syz@dds.nl> To: Mauro Lacy <maurol@mail.com>, bugtraq@securityfocus.com Message-ID: <3CBF97B9.5150735@dds.nl> Hi, Mauro Lacy wrote: > This paper describes remote timing techniques based on TCP/IP intrinsic operation and options. The techniques are used for careful observation of the TCP/IP data stream to detect timing differences in the operation of the remote application and relate them to selected data and/or phenomena. This reminds me of http://online.securityfocus.com/archive/82/185167 (+see the thread) which also discusses something like this (timing techniques) and the "additional noise" such as task switches, etc. > I'll quote here a comment by Paul Kocher, who told me in a private communication > > "You might want to try some ... statistical attacks ... > ... -- using them, even very tiny differences (<1 us) can > be resolved even if there is quite a lot of measurement error > (>1 ms)... . The general math required > is quite simple - you'd want to look for the difference between > the *average* time when [for example] n bytes of a password > are correct and the average time when n+1 bytes of the password > are correct." I also remember this reply with another aproach to this problem: (from http://online.securityfocus.com/archive/82/186161 ) Quote: > Why noise-filtering? Since there seem to be no invalid low numbers, > just take the minimum of a certain amount of tries (1000, 10000) > and check whether those give you a clue -- i.e. try to find > the ones with the lowest noise and compare them. I didn't read this all yet (it's a bit late), but it looks very interresting... Bram Matthys. (8314953) /Syzop <syz@dds.nl>/------------(Ombruten) 8314975 2002-04-19 05:28 +0400 /28 rader/ Solar Designer <solar@openwall.com> Sänt av: joel@lysator.liu.se Importerad: 2002-04-19 20:39 av Brevbäraren Extern mottagare: Mauro Lacy <maurol@mail.com> Extern kopiemottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <21956> Kommentar till text 8311034 av Mauro Lacy <maurol@mail.com> Ärende: Re: Remote Timing Techniques over TCP/IP ------------------------------------------------------------ From: Solar Designer <solar@openwall.com> To: Mauro Lacy <maurol@mail.com> Cc: bugtraq@securityfocus.com Message-ID: <20020419052810.A25205@openwall.com> On Thu, Apr 18, 2002 at 09:45:53AM -0500, Mauro Lacy wrote: > REMOTE TIMING TECHNIQUES It's good to see this kind of weaknesses to start being publicized. I know there's another similar paper to be published soon. We've been discussing the possibility to apply a variation of Kocher's attack against SSH clients w/ RSA/DSA authentication (where a malicious server would obtain the client's private key and be able to use that against another server) with Markus and Niels of OpenSSH just recently. I don't see how a client -> server attack against SSH would be possible (other than on usernames and such). The leak of usernames is of course the most obvious example, pretty much every service is affected. Of course we avoid leaks like that in our code (popa3d, pam_tcb on Owl), but we haven't fixed our system libraries (such as glibc's NSS modules) yet and those are used by all services. -- /sd (8314975) /Solar Designer <solar@openwall.com>/(Ombruten) Kommentar i text 8318473 av stealth <stealth@segfault.net> 8318473 2002-04-20 16:45 +0000 /36 rader/ stealth <stealth@segfault.net> Sänt av: joel@lysator.liu.se Importerad: 2002-04-20 21:04 av Brevbäraren Extern mottagare: Solar Designer <solar@openwall.com> Extern kopiemottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <21979> Kommentar till text 8314975 av Solar Designer <solar@openwall.com> Ärende: Re: Remote Timing Techniques over TCP/IP ------------------------------------------------------------ From: stealth <stealth@segfault.net> To: Solar Designer <solar@openwall.com> Cc: bugtraq@securityfocus.com Message-ID: <20020420164507.GB5408@segfault.net> On Fri, Apr 19, 2002 at 05:28:10AM +0400, Solar Designer wrote: > On Thu, Apr 18, 2002 at 09:45:53AM -0500, Mauro Lacy wrote: > > REMOTE TIMING TECHNIQUES > > It's good to see this kind of weaknesses to start being publicized. I > know there's another similar paper to be published soon. > > We've been discussing the possibility to apply a variation of Kocher's > attack against SSH clients w/ RSA/DSA authentication (where a malicious > server would obtain the client's private key and be able to use that > against another server) with Markus and Niels of OpenSSH just recently. > > I don't see how a client -> server attack against SSH would be possible > (other than on usernames and such). > > The leak of usernames is of course the most obvious example, pretty much > every service is affected. Of course we avoid leaks like that in our > code (popa3d, pam_tcb on Owl), but we haven't fixed our system libraries > (such as glibc's NSS modules) yet and those are used by all services. Probably speaking of http://stealth.7350.org/epta.tgz which describes timing-weaknesses in UNIX daemons+libs. ;-) It also contains some sourcecode which demonstrates that these attacks are possible. Maybe one is able to join all the stuff ;-) regards, S. (8318473) /stealth <stealth@segfault.net>/----------