CWE-208: Observable Timing Discrepancy

Description

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.

Example Vulnerable Codes

Example - 1

Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.





assign check_pass[i] = 1;continue;

assign check_pass[i] = 0;break;
if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 - 1) : i])elseend
assign check_pass[3:0] = 4'b0;for (i = 0; i < 4; i++) beginassign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0;
always_comb @ (posedge clk)beginend

Since the code breaks on an incorrect entry of password, an attacker can guess the correct password for that byte-check iteration with few repeat attempts.

To fix this weakness, either the comparison of the entire string should be done all at once, or the attacker is not given an indication whether pass or fail happened by allowing the comparison to run through all bits before the grant_access signal is set.





assign check_pass[i] = 1;continue;

assign check_pass[i] = 0;continue;
if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 -1) : i])elseend
assign check_pass[3:0] = 4'b0;for (i = 0; i < 4; i++) beginassign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0;
always_comb @ (posedge clk)beginend

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-203: Observable Discrepancy
Go to
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Go to
CWE-385: Covert Timing Channel
Go to
CWE-1254: Incorrect Comparison Logic Granularity
Go to

Visit http://cwe.mitre.org/ for more details.