Security News > 2020 > July > New Attack Leverages HTTP/2 for Effective Remote Timing Side-Channel Leaks
Since measuring the time taken to execute cryptographic algorithms is crucial to carrying out a timing attack and consequently leak information, the jitter on the network path from the attacker to the server can make it impractical to successfully exploit timing side-channels that rely on a small difference in execution time.
The new method, called Timeless Timing Attacks by researchers from DistriNet Research Group and New York University Abu Dhabi, instead leverages multiplexing of network protocols and concurrent execution by applications, thus making the attacks immune to network conditions.
"These concurrency-based timing attacks infer a relative timing difference by analyzing the order in which responses are returned, and thus do not rely on any absolute timing information," the researchers said.
Using HTTP/2's Request Multiplexing to Reduce Jitter Unlike the typical timing-based attacks, wherein the execution times are measured independently and sequentially, the latest technique attempts to extract information from the order and the relative timing difference between two concurrently executed requests without relying on any timing information.
"The smallest timing difference that we could observe in a traditional timing attack over the Internet was 10μs, 100 times higher than our concurrency-based attack."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/5dvftYNf1vo/http2-timing-side-channel-attacks.html