Peter Eisentraut wrote:
On Thursday, 2 August 2007 13:31, Robert Bernier wrote:
New timing attack doesn't need application bugs to work
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&newsid=4344
This is complete BS, as evidenced by this statement:
"""
their attack involves performing record insertion operations, typically
available to all database users - including anonymous users of front-end web
applications - and analysing the time it takes to perform different kinds of
insertions.
"""
In principle, attacks of this kind would be possible, but it's not quite as
simple as they make it appear.
In addition, the only information I can see getting out of this sort of attack is the number of entries in the table, and *maybe* the sizes (but not the contents) of the individual fields or rows. In the cryptographic sense, this is leaking information, but I'm not sure most people would be that worried about this information leaking. Foobar Inc. may be very secretive about their customer list - but knowing that they have exactly 12,345 customers, and that customer 1's name is 12 characters long, etc., doesn't tell their competitors much.
In addition, I bet the presence of optimizations, like the WAL or vacuuming in PostgreSQL, significantly complicates the analysis. At which point you don't need to be all that vigilant against this sort of attack - for it to work, the attacker would have to run so many queries and/or inserts against the database that they'd be blatantly obvious. If someone wants to suck down all your database bandwidth for months at a shot, then you probably need to talk to them, even if they're not trying to perform a timing attack on the database...
Brian