
Add a constant-time string comparison function to defuse timing and type…

Authored by epriestley <git@epriestley.com> on Sep 2 2015, 00:42.

Description

Add a constant-time string comparison function to defuse timing and type-juggling attacks

Summary:
There are two theoretical attacks possible against some of our comparisons, where we check if some user-provided hash matches some secret hash.

The first is a timing attack, which has been previously reported on HackerOne but which I can't demonstrate as feasible even given huge assumptions in favor of the attacker.

In this attack, the attacker provides a secret like "azzz", then "bzzz", then "czzz", etc. They observe how long the responses take. The secret with the correct first character will take a nanosecond longer because the computer must do more work to compare two bytes instead of 1. By making billions (trillions? quadrillions?) of requests and using statistical methods, they can slowly figure out the secret string, at least in theory.

The second is a type-juggling attack, where the attacker provides "0" and hopes to hit a hash in the form "0e1239847934892" so PHP can do nonsense with the string comparison by casting it to a float. This is possible in theory but the window for it is time-bounded in all known cases (e.g., CSRF tokens have 1-hour windows decades or centuries apart, and the times can not be predicted).

Still, we can defuse these completely and make them impossible rather than merely impractical with bytewise, constant time comparisons.

These defuse the timing attack by always taking the same amount of time to compare strings (regardless of how many bytes they have in common) and defuse the type juggling attack by avoiding invocation of type juggling comparisons.

Test Plan: Added and executed unit tests.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D14025
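
The two comparison behaviours described in the commit message, shown side by side in PHP. This is an added example, not the code from this commit: the function name `example_hashes_are_identical` and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration. The helper name is hypothetical and is not the
// function introduced by this commit.

function example_hashes_are_identical($u, $v) {
  // Accept strings only, so PHP never applies numeric or loose
  // comparison rules to either operand.
  if (!is_string($u) || !is_string($v)) {
    throw new InvalidArgumentException('Both hashes must be strings.');
  }

  // Length is not treated as secret here: hashes of one kind have a
  // fixed, publicly known length.
  $len = strlen($u);
  if ($len !== strlen($v)) {
    return false;
  }

  // XOR every byte pair and OR the results together. The loop always
  // runs over all bytes, with no early exit at the first mismatch, so
  // the work done does not depend on how many leading bytes agree.
  $bits = 0;
  for ($ii = 0; $ii < $len; $ii++) {
    $bits |= (ord($u[$ii]) ^ ord($v[$ii]));
  }

  return ($bits === 0);
}

// Constructed sample values. The secret has the "0e..." form quoted in
// the commit message; the guess is the attacker-supplied "0".
$secret = '0e1239847934892';
$guess = '0';

// Loose comparison: both operands are numeric strings, so PHP compares
// them as numbers and the guess is accepted as matching the secret.
var_dump($guess == $secret);

// Bytewise comparison: the lengths differ, so the guess is rejected.
var_dump(example_hashes_are_identical($guess, $secret));

// Only an identical byte string is accepted.
var_dump(example_hashes_are_identical('0e1239847934892', $secret));
```

On PHP 5.6 and later, the built-in `hash_equals()` performs a timing-safe string comparison and can be used in place of a hand-written loop.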

Details

Committed
epriestley <git@epriestley.com> Sep 2 2015, 00:42
Pushed
aubort Mar 17 2017, 12:03
Parents
rPHUe25f49d45494: Fix XHPAST Makefile on OS X
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHUece08d9d1300: Add a constant-time string comparison function to defuse timing and type… (authored by epriestley <git@epriestley.com>). Sep 2 2015, 00:42