Timing Attack Threat Analysis
Version: 1.0
Last Updated: 2025-01-02
Security Classification: PUBLIC
Overview
Timing attacks exploit variations in execution time to extract sensitive information. These attacks are particularly dangerous because they can be mounted remotely and leave no trace in system logs.
Attack Vectors
Cache Timing Attacks
- Flush+Reload: Monitor cache lines for access patterns
- Prime+Probe: Fill cache and measure evictions
- Evict+Time: Evict data and measure reload time
Branch Prediction Attacks
- Spectre-style: Exploit speculative execution
- BTB attacks: Branch Target Buffer manipulation
Algorithm-Specific Timing
- Table lookups: AES S-box timing
- Modular operations: RSA/ECC scalar multiplication
- Comparison operations: Password/MAC verification
Vulnerable Operations
| Operation | Risk Level | Common In | Mitigation |
|---|---|---|---|
| Table lookups | High | AES, DES | Bitsliced implementation |
| Conditional branches | High | All algorithms | Constant-time selection |
| Division/Modulo | High | RSA, DSA | Montgomery multiplication |
| Memory access | Medium | All algorithms | Cache-oblivious algorithms |
| Floating-point | Medium | Falcon, NTRU | Fixed-point arithmetic |
Mitigation Strategies
Constant-Time Implementation
```c
// Bad: Timing depends on secret
if (secret_bit) {
    operation_a();
} else {
    operation_b();
}

// Good: Constant-time selection
result = ct_select(secret_bit, value_a, value_b);
```
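The branch-free selection above, together with the MAC comparison and table lookup cases listed under Attack Vectors, as an added C example (not code from this document's project). `ct_mask`, `ct_memeq` and `ct_lookup` are hypothetical helper names, and the sample table is constructed. A compiler may still reintroduce branches, so check the generated binary with the tools listed under Detection Methods.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Expand a secret bit (0 or 1) into an all-zeros or all-ones mask, no branch. */
static uint32_t ct_mask(uint32_t bit) { return (uint32_t)0 - (bit & 1u); }

/* Return a when bit == 1 and b when bit == 0; both values are always read. */
uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b)
{
    uint32_t m = ct_mask(bit);
    return (a & m) | (b & ~m);
}

/* Compare two equal-length buffers (e.g. MAC tags). Always walks all len
 * bytes, so run time does not reveal the position of the first mismatch. */
int ct_memeq(const void *x, const void *y, size_t len)
{
    const volatile unsigned char *p = x;
    const volatile unsigned char *q = y;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= p[i] ^ q[i];
    /* diff == 0 -> 1, diff != 0 -> 0, computed arithmetically. */
    return (int)(1u & (((uint32_t)diff - 1u) >> 8));
}

/* Read table[idx] while touching every entry, so the memory access
 * pattern (and therefore cache state) is independent of the secret index. */
uint32_t ct_lookup(const uint32_t *table, size_t n, size_t idx)
{
    uint32_t r = 0;
    for (size_t i = 0; i < n; i++) {
        size_t d = i ^ idx;
        /* Top bit of (d | -d) is set iff d != 0; invert to get "i == idx". */
        uint32_t eq = (uint32_t)(((d | ((size_t)0 - d)) >> (sizeof d * CHAR_BIT - 1)) ^ 1u);
        r |= table[i] & ct_mask(eq);
    }
    return r;
}

int main(void)
{
    const uint32_t table[4] = {10, 20, 30, 40}; /* constructed sample data */
    printf("select=%u lookup=%u\n", (unsigned)ct_select(1, 7, 9), (unsigned)ct_lookup(table, 4, 2));
    printf("memeq=%d\n", ct_memeq("tag-0123", "tag-0124", 8));
    return 0;
}
```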
Cache-Line Alignment
- Align sensitive data to cache boundaries
- Use full cache lines for lookups
- Implement scatter-gather techniques
Blinding Techniques
- Add random delays (limited effectiveness)
- Randomize execution order
- Use masking for intermediate values
Platform-Specific Considerations
x86/x64
- Use AES-NI for constant-time AES
- Avoid variable-time instructions (DIV, IDIV)
- Consider TSX for atomic operations
ARM
- Use NEON for constant-time operations
- Beware of early termination in multiplication
- Utilize cryptographic extensions when available
WebAssembly
- Limited timing precision (mitigation)
- No direct cache control
- Rely on runtime protections
Detection Methods
- Statistical Analysis: Measure timing distributions
- Differential Testing: Compare implementations
- Automated Tools: dudect, ctgrind, MemorySanitizer
- Manual Review: Code inspection for branches
Real-World Examples
- Lucky Thirteen (2013): TLS CBC padding oracle
- CacheBleed (2016): OpenSSL RSA key extraction
- Minerva (2019): ECDSA timing attack
- Hertzbleed (2022): Frequency scaling side-channel