Corgea LogoCorgea Security Hub

CWE-208: Observable Timing Discrepancy

Learn about CWE-208 (Observable Timing Discrepancy), its security impact, exploitation methods, and prevention guidelines.

What is Observable Timing Discrepancy?

• Overview: Observable Timing Discrepancy occurs when different operations in a software product take varying amounts of time to complete, revealing security-sensitive information based on these timing differences. This can allow attackers to infer details about the system's internal state or operations.

• Exploitation Methods:

  • Attackers can measure the time taken by different operations to gather clues about sensitive information, such as whether an operation was successful.
  • Common attack patterns include timing attacks where attackers repeatedly measure response times to deduce private cryptographic keys or authentication credentials.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive information, such as cryptographic keys or user credentials.
  • Potential cascading effects include further compromise of system integrity and privacy violations if foundational security mechanisms are breached.
  • Business impact may involve data breaches, financial loss, legal issues, and reputational damage due to the exposure of confidential information.

• Prevention Guidelines:

  • Specific code-level fixes involve ensuring that execution time does not vary based on sensitive information, such as using constant-time algorithms for cryptographic operations.
  • Security best practices include minimizing information leakage through side channels and conducting thorough security testing to identify timing discrepancies.
  • Recommended tools and frameworks include using libraries and frameworks that implement secure coding practices and offer built-in protection against timing attacks, such as cryptographic libraries that ensure constant-time execution.
Corgea can automatically detect and fix Observable Timing Discrepancy in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import time

def authenticate(user_input, valid_password):
    # This comparison will take a varying amount of time depending on whether the input matches the password
    if user_input == valid_password:
        return True
    else:
        return False

# Example usage
user_input = "user_password_attempt"
valid_password = "secure_password"

if authenticate(user_input, valid_password):
    print("Authenticated")
else:
    print("Authentication Failed")

Explanation:

  • Timing Attack Vulnerability: The comparison user_input == valid_password is vulnerable to timing attacks because the time it takes to complete depends on how much of the input matches the valid password. An attacker could exploit this by measuring the response time to deduce the correct password character by character.

How to fix Observable Timing Discrepancy?

To mitigate this vulnerability, we need to ensure that the time taken to compare two strings is constant, regardless of how many characters match. This can be achieved by using a timing-safe comparison function that processes all characters in both strings and ensures that the timing does not depend on the actual content of the strings.

Fix Approach:

  • Use a Constant-Time Comparison Function: Implement a function that compares two strings and ensures the same execution time for all input cases by iterating through all characters and performing operations that do not short-circuit.

Fixed Code Example

import hmac

def authenticate(user_input, valid_password):
    # Use hmac.compare_digest for a constant-time comparison
    # This function is designed to prevent timing attacks by ensuring the comparison time
    # does not vary with the number of matching characters.
    if hmac.compare_digest(user_input, valid_password):
        return True
    else:
        return False

# Example usage remains the same
user_input = "user_password_attempt"
valid_password = "secure_password"

if authenticate(user_input, valid_password):
    print("Authenticated")
else:
    print("Authentication Failed")

Explanation:

  • HMAC Constant-Time Comparison: The hmac.compare_digest() function is used to compare the strings in a way that is resistant to timing attacks. This function ensures that the time taken to compare the strings is not dependent on the contents of the strings, thus eliminating the timing discrepancy vulnerability. This is a best practice for secure string comparisons in Python, especially when dealing with sensitive data like passwords.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-208: Observable Timing Discrepancy and get remediation guidance

Start for free and no credit card needed.