Timing-based assault does not require vulnerabilities to breach system
Researchers at Core Security Technologies demonstrated an attack that could allow hackers to extract private information from databases — without requiring any bugs in the database management software.
The demonstration, on Wednesday at Black Hat USA in Las Vegas, involved timing attacks, a technique for breaking ciphers. It’s effective against databases using BTREE, the most popular database indexing algorithm and data structure, and will use MySQL for demonstration purposes, Core researchers said.
Currently, data breaches are usually the result of bugs in front-end web applications or misconfigured authorization and access control permissions, Core said, but the timing attack doesn’t need any such bugs to work.
“The new attack relies solely on the inherent characteristics of the indexing algorithms used by most commercial database management systems,” said Core researchers Ariel Waissbein and Pablo Damian Saura in a note on the presentation.
In cryptography, the timing attack is a technique where the attacker analyses the time taken to execute cryptographic algorithms, using the analysis to discover information about how the cryptographic system is implemented and help find a way to crack the system.
Saura and Waissbein’s approach is similar: their attack involves performing record insertion operations, typically available to all database users — including anonymous users of front-end web applications — and analyzing the time it takes to perform different kinds of insertions.
By analyzing the different timings, attackers can deduce what was inserted previous to the attack, Core said.
On the plus side for organizations with database systems, Core said the attack is “theoretical” and would be difficult to implement, since the attacker would need to have information about the structure and settings of the database to carry it off.
Another complicating factor is that on a “live” database other users could be making insertions at the same time, affecting the results of the timing analysis.
The point is for organizations to be aware that such attacks are possible, so that they can be on their guard, Core said.
The demonstration will include a review of BTREE and will explain how Saura and Waissbein discovered the vulnerability, Core said.