
Add a constant-time string comparison function to defuse timing and type-juggling attacks
Closed, Public

Authored by epriestley on Sep 1 2015, 2:18 AM.

Details

Summary

There are two theoretical attacks possible against some of our comparisons, where we check if some user-provided hash matches some secret hash.

The first is a timing attack, which has been previously reported on HackerOne but which I can't demonstrate as feasible even given huge assumptions in favor of the attacker.

In this attack, the attacker provides a secret like "azzz", then "bzzz", then "czzz", etc. They observe how long the responses take. The secret with the correct first character will take a nanosecond longer because the computer must do more work to compare two bytes instead of 1. By making billions (trillions? quadrillions?) of requests and using statistical methods, they can slowly figure out the secret string, at least in theory.

The second is a type-juggling attack, where the attacker provides "0" and hopes to hit a hash in the form "0e1239847934892" so PHP can do nonsense with the string comparison by casting it to a float. This is possible in theory but the window for it is time-bounded in all known cases (e.g., CSRF tokens have 1-hour windows decades or centuries apart, and the times can not be predicted).

Still, we can defuse these completely and make them impossible rather than merely impractical with bytewise, constant time comparisons.

These defuse the timing attack by always taking the same amount of time to compare strings (regardless of how many bytes they have in common) and defuse the type juggling attack by avoiding invocation of type juggling comparisons.

Test Plan

Added and executed unit tests.
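
The two failure modes described in the summary, next to a bytewise constant-time comparison, as an added example that is not the code from this revision or from libphutil. The function name `example_hashes_are_identical` is hypothetical and the sample values are constructed; `hash_equals()` is PHP's built-in equivalent (PHP 5.6 and later).

```php
<?php

/**
 * Hypothetical helper for illustration (not the function this revision added).
 * Compares two strings byte by byte, always touching every byte, and never
 * hands the values to PHP's loose (type-juggling) comparison.
 */
function example_hashes_are_identical($known, $user) {
  // Refuse non-strings so no implicit cast can happen before the comparison.
  if (!is_string($known) || !is_string($user)) {
    throw new InvalidArgumentException('Both hashes must be strings.');
  }

  // Hash lengths are normally fixed and public, so returning early here only
  // reveals the length, not any byte of the secret.
  $len = strlen($known);
  if ($len !== strlen($user)) {
    return false;
  }

  // Accumulate differences with XOR/OR instead of returning at the first
  // mismatch: the loop runs $len iterations whether 0 bytes or all bytes match.
  $diff = 0;
  for ($i = 0; $i < $len; $i++) {
    $diff |= ord($known[$i]) ^ ord($user[$i]);
  }

  return $diff === 0;
}

// Constructed sample values: a secret in the "0e..." form and the guess "0".
$secret = '0e1239847934892';
$guess = '0';

// Loose comparison: both operands are numeric strings, so PHP compares them
// as floats (0 * 10^N versus 0) rather than as byte strings.
var_dump($secret == $guess);

// Bytewise comparison: lengths differ, and no numeric cast is involved.
var_dump(example_hashes_are_identical($secret, $guess));

// Same length, different first byte: the loop still visits every byte.
var_dump(example_hashes_are_identical('azzz', 'bzzz'));

// Built-in constant-time comparison, for reference.
var_dump(hash_equals($secret, $guess));
```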

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Add a constant-time string comparison function to defuse timing and type-juggling attacks.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Sep 1 2015, 2:20 AM
This revision was automatically updated to reflect the committed changes.