August 16, 2007
Countdown to database timing attacks
I didn't have a chance to see Core Security Researcher Ariel Waissbein's presentation on database timing attacks at Black Hat, but he promised to explain it to me in detail when we bumped into each other here in Boston last week at the Usenix Security Symposium.
The affable researcher's approach -- a proof-of-concept exercise that allows an attacker to extract private data from a database by performing mere record insertion operations -- is a pretty interesting and fairly low-tech example of how someone could potentially scoop credit card numbers or passwords out of a commercially available database using not much more than their own smarts and a little technical footwork.
The technique has so far been carried out successfully in Core's labs against a MySQL database; Waissbein said the company is now testing it against popular Oracle and Microsoft databases, among others, to see whether it works there too, and he expects that it should.
Core is also developing similar test attacks that may find their way into future iterations of its automated pen testing products.
Here's how it works, according to Ariel:
"Usually the way that a database works with applications is that it holds the information and can be searched, but has only a few controls that can be carried out by unprivileged users, such as for creating new user accounts."
"We created attacks that create new tables, and by doing this and measuring the timing of the insertion process, an attacker can deduce where the secret entries might be, such as for usernames and passwords."
"So, say you register with a site supported by the database several times. By inserting a table and storing several passwords -- you can then essentially measure the timing and get access to all the passwords."
"You could try to do the same thing using a brute force attack, but this is far less time consuming."
Basically, Waissbein highlights the fact that databases are typically designed, using so-called B-trees (the most common indexing data structure used by database engines), to make sensitive information -- such as credit card data in an e-commerce transaction database -- available to applications as efficiently as possible.
All the entries in a particular column in the database typically have the same values, so they can be unearthed by going after the stored information in the different nodes of a tree.
Those structures can then be exploited to guess how many values there might be in one node -- with each node typically storing several hundred passwords or credit card records.
By narrowing down the possible values for each node and starting an attack by giving all the possible values, one can pretty easily get a fix on where the values/records are located, he said.
By repeating this process over and over again, you can narrow it down to a set of possible values and pick one that's most likely to hold the data the hacker is after.
One of the challenges in carrying out the technique is that it becomes harder to do in databases where there is a lot of user noise, so a savvy hacker using the approach might try to determine when there is little activity in a database to make their move, such as when a company's business day is over.
There also needs to be a fair amount of customization of the attack for each type of database, but someone could do the work fairly easily once they decide what company they want to attack and monitor their database activity, he said.
Once that groundwork is completed, the attack itself could be carried out in as little as ten minutes, said the researcher.
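As an added example (not code from Core or from the original post), here is a detection heuristic a database administrator could run over query-log lines to catch the pattern described above: a single connection issuing a burst of INSERTs into a sensitive table inside a ten-minute window, especially outside business hours. The simplified log format, the `users` table, and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real capture), simplified from the shape of a
# MySQL general query log: "<ISO timestamp> <connection id> Query <statement>".
def constructed_log():
    lines = []
    # Connection 42: a burst of 40 inserts into the users table after hours.
    for i in range(40):
        ts = datetime(2007, 8, 16, 22, 5, 0) + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()} 42 Query INSERT INTO users "
                     f"(username, pw) VALUES ('u{i:04d}', 'x')")
    # Connection 7: three ordinary daytime registrations, far below threshold.
    for i in range(3):
        ts = datetime(2007, 8, 16, 10, 0, 0) + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 7 Query INSERT INTO users "
                     f"(username, pw) VALUES ('alice{i}', 'y')")
    lines.append("2007-08-16T22:06:00 42 Query SELECT 1")  # ignored: not an INSERT
    return lines

# Matches only INSERT statements; group 1 = timestamp, 2 = connection, 3 = table.
LINE_RE = re.compile(r"^(\S+) (\d+) Query INSERT INTO (\w+)\b", re.I)

def find_insert_bursts(lines, table="users", window=timedelta(minutes=10),
                       threshold=25, business_hours=(9, 18)):
    """Return one (conn_id, first_ts, count, after_hours) tuple per connection
    that issues at least `threshold` INSERTs into `table` within any span of
    length `window`. Thresholds are assumed values, not from the article."""
    inserts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3).lower() != table:
            continue
        inserts[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    alerts = []
    for conn, times in inserts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = times[start]
                after_hours = not (business_hours[0] <= first.hour < business_hours[1])
                alerts.append((conn, first, end - start + 1, after_hours))
                break                           # one alert per connection is enough
    return alerts
```

Raise or lower `threshold` to match the registration rate your application normally produces; the after-hours flag is what the quiet-period remark above suggests watching for.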
"Every user has the option not to use B-trees; there are a lot of alternative structures, but B-trees work very efficiently," Waissbein said. "Sometimes being inefficient is more secure. This technique takes advantage of a lot of features that have been in use for over 30 years."
Posted by Matt Hines on August 16, 2007 10:37 AM
COMMENTS
Sounds like bs to me. I'd have to see a poc in person to believe it. And, if you're already creating tables in the target db, you should be able to read the passwords anyway to a local file, then you can decrypt them locally.
Posted by: John at August 17, 2007 11:08 AM

John, the attack only requires the ability to make inserts in the column under attack and measure the time they take. Notice that there is no claim stating that the attack decrypts values.
Posted by: ariel at August 17, 2007 01:22 PM

Not necessarily bs:
IIRC (which may not be):
This is akin to being able to crack the discrete logarithm by checking how long it takes to compute it on a specific processor... Which was done years ago.
This needs the ability to measure processing times, but as a theoretical attack, it is interesting.
Posted by: Pedro Fortuny at August 18, 2007 12:17 PM