tech-security archive


RE: const time authentication in bozohttpd



Perhaps this is a silly comment; but wouldn't it be easier to simply time
stamp the incoming request, and then spin for any authentication failure
until a suitable fixed time has elapsed after the inbound arrival? Or are
you worried about local cache-interference attacks as well? 

--Terry

> -----Original Message-----
> From: tech-security-owner%NetBSD.org@localhost [mailto:tech-security-
> owner%NetBSD.org@localhost] On Behalf Of shm
> Sent: Wednesday, June 25, 2014 02:35
> To: tech-security%netbsd.org@localhost; tech-userlevel%netbsd.org@localhost
> Subject: const time authentication in bozohttpd
> 
> Hello,
> 
>  bozohttpd currently checks passwords using strcmp, which may leak
> information about the compared data; my patch [1] introduces the following
> countermeasures:
> 
>  - username / password is now compared using an introduced timing-safe
>    function (whose run time depends on the known string)
>  - remove username/password from memory as it's no longer needed
>  - avoid username leak by checking all records in the auth file (previously,
>    when we found a valid username but the user sent an invalid password, we
>    broke out of the loop, so the other records from the .htpasswd weren't
>    checked; thus an attacker could, based on response time, figure out
>    whether a username exists)
> 
>  This might sound a bit paranoid, but I've got a real-world example showing
> that the problem really exists:
> 
>  192.168.1.105 is a bozohttpd (built from HEAD):
> 
>   executed by: /usr/libexec/httpd -d -c cgi-bin -bf -X -I 8080 . 192.168.1.105
> 
>   shm@netbsd-dev ~/www $ cat .htpasswd
>   bla:$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzP
>   test:$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzP
>   test2:$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzP
>   test3:$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzP
>   test4:$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzP
>   test6:$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzO
> 
>   (password is bla)
> 
>   Response times from the machine in the same LAN:
> 
>   For a non-existing user:
> 
> $ for ((i=0;i<100;i++)) ; do time curl http://notexists:bla3@192.168.1.105:8080/ ; done 2> /dev/stdout | grep real | sort | uniq -c
>    1 real 0m0.016s
>    1 real 0m0.017s
>    3 real 0m0.018s
>   13 real 0m0.019s
>   50 real 0m0.020s
>    4 real 0m0.021s
>    1 real 0m0.022s
>    1 real 0m0.023s
>    2 real 0m0.024s
>    5 real 0m0.025s
>    7 real 0m0.030s
>    3 real 0m0.031s
>    1 real 0m0.033s
>    1 real 0m0.034s
>    2 real 0m0.035s
>    2 real 0m0.036s
>    1 real 0m0.037s
>    1 real 0m0.040s
>    1 real 0m0.045s
> 
> For an existing user:
> 
> $ for ((i=0;i<100;i++)) ; do time curl http://test3:bla3@192.168.1.105:8080/ ; done 2> /dev/stdout | grep real | sort | uniq -c
>    2 real 0m0.086s
>    3 real 0m0.087s
>    3 real 0m0.088s
>   14 real 0m0.089s
>   43 real 0m0.090s
>   11 real 0m0.091s
>    2 real 0m0.092s
>    2 real 0m0.093s
>    2 real 0m0.094s
>    2 real 0m0.095s
>    3 real 0m0.096s
>    1 real 0m0.097s
>    1 real 0m0.098s
>    1 real 0m0.101s
>    1 real 0m0.102s
>    1 real 0m0.104s
>    5 real 0m0.106s
>    1 real 0m0.108s
>    1 real 0m0.115s
>    1 real 0m0.130s
> 
>   For bozohttpd with my patch, the results are as follows:
> 
>   For a non-existing user:
> 
> shm@selene ~ $ for ((i=0;i<100;i++)) ; do time curl http://notexists:bla2@192.168.1.105:8080/ ; done 2> /dev/stdout | grep real | sort | uniq -c
>    2 real 0m0.087s
>    3 real 0m0.088s
>   13 real 0m0.089s
>   51 real 0m0.090s
>   10 real 0m0.091s
>    2 real 0m0.093s
>    2 real 0m0.094s
>    2 real 0m0.095s
>    1 real 0m0.096s
>    1 real 0m0.097s
>    7 real 0m0.100s
>    1 real 0m0.102s
>    1 real 0m0.104s
>    1 real 0m0.106s
>    1 real 0m0.114s
>    1 real 0m0.115s
>    1 real 0m0.268s
> 
> 
>   For an existing user:
> 
> shm@selene ~ $ for ((i=0;i<100;i++)) ; do time curl http://bla:bla2@192.168.1.105:8080/ ; done 2> /dev/stdout | grep real | sort | uniq -c
>    1 real 0m0.087s
>   12 real 0m0.089s
>   54 real 0m0.090s
>   11 real 0m0.091s
>    2 real 0m0.092s
>    2 real 0m0.093s
>    1 real 0m0.094s
>    2 real 0m0.096s
>    5 real 0m0.100s
>    2 real 0m0.101s
>    1 real 0m0.104s
>    5 real 0m0.105s
>    1 real 0m0.115s
>    1 real 0m0.120s
> ----
> 
>  Do you have any thoughts on this? I'd like to commit [1], if there are no
> objections.
> 
>  Kind Regards,
>  shm@
> 
> [1] http://netbsd.org/~shm/patches/bozohttpd/consttime_auth-bozo.diff
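
The two countermeasures shm describes, a compare whose run time depends only on the known string and an auth loop that visits every record instead of breaking on the first username match, as an added illustration in C that is not the bozohttpd patch itself. The records are taken from the .htpasswd shown above, and the function assumes the caller has already hashed the candidate password (e.g. with crypt(3) and the record's salt) before the call; the names `timingsafe_strcmp`, `check_auth` and `htrecord` are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare 'user' against the trusted 'known' string.  The loop always runs
 * strlen(known) steps and never exits early, so run time depends only on the
 * known string, not on where the attacker-supplied string first differs.
 * Returns 0 on match, non-zero otherwise. */
int timingsafe_strcmp(const char *known, const char *user)
{
    size_t klen = strlen(known);
    size_t ulen = strlen(user);
    /* A length mismatch is folded into the result instead of returning early. */
    unsigned char diff = (unsigned char)(klen != ulen);
    for (size_t i = 0; i < klen; i++) {
        /* Past the end of 'user' compare against 0 so we never read out of bounds. */
        unsigned char u = (i < ulen) ? (unsigned char)user[i] : 0;
        diff |= (unsigned char)known[i] ^ u;
    }
    return diff;
}

struct htrecord { const char *user; const char *hash; };

/* Sample records copied from the .htpasswd in the message (constructed test data). */
#define BLA_HASH   "$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzP"
#define TEST6_HASH "$sha1$22983$EVXICHNn$wnulZLsEKwnbZTwGRD0vi/8n5rzO"
static const struct htrecord sample_htpasswd[] = {
    { "bla", BLA_HASH }, { "test", BLA_HASH }, { "test6", TEST6_HASH },
};
#define SAMPLE_N (sizeof(sample_htpasswd) / sizeof(sample_htpasswd[0]))

/* Check the login against every record and never break out early, so a bad
 * password for an existing user costs the same as an unknown user.  'pwhash'
 * is the candidate password already hashed (assumed: crypt(3) with the
 * record's salt); a real server must do that hashing for every record too. */
int check_auth(const struct htrecord *recs, size_t n,
               const char *user, const char *pwhash)
{
    int ok = 0;
    for (size_t i = 0; i < n; i++) {
        int umatch = timingsafe_strcmp(recs[i].user, user) == 0;
        int pmatch = timingsafe_strcmp(recs[i].hash, pwhash) == 0;
        ok |= umatch & pmatch;          /* accumulate; no early return */
    }
    return ok;
}

int main(void)
{
    printf("bla:%d notexists:%d test6/wrong-hash:%d\n",
           check_auth(sample_htpasswd, SAMPLE_N, "bla", BLA_HASH),
           check_auth(sample_htpasswd, SAMPLE_N, "notexists", BLA_HASH),
           check_auth(sample_htpasswd, SAMPLE_N, "test6", BLA_HASH));
    return 0;
}
```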


