duanlaofu4108 2018-01-14 19:25
31 views

Timing attack using PHP

I'm trying to produce a timing attack in PHP. Using PHP 7.1 with the following script:

<?php
$find = "hello";

// Phase 1: guess the length. Accumulate the time spent comparing $find
// against 'a' * $j for each candidate length 1..10.
$length = array_combine(range(1, 10), array_fill(1, 10, 0));
for ($i = 0; $i < 1000000; $i++) {
    for ($j = 1; $j <= 10; $j++) {
        $testValue = str_repeat('a', $j);
        $start = microtime(true);
        if ($find === $testValue) {
            //do Nothing
        }
        $end = microtime(true);
        $length[$j] += $end - $start;
    }
}

// The slowest candidate length is taken as the real length.
arsort($length);
$length = key($length);
var_dump($length . " found");

// Phase 2: guess one character position at a time. For each position, time
// every letter a-z (with the remaining positions padded with 'a') and keep the
// slowest letter.
$found = '';
$alphabet = array_combine(range('a', 'z'), array_fill(1, 26, 0));
for ($len = 0; $len < $length; $len++) {
    $currentIteration = $alphabet;
    $filler = str_repeat('a', $length - $len - 1);
    for ($i = 0; $i < 1000000; $i++) {
        foreach ($currentIteration as $letter => $time) {
            $testValue = $found . $letter . $filler;
            $start = microtime(true);
            if ($find === $testValue) {
                //do Nothing
            }
            $end = microtime(true);
            $currentIteration[$letter] += $end - $start;
        }
    }
    arsort($currentIteration);
    $found .= key($currentIteration);
}
var_dump($found);

This is searching for a word with the following constraints:

a-z only, up to 10 chars

The script finds the length of the word with no issue, but the value of the word never comes back as expected with a timing attack.

Is there something I am doing wrong?

The script loops through lengths and correctly identifies the length. It then loops through each letter (a-z) and checks the speed on these. In theory 'haaaa' should be slightly slower than 'aaaaa' due to the first letter being an h. It then carries on for each of the 5 letters.

Running gives something like 'brhas', which is clearly wrong (it's different each time, but always wrong).


1 answer

  • ds2321 2018-01-23 14:46

    Is there something I am doing wrong?

    I don't think so. I tried your code and I too, like you and the other people who tried in the comments, get completely random results for the second loop. The first one (the length) is mostly reliable, though not 100% of the time. By the way, the $argv[1] trick suggested didn't really improve the consistency of the results, and honestly I don't really see why it should.

    Since I was curious I had a look at the PHP 7.1 source code. The string identity function (zend_is_identical) looks like this:

        case IS_STRING:
            return (Z_STR_P(op1) == Z_STR_P(op2) ||
                (Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&
                 memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));
    

    Now it's easy to see why the first timing attack on the length works great. If the length is different then memcmp is never called and therefore it returns a lot faster. The difference is easily noticeable, even without too many iterations.

    Once you have the length figured out, in your second loop you are basically trying to attack the underlying memcmp. The problem is that the difference in timing highly depends on:

    1. the implementation of memcmp
    2. the current load and interfering processes
    3. the architecture of the machine.

    I recommend this article titled "Benchmarking memcmp for timing attacks" for more detailed explanations. They did a much more precise benchmark and still were not able to get a clear noticeable difference in timing. I'm simply going to quote the conclusion of the article:

    In conclusion, it highly depends on the circumstances if a memcmp() is subject to a timing attack.

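To put the answer's explanation to work from the defending side, here is an added example (not code from the question or the answer, and not part of PHP's own sources) that contrasts the three ways a PHP application can compare a secret against user input and notes what each one leaks through timing: the `===` operator quoted above, `hash_equals()`, and an HMAC-then-`hash_equals()` construction that hides the length as well. The function names, the secret and the candidate strings are constructed for this demonstration; the per-process key is an assumption about how such a comparison would be deployed.

```php
<?php
declare(strict_types=1);

// Added example, not part of the question or answer above. It contrasts three
// comparison strategies for a secret and documents what each leaks through
// timing. The secret, candidates and function names are constructed here.

// 1. Identity operator. As the quoted zend_is_identical() shows, a length
//    mismatch returns before memcmp() is reached, so the length leaks clearly;
//    whether the matching prefix leaks depends on the memcmp() implementation.
function compareIdentity(string $known, string $user): bool
{
    return $known === $user;
}

// 2. hash_equals(): walks every byte regardless of where the first difference
//    is, so the prefix no longer leaks. Its implementation still returns false
//    as soon as the lengths differ, so the length of $known stays observable.
//    The known (secret) string goes first, the attacker-controlled one second.
function compareHashEquals(string $known, string $user): bool
{
    return hash_equals($known, $user);
}

// 3. Hide the length too: HMAC both strings with a key the client never sees,
//    then compare the fixed-size (32-byte) digests in constant time. Every
//    candidate, whatever its length, costs the same amount of work.
function compareHmac(string $known, string $user, string $key): bool
{
    $knownMac = hash_hmac('sha256', $known, $key, true);
    $userMac  = hash_hmac('sha256', $user,  $key, true);
    return hash_equals($knownMac, $userMac);
}

// Constructed secret (the word the question searches for) and a mix of
// candidates: correct, wrong last byte, too short, too long, empty.
$secret     = 'hello';
$key        = random_bytes(32);   // assumed per-process key; never leaves the server
$candidates = ['hello', 'hellp', 'hell', 'helloo', ''];

foreach ($candidates as $candidate) {
    $a = compareIdentity($secret, $candidate);
    $b = compareHashEquals($secret, $candidate);
    $c = compareHmac($secret, $candidate, $key);

    // All three must agree on the result; only their timing profile differs.
    if ($a !== $b || $b !== $c) {
        throw new RuntimeException('comparison functions disagree on ' . json_encode($candidate));
    }
    printf("%-8s identity=%d hash_equals=%d hmac=%d\n", json_encode($candidate), $a, $b, $c);
}
```

Run it with `php compare.php` on PHP 7.0 or later (`random_bytes()` and scalar type declarations are the only version-dependent pieces). The point of the third variant is the one the answer's list of caveats implies: rather than arguing about whether a given `memcmp()` on a given machine under a given load is exploitable, make the amount of work independent of the secret, so the length-probing loop in the question and the per-character loop both see the same cost for every candidate.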
