Tuesday, July 21, 2015

Timing attacks

What are the timing attacks?

The timing attacks are the ones that are applicable when it takes different time for an application to compare the provided secret with the original one. When does it take the different time? When comparison is performed symbol by symbol and stops once the current symbols in the provided secret is different from the current symbol in the original one.

def compare_secrets(secret_original, secret_provided):
  if len(secret_original) != len(secret_provided):
    return False

  for x in secret_original:
    for y in secret_provided:
      if x != y:
        return False

  return True


It takes one amount of time to compare the same passwords or strings, for the different ones it takes another, less, amount.

One can, however, argue that the time difference is so negligible so that it's impossible to exploit this vulnerability. Against all the odds, it is possible. My code had this vulnerability https://github.com/GildedHonour/rust-jwt/issues/1

How to exploit it?

Try to brute-force the password and measure the time it takes for the application to respond. When the current attempt takes less time than the previous one, it implies that the current password partially matches the original one. That is, the less time is takes, the larger amount of symbols match. By keeping brute-forcing the password and analyzing the response time, you can eventually find the password.

How to protect your code?

Don't break the process when the symbols are different. When it comes to performance, it's, indeed, not efficient. However, from the point of view of security this code is safe.


 def compare_secrets(secret_original, secret_provided):
  res = True
  for x in secret_original:
    for y in secret_provided:
      if x != y and res == True:
        res = False

  return res

Thursday, July 9, 2015

Deploying a Rails 4 application on Heroku.com with the assets on Amazon S3

I had a task to deploy a Rails 4 application to heroku.com and make it serve the assets from Amazon S3. After a couple of days trying to do that through trial and error I eventually made it work. Here's how to do that:

1) Precompile the assets locally

rake asset:precompile

What this command does is:

a) Combines them into the single css and js files
b) Copies them to public/assets
c) Creates public/assets/manifest-.json


2) Upload them to S3 manually. I suggest avoid using gems when possible. The less gem and dependencies you use, the better it is. This is because using gems makes our job even more difficult: not only do they require us to learn their interfaces, they may have errors in them.

For example, the latest version of the most popular gem asset_sync for synchronizing assets was in the state "tests failed" when I was working on the task.

And in general, in order to better understand what's going on under the hood, you have to avoid using high-level stuff.

To upload assets to S3 you can use an utility called s3cmd. I think that's the only way to do it and there's no way to do it via a browser.


cd public

s3cmd . s3://your-bucket-name

where the "." denotes your current directory being public.