Re: Black Hat: New database attack revealed

From: Brian Hurt <bhurt(at)janestcapital(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-advocacy(at)postgresql(dot)org
Subject: Re: Black Hat: New database attack revealed
Date: 2007-08-02 14:12:11
Message-ID: 46B1E63B.6030801@janestcapital.com
Lists: pgsql-advocacy

Peter Eisentraut wrote:

>On Thursday, 2 August 2007 13:31, Robert Bernier wrote:
>
>>New timing attack doesn't need application bugs to work
>>
>>http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&newsid=4344
>>
>
>This is complete BS, as evidenced by this statement:
>
>"""
>their attack involves performing record insertion operations, typically
>available to all database users - including anonymous users of front-end web
>applications - and analysing the time it takes to perform different kinds of
>insertions.
>"""
>
>In principle, attacks of this kind would be possible, but it's not quite as
>simple as they make it appear.
>
In addition, the only information I can see getting out of this sort of
attack is the number of entries in the table, and *maybe* the sizes (but
not the contents) of the individual fields or rows. In the
cryptographic sense, this is leaking information, but I'm not sure most
people would be that worried about this information leaking. Foobar
Inc. may be very secretive about their customer list - but knowing that
they have exactly 12,345 customers, and that customer 1's name is 12
characters long, etc., doesn't tell their competitors much.

In addition, I bet the presence of optimizations, like the WAL or
vacuuming in PostgreSQL, significantly complicate the analysis. At
which point you don't need to be all that vigilant against this sort of
attack - for it to work, the attacker would have to run so many queries
and/or inserts against the database that they'd be blatantly obvious.
If someone wants to suck down all your database bandwidth for months at
a shot, then you probably need to talk to them, even if they're not
trying to perform a timing attack on the database...

Brian
