Re: Fwd: little request :)

From: Date: Thu, 06 Feb 2014 00:42:29 +0000
Subject: Re: Fwd: little request :)
Groups: php.internals
Hi

On 5 Feb 2014, at 22:57, Yasuo Ohgaki <[email protected]> wrote:
>> This is fixed-length, so the issue of hiding a length does not arise,
>> and OpenBSD comes with and is built by a particular C compiler.  I am
>> not aware of them trying to introduce a similar function for variable
>> length strings (OK, this may be in part because of the way strings are
>> commonly stored in C, where even to determine the string length you'd
>> have to be non-constant time already).
>> 
>> Hiding a string length is really tricky, and only possible to a more
>> limited extent than hiding byte value differences.
> 
> I agree that hiding string length is hard.
> Another way to protect from timing attack is have a random sleep, but
> this is tricky also. Too short or too long sleep doesn't help.
> 

Using time delays with a random distribution will simply average out since it would have a minimal
min to max range. Would work for a few requests but not the thousands an exploit would possibly use
to get a statistical sample for analysis.

Paddy
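
As an added illustration of the averaging argument above (my own example, not code from this thread or from PHP): a constructed timing model in which each compared byte costs one time unit and a random sleep of up to `jitter` units is added to every observation. With a handful of samples the sleep hides the early-exit gap, but with many samples the means converge and the gap is recovered; a compare that always walks the full length leaves no gap to recover. The secret and guesses are constructed sample values.

```python
import random
import statistics

# Constructed timing model, not a real measurement: each compared byte costs
# one time unit, and a "random sleep" of up to `jitter` units is added to
# every observation, as proposed in the thread.


def early_exit_cost(secret: bytes, guess: bytes) -> float:
    """Cost of a memcmp-style compare that stops at the first mismatching byte."""
    cost = 0.0
    for a, b in zip(secret, guess):
        cost += 1.0
        if a != b:
            break
    return cost


def constant_time_cost(secret: bytes, guess: bytes) -> float:
    """Cost of a compare that always walks the full length, whatever the input."""
    return float(len(secret))


def gap_and_stderr(cost_fn, secret, guess_a, guess_b, samples, jitter, seed=1):
    """Difference of the mean observed costs for two guesses, with its standard error."""
    rng = random.Random(seed)
    obs_a = [cost_fn(secret, guess_a) + rng.uniform(0.0, jitter) for _ in range(samples)]
    obs_b = [cost_fn(secret, guess_b) + rng.uniform(0.0, jitter) for _ in range(samples)]
    gap = statistics.mean(obs_a) - statistics.mean(obs_b)
    stderr = (statistics.variance(obs_a) / samples + statistics.variance(obs_b) / samples) ** 0.5
    return gap, stderr


def gap_is_distinguishable(cost_fn, secret, guess_a, guess_b, samples, jitter, seed=1):
    """True when the averaged gap stands clearly above the noise (4 standard errors)."""
    gap, stderr = gap_and_stderr(cost_fn, secret, guess_a, guess_b, samples, jitter, seed)
    return abs(gap) > 4.0 * stderr


if __name__ == "__main__":
    SECRET = b"abcdef"    # constructed sample values
    PARTIAL = b"abczzz"   # shares a 3-byte prefix: early exit after 4 bytes
    WRONG = b"zzzzzz"     # mismatches at once: early exit after 1 byte
    for n in (10, 100_000):
        gap, se = gap_and_stderr(early_exit_cost, SECRET, PARTIAL, WRONG, n, 100.0)
        print(f"early-exit, {n:>6} samples: gap={gap:6.2f} stderr={se:.2f}")
    gap, se = gap_and_stderr(constant_time_cost, SECRET, PARTIAL, WRONG, 100_000, 100.0)
    print(f"constant-time, 100000 samples: gap={gap:6.2f} stderr={se:.2f}")
```

The true early-exit gap in this model is 3 units; a jitter of 100 units swamps it at 10 samples, yet the 100,000-sample mean lands within a fraction of a unit of it.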

