Empirical Analysis of Software Vulnerabilities Causing Timing Side Channels

TL;DR

This study empirically analyzes vulnerabilities causing timing side-channel attacks in non-cryptographic software, revealing that most are due to insecure coding practices, to better understand and mitigate such risks.

Contribution

It provides the first comprehensive empirical analysis of timing attack vulnerabilities in non-cryptographic software using data from the NVD.

Findings

Most vulnerabilities stem from insecure coding practices.

Timing attack vulnerabilities have persisted over nearly two decades.

Empirical evidence aids in understanding and preventing timing side-channel attacks.

Abstract

Timing attacks are considered one of the most damaging side-channel attacks. These attacks exploit timing fluctuations caused by certain operations to disclose confidential information to an attacker. For instance, in asymmetric encryption, operations such as multiplication and division can cause time-varying execution times that can be ill-treated to obtain an encryption key. Whilst several efforts have been devoted to exploring the various aspects of timing attacks, particularly in cryptography, little attention has been paid to empirically studying the timing attack-related vulnerabilities in non-cryptographic software. By inspecting these software vulnerabilities, this study aims to gain an evidence-based understanding of weaknesses in non-cryptographic software that may help timing attacks succeed. We used qualitative and quantitative research approaches to systematically study the timing attack-related vulnerabilities reported in the National Vulnerability Database (NVD) from March 2003 to December 2022. Our analysis was focused on the modifications made to the code for patching the identified vulnerabilities. We found that a majority of the timing attack-related vulnerabilities were introduced due to not following known secure coding practices. The findings of this study are expected to help the software security community gain evidence-based information about the nature and causes of the vulnerabilities related to timing attacks.