On 2023-02-22 Gilbert Detillieux wrote:
As if we didn't already have enough issues with OpenSSL, what with buffer overrun vulnerabilities in new/recent code*, and more direct coding flaws (pointer free/dereference and such) that were recently announced**.
To be fair, "password timing" attacks are a relatively new class of attack vectors. And by new I mean maybe 10-15 years old? Many projects are still finding buffer overrun and null-pointer deref bugs 40 years after that class was identified.
And the tools to combat timing attacks are still (relatively) in their infancy, in terms of language support and standardized libraries. So programmers have (had) little help. Many will just put their heads in the sand.
Even worse, you can find these vulnerabilities in places that aren't readily apparent (like SSL). We all thought "password" when really it's comparing any strings in an auth (or even encryption?) scenario.
I remember a few years back when PHP was starting to address this that to solve it immediately in my own projects I had to write custom password comparison code, because it was going to be years before the PHP tools showed up on our production boxes. It was one of the most challenging, and fun, projects I've ever worked on, though I hated the fact I had to waste time on mitigating the minds of autist hackers.
The disturbing thing I see in the industry these days is that it's not new bugs people are finding, it's entirely new classes of bugs. Ones that no one really thought of before (a blessing?). Like the Spectre- class gift that will forever keep on giving. And password timing attacks. As we fix those, shudder to think what new class has yet to be discovered...