Posted to dev@tomcat.apache.org by Yu Feng <yu...@cs.utexas.edu> on 2017/05/16 20:58:34 UTC

Potential timing channels in RealmBase.java

Hi,

I am a researcher at UT Austin.

Recently I found a timing channel that will leak the information about the
existence of a user:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/RealmBase.java#L399

Assuming the ServerDigest is sensitive, then doing pure string comparison
will cause another timing channel:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/RealmBase.java#L428


Here is more information about timing attacks:
https://codahale.com/a-lesson-in-timing-attacks/

Thanks,
Yu

-- 
Yu Feng
Graduate Research Assistant
UT Austin | Computer Science
512-954-7627 | yufeng@cs.utexas.edu
http://www.cs.utexas.edu/~yufeng/
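The two channels in the report, side by side with the mitigation a realm implementer would want, as an added example. This is not Tomcat's RealmBase code and not the reporter's; the class, the constructed user store, the `example-realm` string and the use of SHA-256 as a stand-in for the realm's digest algorithm are all assumptions made for the illustration. The leaky variant returns before any digest work when the user is unknown (so unknown and known users fail at different speeds) and compares digests with `String.equals`, which stops at the first differing character. The hardened variant compares against a dummy digest when the user is unknown, so both paths do the same work, and uses `java.security.MessageDigest.isEqual`, which examines the full length of its inputs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical digest realm (not Tomcat's RealmBase) showing the two timing channels
 * from the report next to a hardened variant.
 */
public class DigestCompareExample {

    // Constructed sample user store: username -> hex SHA-256 of "user:realm:password".
    private static final Map<String, String> USERS = new HashMap<>();
    // Dummy digest compared against when the user is unknown, so that path does the same work.
    private static final String DUMMY_DIGEST_HEX = sha256Hex("nobody:example-realm:placeholder");

    static {
        USERS.put("alice", sha256Hex("alice:example-realm:correct horse battery staple"));
    }

    /** SHA-256 of the input, hex encoded; stands in for whatever digest the realm stores. */
    static String sha256Hex(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Leaky: returns early for an unknown user and compares digests with String.equals. */
    static boolean authenticateLeaky(String user, String clientDigestHex) {
        String storedHex = USERS.get(user);
        if (storedHex == null) {
            return false;                         // channel 1: unknown users fail faster
        }
        return storedHex.equals(clientDigestHex); // channel 2: stops at the first differing char
    }

    /** Hardened: same work for known and unknown users, full-length digest comparison. */
    static boolean authenticateConstantTime(String user, String clientDigestHex) {
        String storedHex = USERS.get(user);
        boolean userExists = storedHex != null;
        String toCompare = userExists ? storedHex : DUMMY_DIGEST_HEX;
        // MessageDigest.isEqual examines every byte rather than stopping at the first mismatch.
        boolean digestMatches = MessageDigest.isEqual(
                toCompare.getBytes(StandardCharsets.UTF_8),
                clientDigestHex.getBytes(StandardCharsets.UTF_8));
        // The comparison has already been performed above; only now is the user check applied.
        return userExists && digestMatches;
    }

    public static void main(String[] args) {
        String good = sha256Hex("alice:example-realm:correct horse battery staple");
        String bad = sha256Hex("alice:example-realm:wrong password");
        System.out.println("leaky  alice/good    -> " + authenticateLeaky("alice", good));
        System.out.println("leaky  alice/bad     -> " + authenticateLeaky("alice", bad));
        System.out.println("leaky  mallory/bad   -> " + authenticateLeaky("mallory", bad));
        System.out.println("ct     alice/good    -> " + authenticateConstantTime("alice", good));
        System.out.println("ct     alice/bad     -> " + authenticateConstantTime("alice", bad));
        System.out.println("ct     mallory/bad   -> " + authenticateConstantTime("mallory", bad));
    }
}
```

Two caveats when applying this pattern to a real realm. First, the hardened variant only equalizes the digest comparison; the user lookup itself (a `HashMap` here, a database or LDAP query in practice) still has data-dependent latency, so a realm that wants to hide user existence must also make the lookup path uniform. Second, whether the server-side digest is sensitive enough to justify this is the reporter's stated assumption; the constant-time comparison costs nothing either way, so it is the safer default.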