Defense against side-channel micro-timing attacks

[yoid2000]

One of the bounty teams is trying a timing attack based on small differences in computation (in this case, the difference between the DB returning 1 or 0 rows, and the subsequent processing delay in the cloak). The purpose of this issue is simply to document at a high level what a defense against these kind of "micro" timing attacks. The attack hasn't been run yet so we don't know if it will work.

The reason for documenting a general solution is to prevent someone from patenting a solution and forcing us to pay royalties. (A patent won't apply to us if we already have the solution in-house and can prove when the solution was documented.)

The basic solution idea is to add some delay to answer reporting, where the delay length is determined by the noise layer seeds. The amount of delay needs to be enough to effectively mask whatever delay in computation is being exploited.

Ideally, for micro-timing attacks, the exploited computation difference is quite small and so the added delay could be quite small.

As an example, suppose that the computation delay is 100ms worst case. Then the solution might be to add a constant delay of 200 ms, with a noise value using standard deviation of 100ms and mean zero for each noise layer.

It would be helpful is others of you could add additional ideas just to cover our bases.

[sebastian]

At the risk of complicating things, I think we might need two delays? Something like this:

total time = (longer of query time and random delay 1) + random delay 2

This is in case the difference in the execution time of the two queries is dramatic due to one hitting an optimization of some sort which entirely short circuits the execution and therefore is noticeably (statistically significantly so anyway) different from the other even with the addition of a random delay.

[gampleman]

Could a mitigation be simply not reporting query execution time back? I would guess that the several HTTP hops could provide quite a bit of noise to the timing...

(Of course, this is assuming the execution times are short, but presumably the attack would be much less effective if it uses long running queries).

[yoid2000]

Could a mitigation be simply not reporting query execution time back?

Possibly. Any other ideas that come to mind please record them here. The immediate goal is simply to short-circuit any patents that someone else might choose to file.

[sebastian]

Could a mitigation be simply not reporting query execution time back? I would guess that the several HTTP hops could provide quite a bit of noise to the timing...

We have a minor mitigation in place for this already through rounding the execution times that are included in the logs. We could add in some additional delay (sticky noisy sleep) to the queries to ensure their execution times don't truly reflect that of the database. These types of mitigations only really address short queries though (as you point out).

The more dangerous timing attacks are the class where a change in the query can alter the runtime by orders of magnitude. Like for example whether a join is taken or optimized away as a noop.

[yoid2000]

The big timing attacks are already being handled (so far as we know). It is the small timing changes that we are unsure of that this issue addresses.