CWE-385
Covert Timing Channel
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
Mitigation
Phase: Architecture and Design
Description:
- Whenever possible, specify implementation strategies that do not introduce time variances in operations.
Mitigation
Phase: Implementation
Description:
- Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker.
Mitigation
Phase: Implementation
Description:
- It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application.
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.