Proceedings of the 7th ACM conference on Computer and communications security
A fast string searching algorithm
Communications of the ACM
Efficient string matching: an aid to bibliographic search
Communications of the ACM
A note on the confinement problem
Communications of the ACM
A Timing Attack against RSA with the Chinese Remainder Theorem
CHES '00 Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense
Exposing private information by timing web applications
Proceedings of the 16th international conference on World Wide Web
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Remote timing attacks are practical
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Static analysis of executables to detect malicious patterns
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Remote detection of virtual machine monitors with fuzzy benchmarking
ACM SIGOPS Operating Systems Review
Opportunities and Limits of Remote Timing Attacks
ACM Transactions on Information and System Security (TISSEC)
Predictive black-box mitigation of timing channels
Proceedings of the 17th ACM conference on Computer and communications security
The impact of the antivirus on the digital evidence
International Journal of Electronic Security and Digital Forensics
Hi-index | 0.00 |
Remote attackers use network reconnaissance techniques, such as port scanning, to gain information about a victim machine and then use this information to launch an attack. Current network reconnaissance techniques, that are typically below the application layer, are limited in the sense that they can only give basic information, such as what services a victim is running. Furthermore, modern remote exploits typically come from a server and attack a client that has connected to it, rather than the attacker connecting directly to the victim. In this paper, we raise this question and answer it: Can the attacker go beyond the traditional techniques of network reconnaissance and gain high-level, detailed information? We investigate remote timing channel attacks against ClamAV antivirus and show that it is possible, with high accuracy, for the remote attacker to check how up-to-date the victim's antivirus signature database is. Because the strings the attacker uses to do this are benign (i.e., they do not trigger the antivirus) and the attack can be accomplished through many different APIs, the attacker has a large amount of flexibility in hiding the attack.