Skip to content
VigilGuard Logo VigilGuard
Contact Us
EASM Platform VendorGuard ITRM Platform

Side-Channel Research

Side-Channel Research

Section titled “Side-Channel Research”

5 automated security scanners

Timing Attacks

Section titled “Timing Attacks”

Purpose: The Timing Attacks Scanner is designed to identify potential vulnerabilities in cryptographic operations and password validation processes by analyzing response times across various domains. It aims to detect crypto timing leaks, password comparison timing vulnerabilities, HTTP response time anomalies, TLS/SSL timing inconsistencies, and DNS query timing issues that could be exploited through side-channel attacks.

What It Detects:

  • Cryptographic Operation Timing Leaks: Analyzes variations in response times during cryptographic operations to identify potential side-channel attacks and detect sensitive information leakage.
  • Password Comparison Timing Vulnerabilities: Measures the time taken for password validation processes to uncover discrepancies that could be exploited by attackers, particularly when valid passwords take significantly longer than invalid ones.
  • HTTP Response Time Analysis: Examines HTTP response times for different requests to identify any anomalies suggesting timing-based attacks and potential security headers or content indicating vulnerabilities.
  • TLS/SSL Timing Anomalies: Inspects TLS/SSL handshake processes to detect irregularities in timing that might reveal sensitive information, including deprecated cipher suites and protocol versions that could be exploited through timing attacks.
  • DNS Query Timing Analysis: Analyzes DNS query response times to identify potential vulnerabilities related to DNS-based side-channel attacks and detects patterns of inconsistencies in DNS record responses.

Inputs Required:

  • domain (string): The primary domain to analyze, such as acme.com.

Business Impact: This scanner is crucial for organizations aiming to secure their cryptographic implementations and password management processes against potential timing attack vulnerabilities. By identifying and mitigating these leaks and vulnerabilities, the organization can enhance its overall security posture and protect sensitive information from unauthorized access.

Risk Levels:

  • Critical: Timing attacks that lead to immediate disclosure of sensitive data or significant delays in critical operations.
  • High: Significant delays in processing legitimate requests due to timing-based vulnerabilities, potentially impacting service availability.
  • Medium: Minor inconsistencies in response times that could be exploited with more sophisticated techniques but do not significantly impact security.
  • Low: Minimal detectable anomalies that are unlikely to be exploited by attackers without significant effort and resources.
  • Info: Informal findings indicating potential areas for improvement or further investigation, which may require manual verification for confirmation.

If specific risk levels are not detailed in the README, they have been inferred based on the scanner’s purpose and impact.

Example Findings:

  1. A cryptographic operation consistently shows a response time that is significantly longer than other operations, potentially indicating a side-channel attack vector.
  2. Password validation for “admin” takes only half the time compared to validation for a standard user account, suggesting potential timing-based password guessing vulnerabilities.

Speculative Execution Attacks

Section titled “Speculative Execution Attacks”

Purpose: The Speculative Execution Attacks Scanner is designed to identify vulnerabilities related to Spectre and Meltdown variants by analyzing DNS, HTTP, TLS, and port configurations of a given domain. These attacks exploit speculative execution capabilities in modern processors to leak sensitive information through side-channel attacks.

What It Detects:

  • Security Headers Analysis: Checks for the presence of security headers that mitigate side-channel attacks such as strict-transport-security, content-security-policy, x-frame-options, and x-content-type-options.
  • TLS/SSL Configuration Issues: Identifies outdated or insecure TLS versions and cipher suites, including TLSv1.0, TLSv1.1, RC4, DES, and MD5.
  • DNS Record Analysis: Examines DNS records for security-related configurations, such as SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication Reporting and Conformance), and DKIM (DomainKeys Identified Mail) records.
  • Port Scanning and Service Fingerprinting: Scans common ports to identify open services that may be vulnerable, including HTTP (port 80), HTTPS (port 443), FTP (port 21), and SSH (port 22).
  • API Security Checks: Analyzes APIs for potential security misconfigurations or vulnerabilities.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)

Business Impact: This scanner is crucial for organizations aiming to secure their digital assets against speculative execution attacks, which can lead to unauthorized data leakage and significant security breaches. Detecting and mitigating these vulnerabilities helps in maintaining the confidentiality, integrity, and availability of sensitive information processed by applications and services accessed over the internet.

Risk Levels:

  • Critical: Conditions that directly lead to critical severity findings include outdated or insecure TLS versions (e.g., using RC4 or DES cipher suites) and presence of MD5 in security headers.
  • High: Conditions involving DNS records not configured properly, such as incorrect SPF or DMARC configurations, can lead to high severity issues.
  • Medium: Issues related to open ports serving potentially vulnerable services are considered medium risk.
  • Low: Informational findings may include outdated but still secure TLS versions and minor misconfigurations in API endpoints.
  • Info: Minimal impact on security posture, such as presence of deprecated but still functional TLS ciphers.

Example Findings:

  1. A domain using RC4 for its SSL/TLS configuration is flagged as a critical issue due to the inherent vulnerability of this cipher suite to attacks.
  2. An improperly configured SPF record that does not include all authorized mail servers can lead to high risk, allowing potential email forgery and unauthorized access.

Acoustic Optical Side Channels

Section titled “Acoustic Optical Side Channels”

Purpose: The Acoustic Optical Side Channels Scanner is designed to assess the presence of acoustic and optical side channels that could potentially leak sensitive information from a target domain. This comprehensive tool evaluates DNS, HTTP, TLS/SSL configurations, and network ports for vulnerabilities that might facilitate such leaks.

What It Detects:

  • Insecure DNS Configurations: The scanner identifies missing or weak TXT records, as well as insecure settings in MX, NS, CAA, and DMARC records.
  • Weak HTTP Security Headers: It checks for the absence of critical security headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.
  • Vulnerable TLS/SSL Configurations: The tool detects outdated TLS versions (e.g., TLSv1.0, TLSv1.1) and weak cipher suites (e.g., RC4, DES, MD5).
  • Open Ports and Services: By performing port scanning and service fingerprinting, the scanner identifies open ports that could be exploited and determines the services running on these ports.
  • API Vulnerabilities: The scanner analyzes APIs for potential security issues such as insecure endpoints or lack of authentication mechanisms.

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com).

Business Impact: Assessing the presence of acoustic and optical side channels is crucial for maintaining the confidentiality, integrity, and availability of sensitive information across networks. This tool helps organizations identify and mitigate vulnerabilities that could be exploited by adversaries to gain unauthorized access or data leakage.

Risk Levels:

  • Critical: The scanner identifies missing SPF record and weak DMARC policy as critical issues.
  • High: Outdated TLS versions, weak cipher suites, and insecure DNS configurations are considered high-risk findings.
  • Medium: Weak HTTP security headers and open ports that could potentially be exploited are classified as medium risk.
  • Low: Informational findings such as outdated API endpoints fall under the low severity category.
  • Info: The scanner’s primary purpose is to detect vulnerabilities, so informational findings primarily serve as awareness indicators of potential issues.

Example Findings:

  1. A domain with an insecure DMARC policy that allows for “none” or “quarantine” actions could be at risk of significant data leakage if misused by adversaries.
  2. An outdated TLS version such as TLSv1.0, which is inherently less secure compared to newer versions like TLSv1.2 and TLSv1.3, poses a high risk for data protection breaches.

Cache Attacks

Section titled “Cache Attacks”

Purpose: The Cache Attacks Scanner is designed to identify potential vulnerabilities in a target domain’s infrastructure that could be exploited by attackers through side-channel attacks such as prime+probe, flush+reload, and evict+time. This tool assesses the security posture of domains by examining HTTP headers, TLS/SSL configurations, DNS records, and other network interactions for indicators of these sophisticated attack techniques.

What It Detects:

  • Prime+Probe Attack Indicators: Identifies specific HTTP headers or content that may suggest prime+probe techniques are being used to leak data through cache timing discrepancies.
  • Flush+Reload Attack Indicators: Analyzes TLS/SSL configurations and certificate details for potential weaknesses exploited by flush+reload attacks, which manipulate cache states to infer sensitive information.
  • Evict+Time Attack Indicators: Searches for evidence of cache eviction strategies used to extract data from DNS records and responses, indicating evict+time techniques.
  • Security Header Vulnerabilities: Checks the presence and strength of security headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options for outdated or weak configurations that could be exploited by side-channel attacks.
  • TLS/SSL Configuration Weaknesses: Inspects TLS/SSL certificates for deprecated protocols (e.g., TLSv1.0, TLSv1.1) and cipher suites (e.g., RC4, DES, MD5), evaluating the overall security posture of the domain’s TLS/SSL implementation.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com). This parameter is essential for all detection methods as it defines the scope and target of the scan.

Business Impact: Identifying vulnerabilities in infrastructure security can significantly impact a company’s risk posture, potentially leading to data breaches or unauthorized access if exploited by attackers. The scanner helps organizations proactively assess and mitigate these risks before they become critical issues.

Risk Levels:

  • Critical: Conditions that directly lead to significant security incidents such as data leakage or complete system compromise are considered critical. These include the detection of deprecated TLS protocols in use and weak cipher suites.
  • High: High-risk findings involve vulnerabilities that can be easily exploited with minimal effort, such as missing X-Frame-Options headers, which could lead to clickjacking attacks.
  • Medium: Medium-risk findings are those that may not directly compromise security but indicate suboptimal configurations or potential future issues, like the presence of certain HTTP headers indicative of prime+probe techniques.
  • Low: Low-risk findings include informational notices about deprecated TLS versions and cipher suites, which while important to address, do not pose an immediate threat.
  • Info: Informational findings are those that provide context but currently do not indicate a significant risk or impact on security posture.

Example Findings:

  1. A domain using outdated TLS protocol versions such as TLSv1.0 and TLSv1.1, which is critical because it directly exposes the system to well-known vulnerabilities and attacks.
  2. The absence of X-Frame-Options headers in security responses, a high-risk finding that could lead to clickjacking attacks if exploited by an attacker.

Power Analysis Attacks

Section titled “Power Analysis Attacks”

Purpose: The Power Analysis Attacks Scanner is designed to identify potential vulnerabilities related to simple and differential power analysis (SPA/DPA) attacks as well as electromagnetic analysis (EMA) vulnerabilities. It evaluates various aspects of a system, including security headers, TLS/SSL configurations, DNS records, HTTP content, and port and service information, to detect weaknesses that could be exploited through such attacks.

What It Detects:

  • Security Headers Analysis: The scanner checks for the presence of critical security headers that can mitigate SPA/DPA risks. It identifies missing or improperly configured headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.
  • TLS/SSL Configuration Issues: The scanner scans for outdated TLS versions (e.g., TLSv1.0, TLSv1.1) that are vulnerable to SPA/DPA attacks and detects weak cipher suites (e.g., RC4, DES, MD5) which can be exploited in power analysis attacks.
  • DNS Record Analysis: It examines DNS records like TXT, MX, NS, CAA, and DMARC for potential misconfigurations that could indicate susceptibility to SPA/DPA. The scanner also checks SPF records for overly permissive settings.
  • HTTP Content Analysis: The scanner analyzes HTTP responses for signs of cryptographic implementations that may be vulnerable to power analysis attacks, looking for specific patterns in content indicative of weak security practices.
  • Port and Service Fingerprinting: It scans open ports and identifies services running on the target domain potentially affected by SPA/DPA vulnerabilities through their versions and configurations.

Inputs Required:

  • domain (string): The primary domain to be analyzed, such as acme.com.

Business Impact: This scanner is crucial for organizations aiming to secure their digital assets against sophisticated power analysis attacks. By identifying and addressing weaknesses in security headers, TLS/SSL configurations, DNS settings, cryptographic implementations, and network services, the organization can significantly reduce the risk of data leakage through such attacks.

Risk Levels:

  • Critical: The scanner flags conditions where outdated or missing security headers are present, or when vulnerable cipher suites are used in encryption protocols.
  • High: Issues related to TLS versions that do not meet modern security standards and lack of strong cryptographic practices in HTTP content.
  • Medium: DNS misconfigurations that might expose systems to SPA/DPA attacks, though less critical than the above but still significant vulnerabilities.
  • Low: Informational findings regarding potentially less risky configurations or settings that are not directly linked to SPA/DPA risks but could be part of a broader security assessment.
  • Info: General information about services and their cryptographic implementations without specific severity implications for SPA/DPA attacks.

Example Findings:

  1. The domain example.com is found to lack the Strict-Transport-Security header, which could be exploited in power analysis attacks if accessed over HTTPS.
  2. A TLS configuration on secure.example.org uses RC4 cipher suites that are highly vulnerable to SPA/DPA and should be upgraded immediately for enhanced security.