Newsgroups: php.internals
Xref: news.php.net php.internals:72670
Date: Tue, 18 Feb 2014 09:13:18 +0900
To: Andrey Andreev
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Andrey,

On Mon, Feb 17, 2014 at 10:22 PM, Andrey Andreev wrote:
> This still doesn't explain how it would work.
> And why is it necessary as a setting instead of auto-detecting it? The
> valid length should be easy to calculate.

Valid length is easy to detect, as well as valid chars. The current session module only detects and discards "if session has invalid chars", i.e. invalid chars are only a few chars. A stricter check is up to session save handlers.

http://lxr.php.net/xref/PHP_5_6/ext/session/session.c#1605

(It would be better to have a stricter check in the module, IMO. It's BC...)

The length check is trivial, so why not check and discard in the module instead of accepting an invalid session ID and letting users check and discard? It also addresses bugs like a null session ID raising an annoying error.

A timing attack could be done with linear directory search. With linear directory search, file names are compared one by one, character by character. Therefore, an attacker can exploit timing to tell whether the sent session ID matches or not.

Modern file systems like ext4 have htree, which hashes file names. Timing cannot be used on such file systems because it is the same as "hash strings, then compare". Characters are not compared one by one.

XFS uses a B+tree. A B+tree is one-by-one comparison basically. A B+tree would be harder to exploit since its structure may change a lot during an attack, but it might be vulnerable if the attacker considers tree structure changes during the attack, i.e. the tree structure may change after GC or when new sessions are added. (This is also applicable to linear directory search file systems. Structure change is more obvious and easy to handle with simple linear search.)

There is a threat and it could be removed with a length check. Let's have the check and forget about the timing attack!

Regards,

P.S. The reason why Python adopts "hash comparison" with ==/=== is the same reason, I suppose. PHP 5.6 may do the same or similar, and forget about the timing attack.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
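A defender's illustration of the two points made in the mail, added here as an example that is not the mail's or PHP's own code: a strict module-level length and character check that runs before any storage access, plus a toy file store whose file names are SHA-256 digests of the ID rather than the ID itself. The 32-character hex ID format, the `sess_` file naming and the store functions are assumptions made for this example.

```python
import hashlib
import os
import tempfile

# Constructed parameters (assumption, not PHP's real configuration):
# a 128-bit ID rendered as exactly 32 lowercase hex characters.
SID_LENGTH = 32
SID_ALPHABET = frozenset("0123456789abcdef")

def sid_is_valid(sid):
    """Module-level pre-check: exact length and allowed characters only, so
    empty, NUL-containing, path-like or wrong-length IDs never reach a save
    handler or the filesystem."""
    if not isinstance(sid, str) or len(sid) != SID_LENGTH:
        return False
    return all(c in SID_ALPHABET for c in sid)

def session_path(directory, sid):
    # Name the file by the SHA-256 of the ID (hypothetical store, not PHP's
    # files handler): the lookup then compares a digest the attacker cannot
    # steer without SHA-256 preimages, so a linear directory search gives no
    # character-by-character timing signal on any filesystem (not just htree).
    digest = hashlib.sha256(sid.encode("ascii")).hexdigest()
    return os.path.join(directory, "sess_" + digest)

def session_write(directory, sid, data):
    if not sid_is_valid(sid):
        raise ValueError("invalid session id")
    with open(session_path(directory, sid), "wb") as fh:
        fh.write(data)

def session_read(directory, sid):
    if not sid_is_valid(sid):
        return None  # refused before any disk access
    try:
        with open(session_path(directory, sid), "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None

def roundtrip_demo():
    """Store one session, then probe with the real ID, a one-character near
    miss and an all-NUL ID; returns the three read results."""
    directory = tempfile.mkdtemp()
    good = "0123456789abcdef0123456789abcdef"
    session_write(directory, good, b"user|i:42;")
    return (session_read(directory, good),
            session_read(directory, good[:-1] + "e"),
            session_read(directory, "\x00" * SID_LENGTH))
```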