Observable Timing Discrepancy

Description

Observable Timing Discrepancy occurs when the time it takes for certain operations to complete can be measured and observed by attackers. This vulnerability is particularly concerning when operations involve sensitive information, such as password checks or secret comparisons. If attackers can analyze how long these operations take, they might be able to deduce confidential details, putting your data at risk.

Remediations

  • Do implement algorithms that process sensitive information, such as password checks, to run in constant time. This approach helps in mitigating timing attacks by ensuring that operations take the same amount of time regardless of the input.
  • Do use built-in cryptographic libraries that offer functions safe against timing attacks for comparing secret values. These libraries are designed to prevent timing discrepancies that could leak sensitive information.
  • Do not use direct string comparisons for sensitive information. This method can result in early termination of the comparison function, leading to timing discrepancies based on the first mismatched character.
  • Do not design application logic that alters execution paths in a manner that could introduce observable timing differences, particularly when processing user input or comparing secret values.
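The flagged pattern beside its remediated form, as an added illustration that is not part of the Bearer rule documentation: a plain `==` string comparison versus hashing both values and comparing the digests with `crypto/subtle.ConstantTimeCompare`. The token values are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// tokenMatchesNaive is the pattern the rule flags: Go's string comparison
// stops at the first mismatching byte, so how long it runs depends on how
// many leading bytes of the guess were correct.
func tokenMatchesNaive(presented, stored string) bool {
	return presented == stored
}

// tokenMatchesConstantTime is the remediated form. Both values are hashed
// first so that ConstantTimeCompare always sees equal-length inputs (it
// returns 0 immediately on a length mismatch, which would itself be an
// observable difference), then every byte of the two digests is examined
// regardless of where a mismatch occurs.
func tokenMatchesConstantTime(presented, stored string) bool {
	p := sha256.Sum256([]byte(presented))
	s := sha256.Sum256([]byte(stored))
	return subtle.ConstantTimeCompare(p[:], s[:]) == 1
}

func main() {
	// Constructed sample values; in a real service `stored` would come from
	// configuration or a secret store rather than being hard-coded.
	const stored = "example-api-token-constructed-for-demo"
	for _, guess := range []string{stored, "example-api-token-wrong", "x"} {
		fmt.Printf("%-42q naive=%-5v constant-time=%v\n",
			guess, tokenMatchesNaive(guess, stored), tokenMatchesConstantTime(guess, stored))
	}
}
```

Both functions return the same boolean for every input; the difference the rule cares about is only in how long the naive one takes to reach that answer.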

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_observable_timing

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_observable_timing