Observable Timing Discrepancy

Description

Observable Timing Discrepancy refers to vulnerabilities arising from attackers being able to observe differences in the time it takes to perform certain operations. These discrepancies can lead to the exposure of sensitive information, as attackers can use timing analysis to infer secrets based on the execution time of algorithms, particularly during comparisons of user input against secret values.

Remediations

Implement Constant Time Algorithms

Ensure algorithms that process sensitive information, such as password comparisons, execute in constant time to prevent timing attacks.

Use Built-in Security Features

Leverage built-in cryptographic libraries that include timing-attack safe functions for comparing secrets.

Minimize Client-Side Checks

Avoid sensitive comparisons directly in client-side JavaScript where possible, as the execution environment is more exposed to timing analysis by attackers.

Avoid Direct Comparisons

Do not use direct string comparisons for sensitive information that can lead to early function termination based on the first incorrect character.

Do Not Rely on Execution Time for Logic

Ensure the application's logic does not change execution paths in a way that could introduce observable timing differences based on user input or secret values.

Resources

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_observable_timing

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_observable_timing