Observable Timing Discrepancy

• Rule ID: java_lang_observable_timing
• Languages: java
• Source: observable_timing.yml

Description

Observable Timing Discrepancy occurs when the time it takes for certain operations to complete can be measured and observed by attackers. This vulnerability is particularly concerning when operations involve sensitive information, such as password checks or secret comparisons. If attackers can analyze how long these operations take, they might be able to deduce confidential details, putting your data at risk.

Remediations

• Do implement algorithms that process sensitive information in constant time. This approach helps prevent attackers from guessing secrets based on the duration of operations.
• Do use built-in security features and cryptographic libraries that offer functions safe from timing attacks for comparing secret values.
• Do not use direct string comparisons for sensitive information, as this can lead to early termination of the function if a mismatch is found, revealing timing information.

    boolean isAdmin = "admin".equals(username); // unsafe

• Do not design application logic that changes execution paths in a manner that could introduce timing discrepancies based on user input or secret values.

References

• OWASP Guide to Cryptography

Associated CWE

• CWE-208: Observable Timing Discrepancy

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_observable_timing

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_observable_timing