{"id":13845333,"url":"https://github.com/DistriNet/timeless-timing-attacks","last_synced_at":"2025-07-12T02:30:40.075Z","repository":{"id":54800485,"uuid":"271901632","full_name":"DistriNet/timeless-timing-attacks","owner":"DistriNet","description":"A Python implementation that facilitates finding timeless timing attack vulnerabilities.","archived":false,"fork":false,"pushed_at":"2023-10-09T05:21:43.000Z","size":6,"stargazers_count":117,"open_issues_count":3,"forks_count":20,"subscribers_count":10,"default_branch":"master","last_synced_at":"2024-08-05T17:44:19.436Z","etag":null,"topics":["attack","timing","vulnerability-detection"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DistriNet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-06-12T22:35:47.000Z","updated_at":"2024-07-17T09:28:29.000Z","dependencies_parsed_at":"2022-08-14T03:20:11.594Z","dependency_job_id":null,"html_url":"https://github.com/DistriNet/timeless-timing-attacks","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DistriNet%2Ftimeless-timing-attacks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DistriNet%2Ftimeless-timing-attacks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DistriNet%2Ftimeless-timing-attacks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DistriNet%2Ftimeless-timing-attacks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DistriN
et","download_url":"https://codeload.github.com/DistriNet/timeless-timing-attacks/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225784414,"owners_count":17523640,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","timing","vulnerability-detection"],"created_at":"2024-08-04T17:03:20.532Z","updated_at":"2024-11-21T18:31:13.507Z","avatar_url":"https://github.com/DistriNet.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"## h2time\n\n`h2time.py` is a Python implementation that can be used to test HTTP/2 servers for [Timeless Timing Attack](https://tom.vg/papers/timeless-timing-attack_usenix2020.pdf) vulnerabilities.\n\n### Requirements\n\n* Python 3.7.x or higher - tested with Python 3.8.5\n* The [hyper-h2](https://github.com/python-hyper/hyper-h2) Python package (`pip install h2`) - tested with 3.2.0\n* OpenSSL\n\n### Usage\n\nA very basic example is given below; for additional examples, please refer to [examples.py](examples.py).\n\n```python\nfrom h2time import H2Request, H2Time\n\nr1 = H2Request('GET', 'https://tom.vg/?1')\nr2 = H2Request('GET', 'https://tom.vg/?2')\nasync with H2Time(r1, r2) as h2t:\n    results = await h2t.run_attack()\n    print('\\n'.join(map(lambda x: ','.join(map(str, x)), results)))\n```\n\nFirst, two `H2Request` objects are created, which are then passed on to `H2Time`.\nNote that both requests should be to the same server (as this is the basic requirement to perform timeless timing attacks).\nWhen the `run_attack()` method is 
called, the client will start sending request-pairs and will try to ensure that both arrive at the server at the same time (the final bytes of each request should be placed in a single TCP packet).\nOn the first request, additional parameters are added to the URL to offset the difference in the time at which the two requests can start being processed (the number of parameters is defined by the `num_padding_params` parameter - default: 40).\n\n`H2Time` can operate in a sequential mode, where it waits to send the next request-pair until the response for the previous one has been received.\nWhen `sequential` is set to `False`, all request-pairs are sent at once, at an interval of a number of milliseconds defined by the `inter_request_time_ms` parameter.\n\nThe result is a list of tuples with 3 elements: (0) the difference in response time (in nanoseconds) between the second request and the first one, (1) the response status of the first request, (2) the response status of the second request.\n\nIf the difference in response time is negative, this means that the response for the second request was received first.\nTo perform a timeless timing attack, one should only need to take into account whether the result is positive or negative (positive indicates that the first request took less time to process than the second request). 
\n\n### Timing attack best practices\n\nTiming attacks can be quite tricky to exploit, so it's best to follow these best practices:\n\n* Alternate between choosing which request to send first: change between `H2Time(r1, r2)` and `H2Time(r2, r1)` to avoid bias that may be introduced by the first request (support for this in `h2time.py` is planned)\n* The number of request parameters that are needed may be server-dependent, so it's best to first experiment with which values work best (for 2 requests that have the same processing time, the distribution of positive \u0026 negative timing results should be 50/50)\n\n### A word of caution\n\nPlease be aware that this Python implementation may still be a bit rough around the edges.\nAs it will be further developed, it is likely that there will be breaking changes.\nIf you encounter any issue with it, please [file an issue](https://github.com/DistriNet/timeless-timing-attacks/issues/new)!\nFor any other questions, suggestions and remarks, feel free to [contact me](https://twitter.com/tomvangoethem).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDistriNet%2Ftimeless-timing-attacks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDistriNet%2Ftimeless-timing-attacks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDistriNet%2Ftimeless-timing-attacks/lists"}