Stochastic Models for Remote Timing Attacks

Balbo, Gianfranco; Sereno, Matteo
2025-01-01

Abstract

In this paper, we present the first remote timing attack based on formal stochastic models. Our attack uses queuing models from the field of performance evaluation to estimate the service times of different classes of network requests. By using Bayesian statistics, we then identify opportunities for remote timing attacks by answering the following inverse question: what is the probability that a given network request belongs to a target class, given an estimate of its service time? Our experimental evaluation on popular web applications and websites shows that our investigation is not just a theoretical exercise, because our attack outperforms existing empirical approaches in terms of standard performance figures. We believe that the formal foundations put forward in this paper can be successfully applied to the creation of principled remote timing attacks which are more effective because they are better equipped to deal with the complexity of the problem they are trying to solve.
2025
5th Privacy Enhancing Technologies Symposium (PETS 2025)
Washington, USA
14-19 July
PETS 2025 - The 25th Privacy Enhancing Technologies Symposium
Published by De Gruyter - Open
2025
3
545
559
https://petsymposium.org/popets/2025/popets-2025-0112.php
web privacy, queuing theory, remote timing attacks
Bozzolan, Simone; Olliaro, Diletta; Calzavara, Stefano; Marin, Andrea; Balbo, Gianfranco; Sereno, Matteo
Files in this item:
File: popets-2025-0112.pdf
Open access
File type: Publisher's PDF
Size: 1.39 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2318/2081750