Stochastic Models for Remote Timing Attacks
Authors: Simone Bozzolan (Università Ca' Foscari Venezia), Diletta Olliaro (Università Ca' Foscari Venezia), Stefano Calzavara (Università Ca' Foscari Venezia), Andrea Marin (Università Ca' Foscari Venezia), Gianfranco Balbo (Università di Torino), Matteo Sereno (Università di Torino)
Volume: 2025
Issue: 3
Pages: 545–559
DOI: https://doi.org/10.56553/popets-2025-0112
Abstract: In this paper, we present the first remote timing attack based on formal stochastic models. Our attack uses queuing models from the field of performance evaluation to estimate the service times of different classes of network requests. By using Bayesian statistics, we then identify opportunities for remote timing attacks by answering the following inverse question: what is the probability that a given network request belongs to a target class, given an estimate of its service time? Our experimental evaluation on popular web applications and websites shows that our investigation is not just a theoretical exercise, because our attack outperforms existing empirical approaches in terms of standard performance figures. We believe that the formal foundations put forward in this paper can be successfully applied to the creation of principled remote timing attacks which are more effective, because better equipped to deal with the complexity of the problem they are trying to solve.
Keywords: web privacy, queuing theory, remote timing attacks
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
