By Topic

New Side Channels Targeted at Passwords

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

5 Author(s)
Albert Tannous ; Pennsylvania State Univ., University Park, PA ; Jonathan Trostle ; Mohamed Hassan ; Stephen E. McLaughlin
more authors

Side channels are typically viewed as attacks that leak cryptographic keys during cryptographic algorithm processing, by observation of system side effects. In this paper, we present new side channels that leak password information during X Windows keyboard processing of password input. Keylogging is one approach for stealing passwords, but current keylogging techniques require special hardware or privileged processes. However, we have found that the unprivileged operation of modifying the user key mappings for X Windows clients enables a side channel sufficient for unprivileged processes to steal that user's passwords, even enabling the attacker to gain root access via sudo. We successfully tested one version on Linux 2.6; we were able to obtain a high degree of control over the scheduler, and thus we can obtain accurate timing information. A second version (logon detection) works without depending on accurate clocks or cache effects. Thus, in addition to demonstrating new side channels, we show that (a) side channels cannot be eliminated by removing accurate clocks or hardware cache mechanisms (b) side channels are of continued concern for computer security as well as cryptographic processing.

Published in:

Computer Security Applications Conference, 2008. ACSAC 2008. Annual

Date of Conference:

8-12 Dec. 2008