String Comparison Timing Attacks
Strings that have more characters in common take longer to compare. This can result in a timing attack. However, in practice strings are often not compared one byte at a time, and time differences are very small. Therefore, timing attacks are not necessarily possible, even when using strcmp or == to compare strings.
For modern CPUs, glibc has strcmp variants for the AVX2 and EVEX instruction sets that can compare 32 bytes at a time. If systems use memcmp instead of strcmp, e.g. because they store the length of the string instead of relying on a terminating null byte, they are unlikely to be vulnerable to a timing attack. The time differences for individual characters are often below one nanosecond, making it virtually impossible to detect remotely.
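The granularity argument above, as an added example that is not from the original article: it counts the steps of an early-exit comparison instead of measuring time, once byte by byte and once in 32-byte chunks. The names `compare_steps` and `steps_with_prefix` and the 32-byte constructed token are assumptions made for illustration; this is a model, not glibc's implementation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 32 /* constructed token length: one 32-byte vector */

/* Count the steps of an early-exit comparison that examines `chunk` bytes
 * per step. chunk = 1 models a byte-wise loop; chunk = 32 models the
 * 32-byte-wide comparison the text describes. */
size_t compare_steps(const unsigned char *a, const unsigned char *b,
                     size_t n, size_t chunk)
{
    size_t steps = 0;
    if (chunk == 0)
        chunk = 1; /* avoid a loop that never advances */
    for (size_t off = 0; off < n; off += chunk) {
        size_t len = (n - off < chunk) ? n - off : chunk;
        steps++;
        if (memcmp(a + off, b + off, len) != 0)
            break; /* early exit: work depends on where the data differs */
    }
    return steps;
}

/* Fill a constructed secret and a guess that shares its first k bytes. */
static void make_pair(unsigned char *secret, unsigned char *guess, size_t k)
{
    for (size_t i = 0; i < TOKEN_LEN; i++) {
        secret[i] = (unsigned char)('A' + i % 26);
        guess[i] = (i < k) ? secret[i] : (unsigned char)'#';
    }
}

/* Steps taken when the guess matches the first k bytes of the secret. */
size_t steps_with_prefix(size_t k, size_t chunk)
{
    unsigned char secret[TOKEN_LEN], guess[TOKEN_LEN];
    make_pair(secret, guess, k);
    return compare_steps(secret, guess, TOKEN_LEN, chunk);
}

int main(void)
{
    printf("matching bytes  byte-wise steps  32-byte steps\n");
    for (size_t k = 0; k <= TOKEN_LEN; k += 8)
        printf("%14zu  %15zu  %13zu\n", k,
               steps_with_prefix(k, 1), steps_with_prefix(k, TOKEN_LEN));
    return 0;
}
```

In this model the byte-wise step count grows with every matching byte, while the 32-byte count stays at one step for any guess against a 32-byte token. Inputs longer than one chunk would still change the step count once per 32-byte block.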