Better qhelp for timing attacks

Author: artem-smotrakov

java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignature.qhelp

@@ -10,13 +10,7 @@ A successful attack may uncover a valid signature that in turn can result in aut
 </p>
 </overview>
 
-<recommendation>
-<p>
-Use <code>MessageDigest.isEqual()</code> method to check MACs and signatures.
-If this method is used, then the calculation time depends only on the length of input byte arrays,
-and does not depend on the contents of the arrays.
-</p>
-</recommendation>
+<include src="NonConstantTimeCheckRecommendation.inc.qhelp" />
 
 <example>
 <p>
@@ -29,25 +23,8 @@ This method implements a non-constant-time algorithm:
 The next example uses a safe constant-time algorithm for validating a MAC:
 </p>
 <sample src="SafeMacComparison.java" />
-
 </example>
 
-<references>
-<li>
-  Wikipedia:
-  <a href="https://en.wikipedia.org/wiki/Timing_attack">Timing attack</a>.
-</li>
-<li>
-  Coursera:
-  <a href="https://www.coursera.org/lecture/crypto/timing-attacks-on-mac-verification-FHGW1">Timing attacks on MAC verification</a>
-</li>
-<li>
-  NCC Group:
-  <a href="https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/TimeTrial.pdf">Time Trial: Racing Towards Practical Remote Timing Attacks</a>
-</li>
-<li>
-  Java API Specification:
-  <a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte[],byte[])">MessageDigest.isEqual() method</a>
-</li>
-</references>
+<include src="NonConstantTimeCheckReferences.inc.qhelp" />
+
 </qhelp>

java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignature.ql

@@ -1,9 +1,9 @@
 /**
  * @name Using a non-constant-time algorithm for checking a signature
- * @description When checking a signature, a constant-time algorithm should be used.
- *              Otherwise, an attacker may be able to implement a timing attack.
- *              A successful attack may uncover a valid signature
- *              that in turn can result in authentication bypass.
+ * @description When checking a signature over a message, a constant-time algorithm should be used.
+ *              Otherwise, there is a risk of a timing attack that allows an attacker
+ *              to forge a valid signature for an arbitrary message. For a successful attack,
+ *              the attacker has to be able to send to the validation procedure both the message and the signature.
  * @kind path-problem
  * @problem.severity warning
  * @precision medium

java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll

@@ -292,7 +292,7 @@ class NonConstantTimeComparisonSink extends DataFlow::Node {
 
   NonConstantTimeComparisonSink() {
     (
-      isNonConstantEqualsCall(this.asExpr(), anotherParameter)
+      isNonConstantTimeEqualsCall(this.asExpr(), anotherParameter)
       or
       isNonConstantTimeComparisonCall(this.asExpr(), anotherParameter)
       or

java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckRecommendation.inc.qhelp

@@ -0,0 +1,10 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<recommendation>
+<p>
+Use <code>MessageDigest.isEqual()</code> method to check MACs and signatures.
+If this method is used, then the calculation time depends only on the length of input byte arrays,
+and does not depend on the contents of the arrays.
+</p>
+</recommendation>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckReferences.inc.qhelp

@@ -0,0 +1,21 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<references>
+<li>
+  Wikipedia:
+  <a href="https://en.wikipedia.org/wiki/Timing_attack">Timing attack</a>.
+</li>
+<li>
+  Coursera:
+  <a href="https://www.coursera.org/lecture/crypto/timing-attacks-on-mac-verification-FHGW1">Timing attacks on MAC verification</a>
+</li>
+<li>
+  NCC Group:
+  <a href="https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/TimeTrial.pdf">Time Trial: Racing Towards Practical Remote Timing Attacks</a>
+</li>
+<li>
+  Java API Specification:
+  <a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte[],byte[])">MessageDigest.isEqual() method</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.qhelp

@@ -5,23 +5,17 @@
 <p>
 A constant-time algorithm should be used for checking a MAC or a digital signature.
 In other words, the comparison time should not depend on the content of the input. 
-Otherwise, an attacker may be able to implement a timing attack if they control inputs
-for the cryptographic operation and the checking prodedure.
-A successful attack may uncover a valid signature that in turn can result in authentication bypass.
+Otherwise, an attacker may be able to forge a valid signature for an arbitrary message
+by running a timing attack if they can send to the validation procedure
+both the message and the signature. A successful attack can result in authentication bypass.
 </p>
 </overview>
 
-<recommendation>
-<p>
-Use <code>MessageDigest.isEqual()</code> method to check MACs and signatures.
-If this method is used, then the calculation time depends only on the length of input byte arrays,
-and does not depend on the contents of the arrays.
-</p>
-</recommendation>
+<include src="NonConstantTimeCheckRecommendation.inc.qhelp" />
 
 <example>
 <p>
-The following example uses <code>Arrays.equals()</code> method for validating a MAC over a messgae.
+The following example uses <code>Arrays.equals()</code> method for validating a MAC over a message.
 This method implements a non-constant-time algorithm.
 Both the message and the signature come from an untrusted HTTP request:
 </p>
@@ -31,25 +25,7 @@ Both the message and the signature come from an untrusted HTTP request:
 The next example uses a safe constant-time algorithm for validating a MAC:
 </p>
 <sample src="SafeMacComparisonWithRemoteInputs.java" />
-
 </example>
 
-<references>
-<li>
-  Wikipedia:
-  <a href="https://en.wikipedia.org/wiki/Timing_attack">Timing attack</a>.
-</li>
-<li>
-  Coursera:
-  <a href="https://www.coursera.org/lecture/crypto/timing-attacks-on-mac-verification-FHGW1">Timing attacks on MAC verification</a>
-</li>
-<li>
-  NCC Group:
-  <a href="https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/TimeTrial.pdf">Time Trial: Racing Towards Practical Remote Timing Attacks</a>
-</li>
-<li>
-  Java API Specification:
-  <a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte[],byte[])">MessageDigest.isEqual() method</a>
-</li>
-</references>
+<include src="NonConstantTimeCheckReferences.inc.qhelp" />
 </qhelp>

java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql

@@ -1,10 +1,10 @@
 /**
  * @name Timing attack against signature validation
- * @description When checking a signature, a constant-time algorithm should be used.
- *              Otherwise, an attacker may be able to implement a timing attack
- *              if they control inputs for the cryptographic operation and the checking procedure.
- *              A successful attack may uncover a valid signature
- *              that in turn can result in authentication bypass.
+ * @description When checking a signature over a message, a constant-time algorithm should be used.
+ *              Otherwise, an attacker may be able to forge a valid signature for an arbitrary message
+ *              by running a timing attack if they can send to the validation procedure
+ *              both the message and the signature.
+ *              A successful attack can result in authentication bypass.
  * @kind path-problem
  * @problem.severity error
  * @precision high