SideChannel

Description

Solution

1. Step 1Confirm the timing leak
   Running `echo "11111111" | time ./pin_checker` and then tweaking one digit shows the runtime grows whenever the prefix is correct. That leak lets us learn each digit sequentially.
   Learn more

   A timing side-channel attack exploits the fact that a program takes measurably different amounts of time depending on secret data. In this case, the PIN checker validates digits left-to-right and exits early on the first mismatch - so a PIN with 3 correct leading digits takes longer than one with 0 correct digits.

   This is the same class of vulnerability that affects naive string comparison in authentication code. Languages like Python return from == as soon as a character mismatches, which leaks information about how far into the string the comparison succeeded. Secure implementations use constant-time comparison - they always check every byte regardless of where a mismatch occurs, so timing reveals nothing.

   In Python, hmac.compare_digest(a, b) provides constant-time string comparison. In C, memcmp is not constant-time; security libraries provide safe alternatives like CRYPTO_memcmp (OpenSSL) or timingsafe_bcmp (BSD libc).

2. Step 2Automate the measurement
   Use pwntools (or direct `subprocess`) to spawn the checker, send a candidate PIN, and measure the elapsed time with `time.perf_counter()`. For each position 0-7, test digits 0-9 and keep whichever produced the longest runtime, then lock it in before moving to the next index.
   Learn more

   pwntools is a Python library designed for CTF challenges and exploit development. Its process() and remote() classes make it easy to spawn local processes or connect to remote services, send inputs, and read responses. Combined with time.perf_counter()for high-resolution timing, it's the standard toolkit for timing attacks.

   The brute-force strategy here works digit by digit: fix the known-correct prefix, try all 10 digits for the next position, and pick the one that takes longest. This reduces the search space from 10^8 (100 million) combinations to just 10 × 8 = 80 measurements - a massive speedup that makes the attack practical in seconds.

   Real-world timing attacks require careful statistics to handle noise. Network latency introduces variance, so attackers typically repeat each measurement hundreds of times and take the median or minimum. Tools like tlsfuzzer implement statistical timing analysis for remote attacks against TLS implementations, where differences as small as nanoseconds can be detected over a network.

3. Step 3Redeem the PIN
   After the script prints the full PIN, connect to `nc saturn.picoctf.net 53639`, enter the recovered code when prompted, and the service responds with the flag.
   Learn more

   netcat (nc) is a versatile networking tool that opens raw TCP or UDP connections. It's described as the "TCP/IP Swiss Army knife" - you can use it to connect to any open port and send/receive arbitrary data. For CTF challenges, it's the standard way to interact with remote challenge servers that expose a text-based interface.

   Timing side channels have been exploited against major real-world systems: early TLS implementations leaked RSA key bits through timing differences during decryption (Bleichenbacher's attack), and CPU branch prediction has been abused in the Spectre and Meltdown vulnerabilities to leak memory across security boundaries using cache timing.

   The defense against this class of attack is comprehensive: constant-time algorithms, adding random delays (jitter), and rate-limiting repeated authentication attempts. Modern security standards like FIPS 140-3 require constant-time implementations for cryptographic operations precisely because timing leaks can undermine otherwise mathematically sound algorithms.

Flag

picoCTF{t1m1ng_4tt4ck_914c...}

Timing side channels are powerful-even without reading the binary, runtime differences disclosed the entire secret.