> We have shown that, even though the Internet induces significant timing jitter, we can reliably distinguish remote timing differences as low as 20µs.
Server CPU = 2GHz, 2 instructions per cycle, time for instruction=1/4 ns. Does comparing a byte in a Java array really require 80,000 instructions? How does this work?
It's tens of nanoseconds per byte in JDK6; multiple orders of magnitude slower than C memcmp, because Java implements the compare in Java, not just as a wrapper around C.
It's exploitable "on LAN, but not over the Internet", which is deceptive because "on LAN" also means "anywhere from within the same hosting center"; attackers can get on the "same LAN" as most servers for tens of dollars.
Additionally Sidechannel timing attacks against EC2 instances have been very successful. The attackers have been able to get very close to the machines and in some instances on the actual box.
Server CPU = 2GHz, 2 instructions per cycle, time for instruction=1/4 ns. Does comparing a byte in a Java array really require 80,000 instructions? How does this work?