BLOG /
Have you ever wondered what a security probe of a computer sounded like? I’d guess probably not, because on the face of it that doesn’t make a whole lot of sense. But there was a time when I could very clearly discern the sound of a computer being scanned. It sounded like a small mechanical heart beat: Click-click… click-click… click-click…
Prior to 2010, I had a computer under my desk with what at the time
were not unheard-of properties: Its storage was based on a stack of
spinning metal platters (a now-antiquated device known as a “hard
drive”), and it had a publicly routable IPv4 address with an
unfiltered connection to the Internet. Naturally it ran Linux and an
ssh server. As was common in those days, service logging was handled
by a syslog daemon. The syslog daemon would sort log messages based
on various criteria and record them somewhere. In most simple
environments, “somewhere” was simply a
file on local storage.
When writing to a local file, syslog daemons can be optionally
configured to use the
fsync()
system call to ensure that writes are flushed to disk. Practically
speaking, what this meant is that a page of disk-backed memory would
be written to the disk as soon as an event occurred that triggered a
log message. Because of potential performance implications, fsync()
was not typically enabled for most log files. However, due to the
more sensitive nature of authentication logs, it was often enabled for
/var/log/auth.log
.
In the first decade of the 2000’s, there was a fairly unsophisticated worm loose on the Internet that would probe sshd with some common username/password combinations. The worm would pause for a second or so between login attempts, most likely in an effort to avoid automated security responses. The effect was that a system being probed by this worm would generate disk write every second, with a very distinct audible signature from the hard drive.
I think this situation is a fun demonstration of a side-channel data leak. It’s primitive and doesn’t leak very much information, but it was certainly enough to make some inference about the state of the system in question. Of course, side-channel leakage issues have been a concern for ages, but I like this one for its simplicity. It was something that could be explained and demonstrated easily, even to somebody with relatively limited understanding of “how computers work”, unlike, for instance measuring electromagnetic emanations from CPU power management units.
For a different take on the sounds of a computing infrastructure, Peep (The Network Auralizer) won an award at a USENIX conference long, long ago. I’d love to see a modern deployment of such a system. I’m sure you could build something for your cloud deployment using something like AWS EventBridge or Amazon SQS fairly easily.
For more on research into actual real-world side-channel attacks, you can read A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks and Defenses in Cryptography or A Survey of Electromagnetic Side-Channel Attacks and Discussion on their Case-Progressing Potential for Digital Forensics.