Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.
CWE-385 Base Incompleto
Covert Timing Channel
A covert timing channel is a security flaw where an attacker can deduce secret information by observing how long certain operations take to execute. Instead of directly reading data, they analyze…
Definición
What is CWE-385?
A covert timing channel is a security flaw where an attacker can deduce secret information by observing how long certain operations take to execute. Instead of directly reading data, they analyze timing variations in system behavior to infer protected details.
Attackers can exploit timing differences to learn secrets they shouldn't have access to. For instance, if a cryptographic function or a database query takes slightly longer under specific conditions, that delay can leak information about the internal state of the operation or the data being processed. Monitoring these subtle time variations allows an attacker to piece together sensitive information.
This type of vulnerability is a classic example of a side-channel attack, specifically a timing channel. Common real-world signals include variations in a system's paging rate, the execution time of a transaction, or the delay in accessing a shared resource. Defending against these attacks requires ensuring that operations complete in constant time, regardless of the input or secret data involved.
Impacto en el mundo real
Real-world CVEs caused by CWE-385
Todavía no hay CVEs públicos enlazados a esta CWE en el catálogo de MITRE.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
- 2
When the attacker tries their own values, they can first try strings of various length. When they find a string of the right length, the computation will take a bit longer, because the for loop will run at least once. Additionally, with this code, the attacker can possibly learn one character of the password at a time, because when they guess the first character right, the computation will take longer than a wrong guesses. Such an attack can break even the most sophisticated password with a few hundred guesses.
- 3
Note that in this example, the actual password must be handled in constant time as far as the attacker is concerned, even if the actual password is of an unusual length. This is one reason why it is good to use an algorithm that, among other things, stores a seeded cryptographic one-way hash of the password, then compare the hashes, which will always be of the same length.
Ejemplo de código vulnerable
Vulnerable Python
When the attacker tries their own values, they can first try strings of various length. When they find a string of the right length, the computation will take a bit longer, because the for loop will run at least once. Additionally, with this code, the attacker can possibly learn one character of the password at a time, because when they guess the first character right, the computation will take longer than a wrong guesses. Such an attack can break even the most sophisticated password with a few hundred guesses.
def validate_password(actual_pw, typed_pw):
if len(actual_pw) <> len(typed_pw):
return 0
for i in len(actual_pw):
if actual_pw[i] <> typed_pw[i]:
return 0
return 1 Ejemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-385
- Architecture and Design Whenever possible, specify implementation strategies that do not introduce time variances in operations.
- Implementation Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker.
- Implementation It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application.
Señales de detección
How to detect CWE-385
Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.
Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.
Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.
Plexicus detecta automáticamente CWE-385 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-385?
¿Qué gravedad tiene CWE-385?
¿Qué lenguajes o plataformas se ven afectados por CWE-385?
¿Cómo puedo prevenir CWE-385?
¿Cómo detecta y corrige Plexicus CWE-385?
¿Dónde puedo aprender más sobre CWE-385?
Frequently asked questions
¿Qué es CWE-385?
A covert timing channel is a security flaw where an attacker can deduce secret information by observing how long certain operations take to execute. Instead of directly reading data, they analyze timing variations in system behavior to infer protected details.
¿Qué gravedad tiene CWE-385?
MITRE califica la probabilidad de explotación como Media — la explotación es realista pero suele requerir condiciones específicas.
¿Qué lenguajes o plataformas se ven afectados por CWE-385?
MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.
¿Cómo puedo prevenir CWE-385?
Whenever possible, specify implementation strategies that do not introduce time variances in operations. Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker.
¿Cómo detecta y corrige Plexicus CWE-385?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-385 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-385?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/385.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-385
CWE-514 Padre
Covert Channel
A covert channel is a hidden communication path that allows data to be transmitted in a way that bypasses the system's intended security…
CWE-515 Hermano
Covert Storage Channel
A covert storage channel is a type of security flaw where one process secretly encodes data into a shared system resource (like a file,…
Recursos
Further reading
- MITRE — CWE-385 oficial https://cwe.mitre.org/data/definitions/385.html
- The CLASP Application Security Process https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
- A Taxonomy of Computer Program Security Flaws, with Examples https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.