Much has been written about timing attacks since they first appeared over 15 years ago. However, many developers still believe that they are only theoretically exploitable and don't make it a priority to fix them.
We have notified vendors who declined to fix timing attacks for this reason. Thus, they won't have any problem with us using their applications as a demo for how to effectively exploit timing attacks, right?
This talk will show how we exploited timing attacks in common frameworks (such as the Java crypto framework). We will provide experimental evidence on what filtering techniques work best for dealing with network and host jitter to decrease attack time.
Finally, we will show the current limits of exploitability and give predictions about whether attackers or defenders will benefit more from future technology advances such as multicore systems and virtualization.