You have things very mixed up.
Let me explain what the RIDL attack against passwd does - by attempting to authenticate with passwd it forces passwd to leak some of its backend file that stores account details into a buffer (LFB) that the RIDL attack can intercept passively but because it can't synchronize with that happening or precisely match the data format it does this over and over slowly piecing the details together by filtering for data that matches a known pattern which would fit with the stored account details. To achieve this it constantly invokes passwd with invalid credentials many many times repeatedly until after about 24 hours it has done it enough times it has all the data to filter out the valid hash from the rest of the noise. The problem here is and omitted from the whitepaper that on a properly configured system repeatedly invoking passwd or the other suggested route via SSH with invalid credentials will quickly get shutdown by systems designed to prevent brute force hacks and RIDL can do nothing to stop that happening - if it could (a) it would already have control over the system (b) synchronization wouldn't be an issue in the first place. While technically you could just wait on 3rd party login attempts which would dodge triggering a lockout you'd have no idea when they happened making the synchronization issue even worse and the rate of normal logins is so low it would take decades rather than 24 hours. The point being to make the proof of concept work requires something that doesn't represent a realworld scenario and more crucially to my point these are factors omitted from the whitepaper that are important to understanding the limits of application to each of these examples and the same is true of all the variants only the passwd one is a bit easier to explain.
And this is why their JavaScript attack for instance was done using just the JS engine core, on the same system against a specially crafted victim process because similarly limitations exist that they've omitted from the whitepaper that stand in the way of a realworld scenario and why they didn't demonstrate it as an intrusion through a real browser against arbitrary privileged information.
So talk of infinite attempts to break the hash is irrelevant here as you simply don't have infinite attempts to get the hash in the first place using the RIDL example they posted in a realworld scenario.
EDIT: That isn't to be dismissive of the fact that some approaches of using RIDL or similar side-channel attacks can be very powerful for an attacker who already has one foot in the door such as could be the case with a server type environment where being able to break out of a VM/VPS would be very useful.
You have things very mixed up.
Let me explain what the RIDL attack against passwd does - by attempting to authenticate with passwd it forces passwd to leak some of its backend file that stores account details into a buffer (LFB) that the RIDL attack can intercept passively but because it can't synchronize with that happening or precisely match the data format it does this over and over slowly piecing the details together by filtering for data that matches a known pattern which would fit with the stored account details. To achieve this it constantly invokes passwd with invalid credentials many many times repeatedly until after about 24 hours it has done it enough times it has all the data to filter out the valid hash from the rest of the noise. The problem here is and omitted from the whitepaper that on a properly configured system repeatedly invoking passwd or the other suggested route via SSH with invalid credentials will quickly get shutdown by systems designed to prevent brute force hacks and RIDL can do nothing to stop that happening - if it could (a) it would already have control over the system (b) synchronization wouldn't be an issue in the first place. While technically you could just wait on 3rd party login attempts which would dodge triggering a lockout you'd have no idea when they happened making the synchronization issue even worse and the rate of normal logins is so low it would take decades rather than 24 hours. The point being to make the proof of concept work requires something that doesn't represent a realworld scenario and more crucially to my point these are factors omitted from the whitepaper that are important to understanding the limits of application to each of these examples and the same is true of all the variants only the passwd one is a bit easier to explain.
And this is why their JavaScript attack for instance was done using just the JS engine core, on the same system against a specially crafted victim process because similarly limitations exist that they've omitted from the whitepaper that stand in the way of a realworld scenario and why they didn't demonstrate it as an intrusion through a real browser against arbitrary privileged information.
So talk of infinite attempts to break the hash is irrelevant here as you simply don't have infinite attempts to get the hash in the first place using the RIDL example they posted in a realworld scenario.
EDIT: That isn't to be dismissive of the fact that some approaches of using RIDL or similar side-channel attacks can be very powerful for an attacker who already has one foot in the door such as could be the case with a server type environment where being able to break out of a VM/VPS would be very useful.
Give your straw man a break, the guy is dying. The RIDL does not steal the password, just the hash. It takes 24 hours as per the video I posted about. The filter part is in the slide I posted above.
You did not read the synchronize section.
The attack shown using EIDL to break security by allowing you to access information that uses the sudo command. When a user.
The video shows the command cat /etc/shadow
reply cat: /etc/shadow: Permission denied
sudo cat /etc/shadow | head -n 1
sudo is superuser so returns the file contents
./hackpasswd root:
runs the attack and steals the information from sudo cat /etc/shadow | head -n 1
sudo (/ˈsuːduː/ or /ˈsuːdoʊ/) is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.
So when he runs the attack without superuser privileges, the attack works and steals the the secret. We leaks the content of the /etc/shadow file by repeatedly trying to authenticate a user with the passwd utility.
A similar attack can leak the /etc/shadow of a cloud co-tenant by repeatedly opening an SSH connection. I avoided it for a reason but that to is proof of concept, i.e RIDL leaking data that should not be leaked. That's all it is meant to be and security does not work the way you seem to think. The fact is with time you can steal anything.
It really has to be said at this point, with security you plug the hole and you don't wonder for a second how people use the hole. Stating well people might not be able to use it, I don't care and I don't think its realistic. So I will troll some random guy, is both asinine and proof you are no security expert.
The meme destroyed in this thread,
The first rule of cyber security: "Be Paranoid"
Paranoia Reigns Among Security Pros
https://www.lastline.com/blog/security-paranoia-reigns-among-security-pros/
Given you did not view the video I posted, you attacked your own straw man.
