Upgrade to Pro — share decks privately, control downloads, hide ads and more …

All in the Timing: Side-Channel Attacks

Philip James
August 25, 2018
Technology
0
48

All in the Timing: Side-Channel Attacks

Here, you’ll learn about a category of security issue known as side channel attacks. You’ll be amused to see how features like automatic data compression, short-circuit execution, and deterministic hashing can be abused to bypass security systems. No security background knowledge is required.

“Never write your own cryptography!” is an oft-heard cry in the computer security space. But why is that? In this talk, we’ll cover some of the ways you can write software using algorithms and approaches that are mathematically perfect, but which, due to implementation artifacts, leave your applications exposed.

We’ll start with the mother of all timing attacks, password forms and non-constant time, to give the audience a foundation on what timing attacks are. From there, we’ll explore real-world attacks in the KeyCzar library, the BREACH attack, and PYTHONHASHSEED. All examples will show python code or pseudocode where appropriate, and will be abased on real-world attacks.

We’ll finish with a discussion of Spectre, a recent class of side channel attack that required patches and reboots across the majority of computers on the web – including the complete reboot of many cloud providers.

Our hope is that the audience will come away with a clearer understanding of this corner of the world of computer security, and will have a better answer to “Why shouldn’t I build my own cryptography software?”

Philip James

August 25, 2018
Tweet

More Decks by Philip James

See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
19
The Elephant and the Serpent (PyLatam 2019)
phildini
0
42
Account Security for the Fashionable App Developer
phildini
1
59
Giving Thanks
phildini
0
39
All in the Timing: Side-Channel Attacks in Python
phildini
0
370
API-Driven Django
phildini
1
320
Type uWSGI; Press Enter; What Happens?
phildini
0
93
Type uWSGI; Press Enter; What Happens?
phildini
1
73
Oops I Committed My Secret Key
phildini
0
370

Other Decks in Technology

See All in Technology
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
390
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
開発パフォーマンスを最大化するための開発体制
ham0215
2
300
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
390
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
220
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
120
Cracking the KubeCon CfP
inductor
2
240
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
0
180
web-application-security
matsuihidetoshi
0
160
JSON攻略法.pdf
miyakemito
8
5k
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
アクセス制御にまつわる改善 / Improving access control
itkq
0
530

Featured

See All Featured
The Mythical Team-Month
searls
216
42k
A better future with KSS
kneath
231
16k
Bash Introduction
62gerente
604
210k
Facilitating Awesome Meetings
lara
42
5.6k
A designer walks into a library…
pauljervisheath
200
23k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
Building Applications with DynamoDB
mza
88
5.6k
Code Reviewing Like a Champion
maltzj
514
39k

Transcript

  1. All in the Timing Philip James @[email protected] PyCon AU 2018

  2. None

  3. •Explain @ming aAacks •Timing aAacks in Python soDware •Side channel

    aAacks in general

  4. https://example.com Username Password Submit

  5. 2,821,109,907,456 combinations = ~89 years p a s s w

    o r d _ _ _ _ _ _ _ _ 36 36 36 36 36 36 36 36

  6. https://example.com Username Password Submit

  7. https://example.com Username Password Submit

  8. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  9. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  10. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  11. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  12. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  13. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  14. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  15. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  16. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  17. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  18. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  19. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  20. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  21. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  22. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  23. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  24. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d

  25. m a s s w o r d p a

    s s 1 2 3 4 p a s s w o r d p a s s w o r d
  26. None

  27. 144 tries

  28. 144 tries 18 + 18 + 18 + 18 +

    18 + 18 + 18 + 18

  29. 144 tries 18 + 18 + 18 + 18 +

    18 + 18 + 18 + 18 = 144ms

  30. 0 1 2 3 4 5 6 7 8 9

    1 2 3 4 5 6

  31. In [1]: password = 'password' In [2]: %timeit 'massword'.encode('utf-8') ==

    password.encode('utf-8') 306 ns ± 3.65 ns per loop (…) In [3]: %timeit 'pass1234'.encode('utf-8') == password.encode('utf-8') 314 ns ± 4.5 ns per loop (…) In [4]: %timeit 'password'.encode('utf-8') == password.encode('utf-8') 325 ns ± 12.8 ns per loop (…) Data-dependent @me

  32. In [1]: from django.utils.crypto import constant_time_compare In [2]: %timeit constant_time_compare('massword',

    'password') 93.5 ms ± 426 µs per loop (...) In [3]: %timeit constant_time_compare('pass1234', 'password') 92.5 ms ± 550 µs per loop (...) In [4]: %timeit constant_time_compare('password', 'password') 93.3 ms ± 479 µs per loop (…) Constant @me

  33. In [1]: from django.utils.crypto import constant_time_compare In [2]: %timeit constant_time_compare('massword',

    'password') 93.5 ms ± 426 µs per loop (...) In [3]: %timeit constant_time_compare('pass1234', 'password') 92.5 ms ± 550 µs per loop (...) In [4]: %timeit constant_time_compare('password', 'password') 93.3 ms ± 479 µs per loop (…) Constant @me O(1)

  34. VERIFICATION GENERATION

  35. HMAC/ KeyCzar

  36. def check(msg, maybe_sig): sig = hmac.Sign(msg) return sig == maybe_sig

  37. def check(msg, maybe_sig): sig = hmac.Sign(msg) return sig == maybe_sig

  38. if len(sig_bytes) != len(mac_bytes): return False result = 0 for

    x, y in zip(mac_bytes, sig_bytes): result |= ord(x) ^ ord(y) return result == 0 https://github.com/google/keyczar/blob/master/python/src/keyczar/keys.py#L582

  39. Timing A(acks Side-Channel A(acks

  40. GZip hAps:/ /www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

  41. Cross site request forgery protec@on

  42. Cross site request forgery protec@on http://example.com Username Password Submit

  43. Cross site request forgery protec@on http://example.com Username Password Submit <input

    type=”hidden” value=”abc123xyz” name=”csrf_token”>

  44. Cross site request forgery protec@on https://example.com Username Password Submit <input

    type=”hidden” value=”abc123xyz” name=”csrf_token”>

  45. Cross site request forgery protec@on https://example.com Username Password Submit 10Kb

    <input type=”hidden” value=”abc123xyz” name=”csrf_token”>

  46. Cross site request forgery protec@on https://example.com Username Password Submit 3Kb

    GZipped! <input type=”hidden” value=”abc123xyz” name=”csrf_token”>

  47. Cross site request forgery protec@on https://example.com 10Kb <input type=”hidden” value=”abc123xyz”

    name=”csrf_token”> </... </... </... </...

  48. Cross site request forgery protec@on https://example.com 3Kb GZipped! <input type=”hidden”

    value=”abc123xyz” name=”csrf_token”> </...

  49. Cross site request forgery protec@on https://example.com <input type=”hidden” value=”abc123xyz” name=”csrf_token”>

    3Kb GZipped! “_________”

  50. Cross site request forgery protec@on https://example.com?q=australia <input type=”hidden” value=”abc123xyz” name=”csrf_token”>

    3Kb GZipped! “_________” You searched for: australia

  51. 0 1 2 3 4 5 6 7 8 9

    1 2 3 4 5 6

  52. Interlude: PYTHONHASHSEED

  53. None

  54. /search? q=bananas& page=3& country=us& coupon=yay

  55. /search? q=bananas& page=3& country=us& coupon=yay request.GET = { 'q': 'bananas',

    'page': 3, 'country': 'us', 'coupon': 'yay', }

  56. Lists vs. Dicts

  57. 2s -> 6506s

  58. hash(data) hash(rand, data)

  59. PEP 456 (2012) Secure and interchangeable hash algorithm (SipHash)

  60. None

  61. 0 1 2 … 2^64

  62. 0 1 2 … 2^64

  63. 0 1 2 … 2^64 print(memory[2])

  64. 0 1 2 … 2^64 print(memory[2])

  65. 0 1 2 … 2^64 print(memory[2]) print(memory[2])

  66. 0 1 2 … 2^64 print(memory[2]) print(memory[2])

  67. 0 1 2 10 … 2^64 print(memory[1])

  68. 0 1 2 10 … 2^64 print(memory[1])

  69. data = memory[1] if data % 2 == 0: message

    = memory[10] else: message = memory[11] print message 0 1 2 2^64

  70. data = memory[1] if data % 2 == 0: message

    = memory[10] else: message = memory[11] print message ¯\_(ツ)_/¯ 0 1 2 2^64

  71. data = memory[1] if data % 2 == 0: message

    = memory[10] else: message = memory[11] print message ¯\_(ツ)_/¯ 0 1 2 2^64

  72. •Explain @ming aAacks •Timing aAacks in Python soDware •Side channel

    aAacks in general

  73. •Explain @ming aAacks •Timing aAacks in Python soDware •Side channel

    aAacks in general Thanks! Philip James @[email protected]