Upgrade to Pro — share decks privately, control downloads, hide ads and more …

All in the Timing: Side-Channel Attacks

All in the Timing: Side-Channel Attacks

Here, you’ll learn about a category of security issue known as side channel attacks. You’ll be amused to see how features like automatic data compression, short-circuit execution, and deterministic hashing can be abused to bypass security systems. No security background knowledge is required.

“Never write your own cryptography!” is an oft-heard cry in the computer security space. But why is that? In this talk, we’ll cover some of the ways you can write software using algorithms and approaches that are mathematically perfect, but which, due to implementation artifacts, leave your applications exposed.

We’ll start with the mother of all timing attacks, password forms and non-constant time, to give the audience a foundation on what timing attacks are. From there, we’ll explore real-world attacks in the KeyCzar library, the BREACH attack, and PYTHONHASHSEED. All examples will show python code or pseudocode where appropriate, and will be abased on real-world attacks.

We’ll finish with a discussion of Spectre, a recent class of side channel attack that required patches and reboots across the majority of computers on the web – including the complete reboot of many cloud providers.

Our hope is that the audience will come away with a clearer understanding of this corner of the world of computer security, and will have a better answer to “Why shouldn’t I build my own cryptography software?”

Philip James

August 25, 2018
Tweet

More Decks by Philip James

Other Decks in Technology

Transcript

  1. All in the Timing
    Philip James
    @[email protected]
    PyCon AU 2018

    View full-size slide

  2. •Explain @ming aAacks
    •Timing aAacks in Python soDware
    •Side channel aAacks in general

    View full-size slide

  3. https://example.com
    Username
    Password
    Submit

    View full-size slide

  4. 2,821,109,907,456 combinations

    = ~89 years
    p a s s w o r d
    _ _ _ _ _ _ _ _
    36 36 36 36 36 36 36 36

    View full-size slide

  5. https://example.com
    Username
    Password
    Submit

    View full-size slide

  6. https://example.com
    Username
    Password
    Submit

    View full-size slide

  7. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  8. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  9. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  10. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  11. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  12. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  13. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  14. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  15. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  16. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  17. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  18. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  19. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  20. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  21. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  22. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  23. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  24. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

    View full-size slide

  25. 144 tries
    18 + 18 + 18 + 18 + 18 + 18 + 18 + 18

    View full-size slide

  26. 144 tries
    18 + 18 + 18 + 18 + 18 + 18 + 18 + 18
    = 144ms

    View full-size slide

  27. 0 1 2 3 4 5 6 7 8 9
    1
    2
    3
    4
    5
    6

    View full-size slide

  28. In [1]: password = 'password'
    In [2]: %timeit 'massword'.encode('utf-8') == password.encode('utf-8')
    306 ns ± 3.65 ns per loop (…)
    In [3]: %timeit 'pass1234'.encode('utf-8') == password.encode('utf-8')
    314 ns ± 4.5 ns per loop (…)
    In [4]: %timeit 'password'.encode('utf-8') == password.encode('utf-8')
    325 ns ± 12.8 ns per loop (…)
    Data-dependent @me

    View full-size slide

  29. In [1]: from django.utils.crypto import constant_time_compare
    In [2]: %timeit constant_time_compare('massword', 'password')
    93.5 ms ± 426 µs per loop (...)
    In [3]: %timeit constant_time_compare('pass1234', 'password')
    92.5 ms ± 550 µs per loop (...)
    In [4]: %timeit constant_time_compare('password', 'password')
    93.3 ms ± 479 µs per loop (…)
    Constant @me

    View full-size slide

  30. In [1]: from django.utils.crypto import constant_time_compare
    In [2]: %timeit constant_time_compare('massword', 'password')
    93.5 ms ± 426 µs per loop (...)
    In [3]: %timeit constant_time_compare('pass1234', 'password')
    92.5 ms ± 550 µs per loop (...)
    In [4]: %timeit constant_time_compare('password', 'password')
    93.3 ms ± 479 µs per loop (…)
    Constant @me
    O(1)

    View full-size slide

  31. VERIFICATION GENERATION

    View full-size slide

  32. HMAC/ KeyCzar

    View full-size slide

  33. def check(msg, maybe_sig):
    sig = hmac.Sign(msg)
    return sig == maybe_sig

    View full-size slide

  34. def check(msg, maybe_sig):
    sig = hmac.Sign(msg)
    return sig == maybe_sig

    View full-size slide

  35. if len(sig_bytes) != len(mac_bytes):
    return False
    result = 0
    for x, y in zip(mac_bytes, sig_bytes):
    result |= ord(x) ^ ord(y)
    return result == 0
    https://github.com/google/keyczar/blob/master/python/src/keyczar/keys.py#L582

    View full-size slide

  36. Timing A(acks
    Side-Channel
    A(acks

    View full-size slide

  37. GZip
    hAps:/
    /www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

    View full-size slide

  38. Cross site request forgery
    protec@on

    View full-size slide

  39. Cross site request forgery
    protec@on
    http://example.com
    Username
    Password
    Submit

    View full-size slide

  40. Cross site request forgery
    protec@on
    http://example.com
    Username
    Password
    Submit

    View full-size slide

  41. Cross site request forgery
    protec@on
    https://example.com
    Username
    Password
    Submit

    View full-size slide

  42. Cross site request forgery
    protec@on
    https://example.com
    Username
    Password
    Submit
    10Kb

    View full-size slide

  43. Cross site request forgery
    protec@on
    https://example.com
    Username
    Password
    Submit
    3Kb
    GZipped!

    View full-size slide

  44. Cross site request forgery
    protec@on
    https://example.com
    10Kb




    View full-size slide

  45. Cross site request forgery
    protec@on
    https://example.com
    3Kb
    GZipped!

    View full-size slide

  46. Cross site request forgery
    protec@on
    https://example.com

    3Kb
    GZipped!
    “_________”

    View full-size slide

  47. Cross site request forgery
    protec@on
    https://example.com?q=australia

    3Kb
    GZipped!
    “_________”
    You searched for: australia

    View full-size slide

  48. 0 1 2 3 4 5 6 7 8 9
    1
    2
    3
    4
    5
    6

    View full-size slide

  49. Interlude:
    PYTHONHASHSEED

    View full-size slide

  50. /search?
    q=bananas&
    page=3&
    country=us&
    coupon=yay

    View full-size slide

  51. /search?
    q=bananas&
    page=3&
    country=us&
    coupon=yay
    request.GET = {
    'q': 'bananas',
    'page': 3,
    'country': 'us',
    'coupon': 'yay',
    }

    View full-size slide

  52. Lists vs. Dicts

    View full-size slide

  53. hash(data)
    hash(rand, data)

    View full-size slide

  54. PEP 456 (2012)
    Secure and interchangeable
    hash algorithm (SipHash)

    View full-size slide

  55. 0 1 2 … 2^64

    View full-size slide

  56. 0 1 2 … 2^64

    View full-size slide

  57. 0 1 2 … 2^64
    print(memory[2])

    View full-size slide

  58. 0 1 2 … 2^64
    print(memory[2])

    View full-size slide

  59. 0 1 2 … 2^64
    print(memory[2])
    print(memory[2])

    View full-size slide

  60. 0 1 2 … 2^64
    print(memory[2])
    print(memory[2])

    View full-size slide

  61. 0 1 2 10 … 2^64
    print(memory[1])

    View full-size slide

  62. 0 1 2 10 … 2^64
    print(memory[1])

    View full-size slide

  63. data = memory[1]
    if data % 2 == 0:
    message = memory[10]
    else:
    message = memory[11]
    print message
    0 1 2 2^64

    View full-size slide

  64. data = memory[1]
    if data % 2 == 0:
    message = memory[10]
    else:
    message = memory[11]
    print message
    ¯\_(ツ)_/¯
    0 1 2 2^64

    View full-size slide

  65. data = memory[1]
    if data % 2 == 0:
    message = memory[10]
    else:
    message = memory[11]
    print message
    ¯\_(ツ)_/¯
    0 1 2 2^64

    View full-size slide

  66. •Explain @ming aAacks
    •Timing aAacks in Python soDware
    •Side channel aAacks in general

    View full-size slide

  67. •Explain @ming aAacks
    •Timing aAacks in Python soDware
    •Side channel aAacks in general
    Thanks!
    Philip James
    @[email protected]

    View full-size slide