All in the Timing: Side-Channel Attacks in Python

Talk given at PyCon 2018

Philip James

May 11, 2018
Transcript

  1. All in the Timing
    Asheesh Laroia & Philip James
    PyCon 2018

  2. •Explain timing attacks
    •Timing attacks in Python software
    •Side channel attacks in general

  3. https://example.com
    Username
    Password
    Submit

  4. 2,821,109,907,456 combinations

    = ~89 years
    p a s s w o r d
    _ _ _ _ _ _ _ _
    36 36 36 36 36 36 36 36

  5. https://example.com
    Username
    Password
    Submit

  6. m a s s w o r d
    p a s s 1 2 3 4
    p a s s w o r d
    p a s s w o r d

  9. 144 tries

    18 + 18 + 18 + 18 + 18 + 18 + 18 + 18   (on average half of the 36 symbols per position, one position at a time)

    = 144ms

  10. 0 1 2 3 4 5 6 7 8 9
    1
    2
    3
    4
    5
    6

  11. In [1]: password = 'password'
    In [2]: %timeit 'massword'.encode('utf-8') == password.encode('utf-8')
    306 ns ± 3.65 ns per loop (…)
    In [3]: %timeit 'pass1234'.encode('utf-8') == password.encode('utf-8')
    314 ns ± 4.5 ns per loop (…)
    In [4]: %timeit 'password'.encode('utf-8') == password.encode('utf-8')
    325 ns ± 12.8 ns per loop (…)
    Data-dependent time

  12. In [1]: from django.utils.crypto import constant_time_compare
    In [2]: %timeit constant_time_compare('massword', 'password')
    93.5 ms ± 426 µs per loop (...)
    In [3]: %timeit constant_time_compare('pass1234', 'password')
    92.5 ms ± 550 µs per loop (...)
    In [4]: %timeit constant_time_compare('password', 'password')
    93.3 ms ± 479 µs per loop (…)
    Constant time

  13. VERIFICATION GENERATION

  14. HMAC / Keyczar

  15. def check(msg, maybe_sig):
        sig = hmac.Sign(msg)        # Keyczar-style signing of the message
        return sig == maybe_sig     # plain == exits at the first mismatching byte: timing leak

  17. if len(sig_bytes) != len(mac_bytes):
        return False
    result = 0
    for x, y in zip(mac_bytes, sig_bytes):
        result |= ord(x) ^ ord(y)   # OR together every byte's XOR: always walks the full length
    return result == 0
    https://github.com/google/keyczar/blob/master/python/src/keyczar/keys.py#L582

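The following is an added example, not code from the talk or from Keyczar, that simulates the attack sketched on slides 4 to 12 and the fix on slide 17. A login endpoint is modelled as a fixed cost per byte the comparison examined plus Gaussian noise (a constructed model; the per-byte cost, the noise level and the secret `p4ssw0rd` are assumptions). The attacker recovers the secret one position at a time from the median of repeated measurements, and the same attacker fails against the XOR-and-OR comparison from slide 17. In production use `hmac.compare_digest`, which current Django's `constant_time_compare` delegates to, rather than a hand-rolled loop.

```python
import random
import statistics
import string

# The 36 symbols per position from slide 4 (lowercase letters and digits).
ALPHABET = (string.ascii_lowercase + string.digits).encode()


def leaky_compare(secret, guess):
    """Early-exit comparison, effectively what == on bytes does (memcmp stops
    at the first difference). Returns (equal, byte positions examined)."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined      # stops at the first mismatching byte
    return True, examined


def constant_time_compare(secret, guess):
    """Keyczar-style comparison from slide 17: XOR every byte pair and OR the
    results together, so the work done never depends on where the first
    mismatch is. The examined count is returned only so the simulation can
    charge for it; in production use hmac.compare_digest."""
    if len(secret) != len(guess):
        return False, 0
    result = 0
    for a, b in zip(secret, guess):
        result |= a ^ b
    return result == 0, len(secret)


class TimingOracle:
    """Constructed model of a login endpoint: the response costs a fixed time
    per byte the comparison examined, plus Gaussian noise, in nanoseconds.
    Byte cost, noise level and seed are assumptions, not measured values."""

    def __init__(self, secret, compare, byte_cost_ns=10.0, noise_ns=10.0, seed=1):
        self.secret = secret
        self.compare = compare
        self.byte_cost_ns = byte_cost_ns
        self.noise_ns = noise_ns
        self.rng = random.Random(seed)
        self.queries = 0

    def query(self, guess):
        """Return (login succeeded, observed response time in ns)."""
        self.queries += 1
        ok, examined = self.compare(self.secret, guess)
        return ok, examined * self.byte_cost_ns + self.rng.gauss(0.0, self.noise_ns)


def recover_secret(oracle, length, samples=100):
    """Recover a `length`-byte secret one position at a time.

    Every symbol is tried `samples` times per position and its median response
    time kept; the symbol that makes the server examine one more byte has the
    highest median. A guess that logs in is returned at once, which settles
    the final position (there every candidate makes the server examine all
    bytes, so timing alone cannot tell them apart)."""
    known = b""
    for pos in range(length):
        best, best_median = None, float("-inf")
        filler = b"\x00" * (length - pos - 1)   # never matches an ALPHABET byte
        for c in ALPHABET:
            guess = known + bytes([c]) + filler
            times = []
            for _ in range(samples):
                ok, t = oracle.query(guess)
                if ok:
                    return guess
                times.append(t)
            median = statistics.median(times)
            if median > best_median:
                best, best_median = c, median
        known += bytes([best])
    return known


if __name__ == "__main__":
    secret = b"p4ssw0rd"
    leaky = TimingOracle(secret, leaky_compare)
    print("leaky compare: ", recover_secret(leaky, len(secret)), "after", leaky.queries, "queries")
    fixed = TimingOracle(secret, constant_time_compare)
    print("constant time: ", recover_secret(fixed, len(secret)), "after", fixed.queries, "queries")
```

The median rather than the mean is used because real network timings have a long right tail; with the constant-time oracle every candidate at a position has the same distribution, so the winner is decided by noise and the recovered string is wrong.
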
  18. Timing Attacks
    Side-Channel Attacks

  19. GZip
    https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

  20. Cross site request forgery
    protection

  21. Cross site request forgery
    protection
    http://example.com
    Username
    Password
    Submit

  23. Cross site request forgery
    protection
    https://example.com
    Username
    Password
    Submit

  24. Cross site request forgery
    protection
    https://example.com
    Username
    Password
    Submit
    10Kb

  25. Cross site request forgery
    protection
    https://example.com
    Username
    Password
    Submit
    3Kb
    GZipped!

  26. Cross site request forgery
    protection
    https://example.com
    10Kb




  27. Cross site request forgery
    protection
    https://example.com
    3Kb
    GZipped!

  28. Cross site request forgery
    protection
    https://example.com

    3Kb
    GZipped!
    “_________”

  29. Cross site request forgery
    protection
    https://example.com?q=cleveland

    3Kb
    GZipped!
    “_________”
    You searched for: cleveland

  30. 0 1 2 3 4 5 6 7 8 9
    1
    2
    3
    4
    5
    6

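As an added example, not from the talk or from Django, here is the compression side channel of slides 19 to 30 in code: a constructed page that carries a CSRF token in a hidden field and reflects the search query, with `len(zlib.compress(...))` standing in for the Content-Length the attacker reads off the wire (gzip is the same DEFLATE stream inside a fixed-size wrapper). The token, the field name, the page layout and the padding characters are assumptions. The attacker sends the text that precedes the token in the page followed by one guessed character; the guess that extends the LZ77 back-reference compresses away instead of costing a literal, so the response shrinks. Because DEFLATE output is byte-aligned, a difference of a few bits can round to the same byte count, so ties are broken by appending characters that never occur in the page, which shifts the bit alignment.

```python
import zlib

# Constructed page: a hidden CSRF field followed by the user's query reflected
# verbatim, the two ingredients BREACH needs on one compressed response.
PAGE = '<input name="csrf_token" value="{token}">\n<p>You searched for: {query}</p>'
PREFIX = 'csrf_token" value="'       # what precedes the token in PAGE; the attacker knows it
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PAD_CHARS = "!#$%&*+,;?@[]^|~"        # assumed never to appear in PAGE


def make_size_oracle(token):
    """Return size_of(query): the compressed byte length of the page built with
    `token` and `query`, i.e. what Content-Length reveals to an attacker who
    can make the victim's browser request chosen queries."""
    def size_of(query):
        body = PAGE.format(token=token, query=query).encode()
        return len(zlib.compress(body, 9))   # gzip adds only a fixed-size wrapper
    return size_of


def recover_token(size_of, prefix, alphabet, length, max_pads=8):
    """Recover `length` token characters using nothing but the size oracle."""
    known = ""
    for _ in range(length):
        survivors = set(alphabet)
        # A correct guess extends the back-reference to the hidden field by one
        # byte instead of costing a literal, so it can never compress larger
        # than a wrong guess. Keep the smallest candidates and re-measure them
        # with different pads until one remains; each pad shifts the DEFLATE
        # bit alignment so a sub-byte difference eventually shows in the count.
        for n in range(max_pads):
            pad = PAD_CHARS[:n]
            sizes = {c: size_of(prefix + known + c + pad) for c in survivors}
            smallest = min(sizes.values())
            survivors = {c for c, s in sizes.items() if s == smallest}
            if len(survivors) == 1:
                break
        known += min(survivors)       # deterministic choice if still tied
    return known


if __name__ == "__main__":
    token = "3f9a7c1e"                # constructed secret
    size_of = make_size_oracle(token)
    print("size for q=cleveland:", size_of("cleveland"))
    print("recovered token:", recover_token(size_of, PREFIX, ALPHABET, len(token)))
```

Each position costs at most 36 × 8 requests, so the whole token falls in a few thousand requests, which is why the Django post linked on slide 19 treats gzip of pages containing the CSRF token as a problem rather than a curiosity.
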
  31. Interlude:
    PYTHONHASHSEED

  32. /search?
    q=bananas&
    page=3&
    country=us&
    coupon=yay
    request.GET = {
    'q': 'bananas',
    'page': 3,
    'country': 'us',
    'coupon': 'yay',
    }

  33. Lists vs. Dicts

  34. hash(data)
    hash(rand, data)

  35. PEP 456 (2012)
    Secure and interchangeable
    hash algorithm (SipHash)

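An added example, not from the talk, for the interlude on slides 31 to 35. The first function counts how many key comparisons CPython performs while building a dict: with distinct hashes there are none, while keys that all hash to the same value, which is what an attacker with a predictable hash function can manufacture for the query-string keys of slide 32, cost n(n-1)/2 comparisons. That quadratic blow-up is the denial of service that hash randomization (`hash(rand, data)` on slide 34) and SipHash prevent. The second function spawns a fresh interpreter to show that `hash()` of a string depends on PYTHONHASHSEED. The `Key` class, the integer key values and the string `"bananas"` are constructed for the example.

```python
import os
import subprocess
import sys


class Key:
    """Dict key whose hash is either normal or deliberately constant.
    A constant hash models an attacker's precomputed colliding strings."""
    eq_calls = 0

    def __init__(self, value, collide):
        self.value = value
        self.collide = collide

    def __hash__(self):
        return 0 if self.collide else hash(self.value)

    def __eq__(self, other):
        Key.eq_calls += 1            # every probe that lands on a hash-equal slot ends up here
        return self.value == other.value


def comparisons_to_build(n, collide):
    """Number of __eq__ calls CPython makes while inserting n keys into a dict."""
    Key.eq_calls = 0
    table = {Key(i, collide): i for i in range(n)}
    assert len(table) == n
    return Key.eq_calls


def hash_in_fresh_process(value, seed=None):
    """hash(value) as computed by a new interpreter, optionally pinned with
    PYTHONHASHSEED; with no seed the interpreter picks a random one."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    out = subprocess.run([sys.executable, "-c", f"print(hash({value!r}))"],
                         env=env, capture_output=True, text=True, check=True)
    return int(out.stdout)


if __name__ == "__main__":
    print("distinct hashes: ", comparisons_to_build(2000, collide=False), "comparisons")
    print("colliding hashes:", comparisons_to_build(2000, collide=True), "comparisons")
    print("seed 1, twice:   ", hash_in_fresh_process("bananas", 1), hash_in_fresh_process("bananas", 1))
    print("random seeds:    ", hash_in_fresh_process("bananas"), hash_in_fresh_process("bananas"))
```

Every colliding key follows the same probe sequence through the table, so inserting the k-th key compares it against all k-1 earlier ones; the count is exact and independent of the table size. The subprocess demonstration is what `PYTHONHASHSEED=0` on a production box undoes: it makes `hash()` reproducible, and therefore makes the colliding inputs computable again.
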
  36. 0 1 2 … 2^64

  38. 0 1 2 … 2^64
    print(memory[2])

  39. 0 1 2 … 2^64
    print(memory[2])
    print(memory[2])

  40. 0 1 2 10 … 2^64
    print(memory[1])

  41. data = memory[1]
    if data % 2 == 0:
        message = memory[10]
    else:
        message = memory[11]
    print(message)
    # which address gets read depends on a bit of the secret in memory[1]
    ¯\_(ツ)_/¯
    0 1 2 … 2^64

  42. •Explain timing attacks
    •Timing attacks in Python software
    •Side channel attacks in general
    Thanks!
    Asheesh Laroia
    @asheeshlaroia
    Philip James
    @phildini
