All in the Timing: Side-Channel Attacks in Python

All in the Timing Asheesh Laroia & Philip James PyCon
2018

•Explain >ming a?acks •Timing a?acks in Python soBware •Side channel
a?acks in general

https://example.com Username Password Submit

2,821,109,907,456 combinations = ~89 years p a s s w
o r d _ _ _ _ _ _ _ _ 36 36 36 36 36 36 36 36

https://example.com Username Password Submit

m a s s w o r d p a
s s 1 2 3 4 p a s s w o r d p a s s w o r d

144 tries 18 + 18 + 18 + 18 +
18 + 18 + 18 + 18 = 144ms

0 1 2 3 4 5 6 7 8 9
1 2 3 4 5 6

In [1]: password = 'password' In [2]: %timeit 'massword'.encode('utf-8') ==
password.encode('utf-8') 306 ns ± 3.65 ns per loop (…) In [3]: %timeit 'pass1234'.encode('utf-8') == password.encode('utf-8') 314 ns ± 4.5 ns per loop (…) In [4]: %timeit 'password'.encode('utf-8') == password.encode('utf-8') 325 ns ± 12.8 ns per loop (…) Data-dependent >me

In [1]: from django.utils.crypto import constant_time_compare In [2]: %timeit constant_time_compare('massword',
'password') 93.5 ms ± 426 µs per loop (...) In [3]: %timeit constant_time_compare('pass1234', 'password') 92.5 ms ± 550 µs per loop (...) In [4]: %timeit constant_time_compare('password', 'password') 93.3 ms ± 479 µs per loop (…) Constant >me

VERIFICATION GENERATION

HMAC/ KeyCzar

def check(msg, maybe_sig): sig = hmac.Sign(msg) return sig == maybe_sig

if len(sig_bytes) != len(mac_bytes): return False result = 0 for
x, y in zip(mac_bytes, sig_bytes): result |= ord(x) ^ ord(y) return result == 0 https://github.com/google/keyczar/blob/master/python/src/keyczar/keys.py#L582

Timing A2acks Side-Channel A2acks

GZip h?ps:/ /www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

Cross site request forgery protec>on

Cross site request forgery protec>on http://example.com Username Password Submit

Cross site request forgery protec>on http://example.com Username Password Submit <input
type=”hidden” value=”abc123xyz” name=”csrf_token”>

Cross site request forgery protec>on https://example.com Username Password Submit <input
type=”hidden” value=”abc123xyz” name=”csrf_token”>

Cross site request forgery protec>on https://example.com Username Password Submit 10Kb
<input type=”hidden” value=”abc123xyz” name=”csrf_token”>

Cross site request forgery protec>on https://example.com Username Password Submit 3Kb
GZipped! <input type=”hidden” value=”abc123xyz” name=”csrf_token”>

Cross site request forgery protec>on https://example.com 10Kb <input type=”hidden” value=”abc123xyz”
name=”csrf_token”> </... </... </... </...

Cross site request forgery protec>on https://example.com 3Kb GZipped! <input type=”hidden”
value=”abc123xyz” name=”csrf_token”> </...

Cross site request forgery protec>on https://example.com <input type=”hidden” value=”abc123xyz” name=”csrf_token”>
3Kb GZipped! “_________”

Cross site request forgery protec>on https://example.com?q=cleveland <input type=”hidden” value=”abc123xyz” name=”csrf_token”>
3Kb GZipped! “_________” You searched for: cleveland

0 1 2 3 4 5 6 7 8 9
1 2 3 4 5 6

Interlude: PYTHONHASHSEED

/search? q=bananas& page=3& country=us& coupon=yay request.GET = { 'q': 'bananas',
'page': 3, 'country': 'us', 'coupon': 'yay', }

Lists vs. Dicts

2s -> 6506s

hash(data) hash(rand, data)

PEP 456 (2012) Secure and interchangeable hash algorithm (SipHash)

0 1 2 … 2^64

0 1 2 … 2^64 print(memory[2])

0 1 2 … 2^64 print(memory[2]) print(memory[2])

0 1 2 10 … 2^64 print(memory[1])

data = memory[1] if data % 2 == 0: message
= memory[10] else: message = memory[11] print message ¯\_(ツ)_/¯ 0 1 2 2^64

•Explain >ming a?acks •Timing a?acks in Python soBware •Side channel
a?acks in general Thanks! Asheesh Laroia @asheeshlaroia Philip James @phildini

All in the Timing: Side-Channel Attacks in Python

All in the Timing: Side-Channel Attacks in Python

More Decks by Philip James

Other Decks in Programming

Featured

Transcript