Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
Slide 5
Slide 6
Slide 7
Diagram (timings): 1000 µs, 1000 µs, 100 µs, 200 µs
Slide 8
Slide 9
Guess sequence: A000000, B000000, …, E000000, EA00000, …
Slide 10
Slide 11
Diagram (timings): 1000 µs, 1000 µs, 100 µs, 200 µs
Slide 12
Premature optimization is the root of all evil
~ Donald Knuth ~
a little bit
Slide 13
PHP
Are PHP functions safe against timing attacks?
Slide 14
Slide 15
DEMO #01
Slide 16
Slide 17
Do those work ideally on the web?
Slide 18
localhost
Slide 19
Slide 20
Application jitter: 10-30 ms
Database jitter: 10-300 ms
Network jitter: 100-150 ms
Slide 21
Attack Shift
Timing attack against software implementation
Slide 22
Attack Shift
Timing attack against software implementation (ideal)
Slide 23
Attack Shift
Timing attack against software implementation (ideal)
Timing attack against business logic (reality)
Slide 24
Slide 25
~2500 ms
Slide 26
~1500 ms
Slide 27
Diagram: Login (100 ms) → Admin (2500 ms) | User (1500 ms)
Slide 28
Diagram: Login (100 ms) → Admin (2500 ms) | User (1500 ms); gap ~1000 ms
Slide 29
Diagram: Login (100 ms) → Admin (2500 ms) | User (1500 ms); gap ~1000 ms
Validate user (100 ms)
Slide 30
Slide 31
100 ms
Slide 32
100 ms
Email guessing, brute-force attack
Slide 33
Which one is better?
Slide 34
Slide 35
100 ms
Slide 36
100 ms, 100 ms
Slide 37
100 ms, 100 ms, 100 ms
Slide 38
100 ms, 100 ms, 100 ms
DEMO #02
Slide 39
100 ms, 100 ms, 100 ms
Slide 40
Diagram: Login (100 ms) → Admin (2500 ms) | User (1500 ms)
Next level: Gender (1000 ms) | Age (1000 ms) | VIP (1200 ms) | …
Validate user (100 ms)
Slide 41
Welcome Ant!
~1000 ms
Slide 42
~500 ms
Slide 43
old
Slide 44
~30 ms
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p52)
Slide 45
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p54)
~15 ms
Slide 46
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)
Slide 47
Diagram: Login (100 ms) → Admin (2500 ms) | User (1500 ms)
Next level: Gender (1000 ms) | Age (1000 ms) | VIP (1200 ms) | …
Validate user (100 ms)
Slide 48
404 Page not found: ~200 ms
Slide 49
404 Page not found: ~80 ms
Slide 50
Slide 51
Diagram: Login (100 ms) → Admin (2500 ms) | User (1500 ms)
Next level: Gender (1000 ms) | Age (1000 ms) | VIP (1200 ms) | …
Validate user (100 ms)
302 / 404: 80 ms | 1200 ms
Slide 52
Slide 53
Slide 54
Slide 55
Slide 56
Slide 57
Slide 58
DEMO Online
Slide 59
Application jitter: 10-30 ms
Database jitter: 10-300 ms
Network jitter: 100-150 ms
Slide 60
LAN
Router
IoT device
NAS server / etc.
POS / Console / etc.
Slide 61
Diagram: Login (100 ms) → Admin (2500 ms) | User (1500 ms)
Next level: Gender (1000 ms) | Age (1000 ms) | VIP (1200 ms) | …
Validate user (100 ms)
302 / 404: 80 ms | 1200 ms
Slide 62
Diagram: SuperUser (100 ms); Login (100 ms) → Admin (2500 ms) | User (1500 ms)
Next level: Gender (1000 ms) | Age (1000 ms) | VIP (1200 ms) | …
Backdoor (400 ms)
Validate user (100 ms)
302 / 404: 80 ms | 1200 ms
Slide 63
Slide 64
DEMO #03
Slide 65
Guess sequence: A000000, B000000, …, E000000, EA00000, …
Slide 66
Optimization is like a boomerang: you may not even notice when it comes back and hits you.
~ Ant ~
Slide 67
Attack Modes
Post-auth: Administrator Permissions, Hidden page*
Pre-auth: Hidden page*, Validate user, Backdoor
Active attacks / Passive attacks
Slide 68
Passive attacks
Slide 69
Active attacks
Slide 70
Attack Modes
Post-auth: Administrator Permissions, Hidden page*
Pre-auth: Hidden page*, Validate user, Backdoor
Active attacks / Passive attacks