Slide 1
The Grey Side of Logic Optimization: Timing Attacks on Web Applications (Timing Attacks on Web). Ant, [email protected] / [email protected], 2018-03-13

Slide 2
Introduction: Coding, Security, Intellectual property, Startup, ...

Slide 3
Thanks to @mathias for inspiring me

Slide 4
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016

Slide 5
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016

Slide 6
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016

Slide 7
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016 (chart values: 1000 µs, 1000 µs, 100 µs, 200 µs)

Slide 8
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016

Slide 9
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016 (guess sequence: A000000, B000000, …, E000000, EA00000, …)

Slide 10
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016

Slide 11
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016 (chart values: 1000 µs, 1000 µs, 100 µs, 200 µs)

Slide 12
"Premature optimization is the root of all evil" ~ Donald Knuth ~ (a little bit)

Slide 13
PHP: Are PHP functions safe against timing attacks?

Slide 14
(no text extracted)

Slide 15
DEMO #01

Slide 16
(no text extracted)

Slide 17
Do those work ideally on the web?

Slide 18
localhost

Slide 19
(no text extracted)

Slide 20
Application jitter: 10-30 ms; Database jitter: 10-300 ms; Network jitter: 100-150 ms

Slide 21
Attack Shift: Timing attack against software implementation

Slide 22
Attack Shift: Timing attack against software implementation (Ideal)

Slide 23
Attack Shift: Timing attack against software implementation (Ideal); Timing attack against business logic (Reality)

Slide 24
(no text extracted)

Slide 25
~2500 ms

Slide 26
~1500 ms

Slide 27
Diagram labels: Login, Admin, User; 100 ms, 2500 ms, 1500 ms

Slide 28
Diagram labels: Login, Admin, User; 100 ms, 2500 ms, 1500 ms; ~1000 ms

Slide 29
Diagram labels: Login, Admin, User; 100 ms, 2500 ms, 1500 ms; Validate user 100 ms; ~1000 ms

Slide 30
(no text extracted)

Slide 31
100 ms

Slide 32
100 ms; Email guess, brute force attack

Slide 33
Which one is better?

Slide 34
(no text extracted)

Slide 35
100 ms

Slide 36
100 ms, 100 ms

Slide 37
100 ms, 100 ms, 100 ms

Slide 38
100 ms, 100 ms, 100 ms; DEMO #02

Slide 39
100 ms, 100 ms, 100 ms

Slide 40
Diagram labels: Login, Admin, User, Gender, Age, VIP; 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, …; Validate user 100 ms

Slide 41
Welcome Ant! ~1000 ms

Slide 42
~500 ms

Slide 43
old

Slide 44
~30 ms. Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016 (p52)

Slide 45
~15 ms. Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016 (p54)

Slide 46
Ref: Front-End Performance: The Dark Side @ ColdFront Conference 2016 (p50)

Slide 47
Diagram labels: Login, Admin, User, Gender, Age, VIP; 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, …; Validate user 100 ms

Slide 48
404 Page not found: ~200 ms

Slide 49
404 Page not found: ~80 ms

Slide 50
(no text extracted)

Slide 51
Diagram labels: Login, Admin, User, Gender, Age, VIP; 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, …; Validate user 100 ms; 302 / 404: 80 ms, 1200 ms

Slide 52
(no text extracted)

Slide 53
(no text extracted)

Slide 54
(no text extracted)

Slide 55
(no text extracted)

Slide 56
(no text extracted)

Slide 57
(no text extracted)

Slide 58
DEMO Online

Slide 59
Application jitter: 10-30 ms; Database jitter: 10-300 ms; Network jitter: 100-150 ms

Slide 60
LAN: Router, IoT device, NAS server / etc., POS / Console / etc.

Slide 61
Diagram labels: Login, Admin, User, Gender, Age, VIP; 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, …; Validate user 100 ms; 302 / 404: 80 ms, 1200 ms

Slide 62
Diagram labels: SuperUser, Login, Admin, User, Gender, Age, VIP; 100 ms, 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms; Backdoor, …, 400 ms; Validate user 100 ms; 302 / 404: 80 ms, 1200 ms

Slide 63
(no text extracted)

Slide 64
DEMO #03

Slide 65
Guess sequence: A000000, B000000, …, E000000, EA00000, …

Slide 66
Optimization is like a boomerang: you may never know when it will come back and hit you. ~ Ant ~

Slide 67
Attack Modes. Post-auth: Administrator, Permissions, Hidden page*. Pre-auth: Hidden page*, Validate user, Backdoor. Active attacks / Passive attacks

Slide 68
Passive attacks

Slide 69
Active attacks

Slide 70
Attack Modes. Post-auth: Administrator, Permissions, Hidden page*. Pre-auth: Hidden page*, Validate user, Backdoor. Active attacks / Passive attacks

Slide 71
Password hash function?

Slide 72
Password hash function? DEMO #04
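The deck does not reproduce DEMO #04, so the following is an added example, not the speaker's code: it shows the "Validate user 100 ms" short-circuit from the login slides (an unknown e-mail is rejected before the password hash runs, a known one pays for the full hash) beside the fix of doing the same hash work on every path. The account, password and dummy record are constructed sample data.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000          # PBKDF2 work factor: the slow step an attacker can time
HASH_CALLS = {"count": 0}    # instrumentation: how often the hash function actually ran


def derive(password: str, salt: bytes) -> bytes:
    """Password hash (PBKDF2-HMAC-SHA256); counts its own invocations."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": derive(password, salt)}


# Constructed sample account (hypothetical, not from the talk).
USERS = {"ant@example.com": make_record("correct horse battery")}

# Dummy record with an unguessable random password, so an unknown e-mail
# can be put through exactly the same work as a known one.
DUMMY = make_record(secrets.token_hex(32))


def login_leaky(email: str, password: str) -> bool:
    """'Validate user' short-circuits: an unknown e-mail returns before any
    hashing (the slide's ~100 ms), while a known e-mail pays for the full
    hash (~1000 ms). The gap alone tells an observer which e-mails exist."""
    record = USERS.get(email)
    if record is None:
        return False                       # fast path: the timing leak
    return hmac.compare_digest(derive(password, record["salt"]), record["hash"])


def login_fixed(email: str, password: str) -> bool:
    """Every path runs the hash and a constant-time compare, so known and
    unknown e-mails cost the same; the unknown case is still rejected."""
    record = USERS.get(email)
    known = record is not None
    if not known:
        record = DUMMY
    match = hmac.compare_digest(derive(password, record["salt"]), record["hash"])
    return match and known
```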

Slide 73
Security is like an onion: peel it layer by layer, and there is always one layer that makes you cry. ~ Ant ~

Slide 74
[email protected] / [email protected]; https://www.facebook.com/yftzeng.tw; https://twitter.com/yftzeng