
Timing Info-leak Made Easy - Security Bootcamp 2013

Security Bootcamp 2013 - Can Tho - Vietnam

By using differential analysis of timing information to infer the compressed payload's size, the CRIME attack model can be simplified and its requirements loosened. In TIME's attack model the attacker only needs to control the plaintext, theoretically allowing any malicious site to launch a TIME attack against its innocent visitors to break SSL encryption and/or the Same Origin Policy (SOP).

Tam Quan Minh

October 27, 2013
Transcript

  1. Outline
     - Review SSL/TLS weaknesses
     - BEAST is not beast
     - CRIME is not crime
       - Compression
       - CRIME
     - TIME is time
       - CRIME+
     www.securitybootcamp.vn
  2. Cryptanalysis
     - Chosen plaintext | ciphertext
     - Adaptive chosen plaintext | ciphertext
     - Side channel attack
     - Brute-force attack
     - Meet-in-the-middle
     - Linear | differential attack
     - Birthday
  3. Timeline
     - BEAST - 2011
     - CRIME - 2012
     - BREACH - 2013
     - LUCKY 13 - 2013
     - TIME - 2013
     - RC4 biases in TLS
  4. COMPRESSION
     - Gzip/Deflate
       - HTTP Response body
       - HTTP Request body
       - Header compression
     - SSL/TLS Compression
       - Servers: OpenSSL, others
       - Clients: Chrome
     - SPDY
       - Server: Apache mod_spdy
       - Client: -IE
  5. Chosen Plaintext Attack
     - len(compress(input + secret))
     - len(compress(A + SECURITY))
     - len(compress(B + SECURITY))
     - len(compress(D + SECURITY))
     - len(compress(E + SECURITY))
     - len(compress(… + SECURITY))
  6. CRIME - Algorithm
     - len(encrypt(compress(input + public + secret))) is leaked.
       - Input: URL path.
       - Public: known headers
       - Secret: cookie
     - Algorithm:
       - Make a guess, ask the browser to send a request with the guess as path.
       - Observe the length of the request that was sent.
       - The guess is correct when the length differs from the usual one.

     GET /twid=a
     Host: twitter.com
     User-Agent: Chrome
     Cookie: twid=secret
     [Length: 434]

     GET /twid=s
     Host: twitter.com
     User-Agent: Chrome
     Cookie: twid=secret
     [Length: 433]
  7. How can you become a victim of CRIME?
     - 1st requirement: the attacker can sniff your network traffic.
       - You share a (W)LAN.
       - He's hacked your home router.
       - He's your network admin, ISP or government.
     https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1d134dff_0_165
  8. How can you become a victim of CRIME?
     - 2nd requirement: you visit evil.com.
       - You click on a link.
       - Or you surf a non-HTTPS site.
     https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1e3070b2_1_21
  9. Review
     - Round-Trip Time (RTT)
     - Maximum Transmission Unit (MTU)
     - Maximum Segment Size (MSS)
       MSS = MTU - sizeof(TCPHDR) - sizeof(IPHDR)
     - TCP Sliding Window System
  10. TIME
      - Timing Info-leak Made Easy
      - Chosen Plaintext Attack
      - Targets compression and timing information leakage
  11. What's different?
      - HTTP request
        - CRIME works on the request to extract cookie data
      - HTTP response
        - TIME extends CRIME to extract response data
        - Access a behind-authentication resource to detect the user's login status
        - Application specific: e.g. number of digits in a bank account balance
  12. HTTP payload
      - HTTP payload size may carry sensitive information
      - Detecting HTTP payload size differences is sufficient to extract the sensitive information
      - Using timing measurements, the attacker can distinguish HTTP payload size differences
      - These timing measurements can be done with JavaScript on the attacker's site
  13. XHR POC
      - Create an HTTP request with XHR
      - XHR adheres to SOP
        - Allows GET requests to flow
        - If headers allow, show the response
        - If not, abort
        - We don't care about the response
      - Timing leaks the request size
      - Use getTime() on XHR events
        - onreadystatechange
      - Noise elimination
        - Repeat the process (say 10 times) and take the minimal time
  14. XHR POC
      - HTML with JavaScript, sending method is XHR
      - Sends two requests differing by one byte, alternately, 10 times
        - The longer request crosses the send window boundary
        - The shorter one fits exactly within it
      - Measures request time
      - Outputs length and time
      - Outputs the minimal timing values for both request lengths
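An added worked example, not code from the slides, combining the length oracle of slide 6 with the MSS formula of slide 9 and the segment-boundary condition of slide 14. The request template, cookie secret and guesses are constructed values; the check shows that DEFLATE length separates a correct guess from a wrong one while uncompressed length does not, and which pair of sizes would cross a TCP segment boundary.

```python
import zlib
from math import ceil

# Constructed sample values (not from the slides): a cookie secret and a request
# template shaped like the "GET /twid=..." example on slide 6.
SECRET = b"aK3qZ9pL7wX2mN5t"
TEMPLATE = (b"GET /twid=%s HTTP/1.1\r\n"
            b"Host: twitter.com\r\n"
            b"User-Agent: Chrome\r\n"
            b"Cookie: twid=%s\r\n\r\n")


def build_request(guess: bytes, secret: bytes = SECRET) -> bytes:
    """Attacker-chosen path (guess) and browser-added secret cookie share one request."""
    return TEMPLATE % (guess, secret)


def compressed_len(data: bytes) -> int:
    """Size on the wire after DEFLATE (TLS compression / SPDY header compression)."""
    return len(zlib.compress(data, 9))


def length_delta(correct: bytes, wrong: bytes) -> int:
    """Bytes saved when the guess matches the secret instead of missing it.
    Positive: compressed size leaks the secret (the CRIME precondition).
    Zero: the two candidates are indistinguishable by size."""
    return compressed_len(build_request(wrong)) - compressed_len(build_request(correct))


def mss(mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """Slide 9: MSS = MTU - sizeof(TCPHDR) - sizeof(IPHDR); 20-byte headers assumed."""
    return mtu - tcp_hdr - ip_hdr


def segments(length: int, mss_bytes: int) -> int:
    """TCP segments needed to carry `length` bytes."""
    return ceil(length / mss_bytes)


def straddles_boundary(len_a: int, len_b: int, mss_bytes: int = mss(1500)) -> bool:
    """Slide 14: a size difference becomes a timing difference only when one
    candidate fits the current segment count and the other needs one more."""
    return segments(len_a, mss_bytes) != segments(len_b, mss_bytes)


if __name__ == "__main__":
    wrong = b"Q7yH1vB4cF8dG0sR"  # constructed wrong guess of the same length
    print("uncompressed delta:", len(build_request(wrong)) - len(build_request(SECRET)))
    print("compressed delta:  ", length_delta(SECRET, wrong))
    print("1460 vs 1461 bytes straddle MSS boundary:", straddles_boundary(1460, 1461))
```

With compression off the two requests are the same size, so neither CRIME nor TIME has anything to observe; with it on, the compressed delta is what an attacker would need to push across a segment boundary.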
  15. HTTP request with IMG src
      - It is not an image? Don't worry
      - X-Frame-Options? Don't worry
      - Use getTime() on img events
        - onLoad
        - onreadystatechange (IE)
  16. MITIGATIONS
      - X-Frame-Options
        - Browsers should support and respect the "X-Frame-Options" header for all content inclusion (not just IFRAME);