邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

Ffe61c981651f09952d858fea7eaccd3?s=47 Yi-Feng Tzeng
March 29, 2018
Technology
1
190

邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

一般人對於應用程式的撰寫邏輯與順序,只考量正確性及效能面。但是從灰色的視角切入時,時序或時間差所透露的資訊往往比我們想像中來得多。本議程將針對網頁應用上的時序攻擊,探討邏輯優化可能帶來的安全問題。

Ffe61c981651f09952d858fea7eaccd3?s=128

Yi-Feng Tzeng

March 29, 2018
Tweet

Want more?

Ffe61c981651f09952d858fea7eaccd3?s=48 yftzeng
0
5
Ffe61c981651f09952d858fea7eaccd3?s=48 yftzeng
0
68
Ffe61c981651f09952d858fea7eaccd3?s=48 yftzeng
0
15
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
2
150
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
76
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
68
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
5
150
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
4
160
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
2
220
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
2
430
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
120
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
200

Transcript

  1. 1.

    邏輯優化的灰色面 針對網頁應用的時序攻擊 ( Timing Attacks on Web ) Ant ant@chroot.org

    / yftzeng@gmail.com 2018-03-13
  2. 2.

    2/74 Introduction Coding Security Intellectual property Startup • • •

  3. 3.

    3/74 Thank @mathias for inspiring me

  4. 4.

    4/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016
  5. 5.

    5/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016
  6. 6.

    6/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016
  7. 7.

    7/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 1000 µs 1000 µs 100 µs 200 µs
  8. 8.

    8/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016
  9. 9.

    9/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 A000000 B000000 … E000000 EA00000 …
  10. 10.

    10/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016
  11. 11.

    11/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 1000 µs 1000 µs 100 µs 200 µs
  12. 12.

    12/74 Premature optimization is the root of all evil (

    過早最佳化是萬惡的根源 ) ~ Donald Knuth ~ a little bit
  13. 13.

    13/74 PHP Are PHP functions safe against timing attacks ?

  14. 14.

    14/74

  15. 15.

    15/74 DEMO #01

  16. 16.

    16/74

  17. 17.

    17/74 Those work on web ideally ?

  18. 18.

    18/74 localhost

  19. 19.

    19/74

  20. 20.

    20/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek

    jitte 100-150 ms
  21. 21.

    21/74 Attack Shift Timing atack against sofwaet impltmtntaton

  22. 22.

    22/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal

  23. 23.

    23/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal Timing

    atack against busintss logic Reality
  24. 24.

    24/74

  25. 25.

    25/74 ~2500 ms

  26. 26.

    26/74 ~1500 ms

  27. 27.

    27/74 Login Admin User 100 ms 2500 ms 1500 ms

  28. 28.

    28/74 Login Admin User 100 ms 2500 ms 1500 ms

    ~1000 ms
  29. 29.

    29/74 Login Admin User 100 ms 2500 ms 1500 ms

    Validate user 100 ms ~1000 ms
  30. 30.

    30/74

  31. 31.

    31/74 100 ms

  32. 32.

    32/74 100 ms Email guess, brute force attack

  33. 33.

    33/74 Which one is better ?

  34. 34.

    34/74

  35. 35.

    35/74 100 ms

  36. 36.

    36/74 100 ms 100 ms

  37. 37.

    37/74 100 ms 100 ms 100 ms

  38. 38.

    38/74 100 ms 100 ms 100 ms DEMO #02

  39. 39.

    39/74 100 ms 100 ms 100 ms

  40. 40.

    40/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms
  41. 41.

    41/74 Welcome Ant ! ~1000 ms

  42. 42.

    42/74 ~500 ms

  43. 43.

    43/74 old

  44. 44.

    44/74 ~30 ms Ref: Front-End Performance The Dark Side @

    ColdFront Conference 2016 (p52)
  45. 45.

    45/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 (p54) ~15 ms
  46. 46.

    46/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 (p50)
  47. 47.

    47/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms
  48. 48.

    48/74 404 Page not found ~200 ms

  49. 49.

    49/74 404 Page not found ~80 ms

  50. 50.

    50/74

  51. 51.

    51/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms
  52. 52.

    52/74

  53. 53.

    53/74

  54. 54.

    54/74

  55. 55.

    55/74

  56. 56.

    56/74

  57. 57.

    57/74

  58. 58.

    58/74 DEMO Online

  59. 59.

    59/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek

    jitte 100-150 ms
  60. 60.

    60/74 LAN Router IoT device NAS server / etc. POS

    / Console / etc.
  61. 61.

    61/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms
  62. 62.

    62/74 SuperUser Login Admin User Gender Age VIP 100 ms

    100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms Backdoor …... …... 400 ms Validate user 100 ms 302 / 404 80 ms 1200 ms
  63. 63.

    63/74

  64. 64.

    64/74 DEMO #03

  65. 65.

    65/74 A000000 B000000 … E000000 EA00000 …

  66. 66.

    66/74 最佳化就像迴旋鏢,何時不小心回來打到你,可能也不知道 ~ Ant ~

  67. 67.

    67/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden

    page* Validate user Backdoor Active attacks Passive attacks
  68. 68.

    68/74 Passive attacks

  69. 69.

    69/74 Active attacks

  70. 70.

    70/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden

    page* Validate user Backdoor Active attacks Passive attacks
  71. 71.

    71/74 password hash function ?

  72. 72.

    72/74 password hash function ? DEMO #04

  73. 73.

    73/74 安全就像洋蔥,一片一片地剝開,總有一片會讓人流淚 ~ Ant ~

  74. 74.

    74/74 ant@chroot.org / yftzeng@gmail.com https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng