The Grey Side of Logic Optimization: Timing Attacks on Web Applications (2018 Taiwan Cyber Security Summit: Software Security Forum)

Most developers consider only correctness and performance when deciding the logic and ordering of operations in an application. Seen from the grey side, however, timing, or the difference in timing between code paths, reveals far more information than we expect. This session looks at timing attacks against web applications and examines the security problems that logic optimization can introduce.

Yi-Feng Tzeng

March 29, 2018

Transcript

  1. The grey side of logic optimization
    Timing attacks on web applications
    ( Timing Attacks on Web )
    Ant
    [email protected] / [email protected]
    2018-03-13

  2. Introduction
    Coding Security Intellectual property Startup
    • • •

  3. Thank @mathias for inspiring me

  4. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

  5. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

  6. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

  7. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
    1000 µs
    1000 µs
    100 µs
    200 µs

  8. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

  9. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
    A000000
    B000000

    E000000
    EA00000

  10. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

  11. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
    1000 µs
    1000 µs
    100 µs
    200 µs

  12. Premature optimization is the root of all evil
    ~ Donald Knuth ~
    a little bit

  13. PHP
    Are PHP functions safe against timing attacks ?
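As an added illustration of the question on this slide (not part of the deck, and written in Python rather than PHP so that it runs stand-alone), the block below contrasts an early-exit string comparison with a constant-time one. A step counter stands in for the elapsed time an attacker would measure: the early-exit version does more work the longer the matching prefix is (the A000000 / E000000 / EA00000 pattern from the referenced slides), while the constant-time version always does the same amount. `naive_equal`, `constant_time_equal`, `step_profile`, `leaks` and the sample values are all constructed for this example.

```python
"""Added example (not from the slides): why an early-exit comparison leaks the
length of the matching prefix, and how a constant-time comparison removes it.

The step counter stands in for wall-clock time; on a real server the count
is what an attacker observes through the network, blurred by jitter.
"""
import hmac


def naive_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (equal, steps). The number of steps grows with the length of the
    matching prefix, which is exactly the signal a timing attack needs.
    """
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Comparison whose work depends only on the length, never on the content.

    Every byte is visited and the mismatches are folded into an accumulator
    with XOR/OR, so there is no data-dependent early exit. (Length is still
    observable; the standard library's hmac.compare_digest has the same property.)
    """
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    acc = 0
    for a, b in zip(secret, guess):
        steps += 1
        acc |= a ^ b
    return acc == 0, steps


def step_profile(compare, secret: bytes, guesses: list[bytes]) -> dict[bytes, int]:
    """Run `compare` once per guess and record how many steps each took."""
    return {g: compare(secret, g)[1] for g in guesses}


def leaks(profile: dict[bytes, int]) -> bool:
    """The check a reviewer wants: a comparison leaks if different guesses of the
    same length take different amounts of work."""
    return len(set(profile.values())) > 1


# Constructed sample values in the style of the deck's A000000 / EA00000 slide.
SECRET = b"EA12345"
GUESSES = [b"A000000", b"B000000", b"E000000", b"EA00000", b"EA12345"]


if __name__ == "__main__":
    for name, fn in (("naive", naive_equal), ("constant-time", constant_time_equal)):
        profile = step_profile(fn, SECRET, GUESSES)
        print(name, profile, "leaks:", leaks(profile))
    # The standard-library equivalent of constant_time_equal:
    print("hmac.compare_digest:", hmac.compare_digest(SECRET, b"EA12345"))
```

The same review question applies to any language: does the comparison used for tokens, signatures or password hashes do a fixed amount of work for a fixed length? In Python that means `hmac.compare_digest`; in PHP the deck's question is answered by `hash_equals` rather than `==`.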

  14.

  15. DEMO #01

  16.

  17. Do those work ideally on the web ?

  18. localhost

  19.

  20. Application jitter
    10-30 ms
    Database jitter
    10-300 ms
    Network jitter
    100-150 ms

  21. Attack Shift
    Timing attack against software implementation

  22. Attack Shift
    Timing attack against software implementation
    Ideal

  23. Attack Shift
    Timing attack against software implementation
    Ideal
    Timing attack against business logic
    Reality

  24.

  25. ~2500 ms

  26. ~1500 ms

  27. Login
    Admin User
    100 ms
    2500 ms 1500 ms

  28. Login
    Admin User
    100 ms
    2500 ms 1500 ms
    ~1000 ms

  29. Login
    Admin User
    100 ms
    2500 ms 1500 ms
    Validate user
    100 ms
    ~1000 ms

  30.

  31. 100 ms

  32. 100 ms
    Email guess, brute force attack
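The e-mail guessing described on slides 27 to 32 comes from the "validate user" step returning early (about 100 ms) when the e-mail is unknown, while a known e-mail goes on to the expensive password check. The block below is an added example, not the deck's demo: it models both branches with a constructed cost model in milliseconds (roughly the deck's figures, plus the jitter ranges from slide 20), shows how a handful of repeated requests separates the two cases through the jitter, and shows the usual fix of doing identical work on both branches. `login_leaky`, `login_uniform`, `observe_median_ms`, `enumeration_gap_ms`, the user store and the dummy credential are all constructed.

```python
"""Added example, not from the deck: the 'validate user' step as an account
enumeration oracle, and the fix of doing identical work on both branches.

Costs are a constructed model in milliseconds (roughly the deck's figures:
~100 ms to look the user up, ~1000 ms to verify a password hash) plus the
jitter ranges from the deck's slide 20. Nothing sleeps or touches a network.
"""
import hashlib
import hmac
import random
import statistics

COST_LOOKUP_MS = 100
COST_HASH_MS = 1000


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a low iteration count so the example runs quickly offline;
    # the point is only that real password hashing is deliberately expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


# Constructed user store: e-mail -> (salt, password hash).
USERS = {"ant@example.test": (b"salt-ant", _hash("correct horse", b"salt-ant"))}

# A dummy credential used to burn the same hashing time for unknown e-mails.
DUMMY = (b"salt-dummy", _hash("dummy", b"salt-dummy"))


def login_leaky(email: str, password: str) -> tuple[bool, int]:
    """Returns (accepted, cost_ms). Unknown e-mails skip the hash entirely: an
    optimization that exposes 'this e-mail exists' as ~1000 ms of extra latency."""
    cost = COST_LOOKUP_MS
    user = USERS.get(email)
    if user is None:
        return False, cost
    salt, stored = user
    cost += COST_HASH_MS
    return hmac.compare_digest(_hash(password, salt), stored), cost


def login_uniform(email: str, password: str) -> tuple[bool, int]:
    """Same interface, but both branches look up, hash and compare."""
    cost = COST_LOOKUP_MS
    salt, stored = USERS.get(email, DUMMY)
    cost += COST_HASH_MS
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # The dummy credential must never grant access, even if its password were guessed.
    return matched and email in USERS, cost


def observe_median_ms(login, email: str, samples: int, rng: random.Random) -> float:
    """Median latency over `samples` failed logins, with the deck's jitter ranges
    (application 10-30 ms, database 10-300 ms, network 100-150 ms) added."""
    seen = []
    for _ in range(samples):
        _, cost = login(email, "not the password")
        jitter = rng.uniform(10, 30) + rng.uniform(10, 300) + rng.uniform(100, 150)
        seen.append(cost + jitter)
    return statistics.median(seen)


def enumeration_gap_ms(login, samples: int = 50, seed: int = 1) -> float:
    """Distance between the median latencies for a known and an unknown e-mail.
    A large gap means the e-mail check is an oracle; a small gap means the
    difference is buried in the jitter."""
    rng = random.Random(seed)
    known = observe_median_ms(login, "ant@example.test", samples, rng)
    unknown = observe_median_ms(login, "nobody@example.test", samples, rng)
    return abs(known - unknown)


if __name__ == "__main__":
    print("leaky gap   ~%.0f ms" % enumeration_gap_ms(login_leaky))
    print("uniform gap ~%.0f ms" % enumeration_gap_ms(login_uniform))
```

The measurement side is the check a defender can run against a real login endpoint: repeat failed logins for one account known to exist and one that does not, compare the medians, and treat a gap well above the jitter as a finding. The repair is structural rather than a padding `sleep`: the unknown-user branch performs the same lookup, hash and comparison as the known-user branch.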

  33. Which one is better ?

  34.

  35. 100 ms

  36. 100 ms
    100 ms

  37. 100 ms
    100 ms
    100 ms

  38. 100 ms
    100 ms
    100 ms
    DEMO #02

  39. 100 ms
    100 ms
    100 ms

  40. Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms

  41. Welcome Ant !
    ~1000 ms

  42. ~500 ms

  43. old

  44. ~30 ms
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p52)

  45. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p54)
    ~15 ms

  46. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)

  47. Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms

  48. 404
    Page not found
    ~200 ms

  49. 404
    Page not found
    ~80 ms

  50.

  51. Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms
    302 / 404
    80 ms 1200 ms
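Slides 48 to 51 show the boomerang the deck is about: making the 404 page fast (about 200 ms down to about 80 ms) is a good optimization on its own, but once a page that does not exist answers in 80 ms while a hidden page that exists answers with a 302 after about 1200 ms of work, both the status code and the delay reveal which hidden pages exist. The block below is an added example, not the deck's demo; `handle_leaky`, `handle_uniform`, `distinguishable`, the `PAGES` table, the role names and the costs are all constructed. The repair is to decide existence and permission before any rendering and to answer both "does not exist" and "not permitted" identically.

```python
"""Added example, not from the deck: a hidden page leaking through the
difference between a fast 404 and a slow 302, and the check-first fix.

Costs are a constructed model in milliseconds, following the deck's figures
(~80 ms for the optimized 404 page, ~1200 ms to build the hidden page).
"""

COST_ROUTE_MS = 80  # routing plus the optimized 404 page

# Constructed page table: path -> roles allowed to see it, and build cost.
PAGES = {
    "/admin/reports": {"roles": {"admin"}, "render_cost_ms": 1120},
}


def handle_leaky(path: str, role: str) -> tuple[int, int]:
    """Returns (status, cost_ms). The handler builds the page first and only
    then notices the visitor may not see it, so an existing hidden page costs
    ~1200 ms and answers 302, while a missing page costs ~80 ms and answers 404."""
    cost = COST_ROUTE_MS
    page = PAGES.get(path)
    if page is None:
        return 404, cost
    cost += page["render_cost_ms"]          # expensive work done before the check
    if role not in page["roles"]:
        return 302, cost                     # redirect to login: "exists, but not for you"
    return 200, cost


def handle_uniform(path: str, role: str) -> tuple[int, int]:
    """Existence and permission are decided before any rendering, and both
    negative cases share one status and one code path, so neither the status
    nor the latency says whether the page exists."""
    cost = COST_ROUTE_MS
    page = PAGES.get(path)
    if page is None or role not in page["roles"]:
        return 404, cost
    cost += page["render_cost_ms"]
    return 200, cost


def distinguishable(handler, role: str = "user") -> bool:
    """The check a reviewer wants: does a visitor without the role get a different
    (status, cost) for a hidden page than for a page that does not exist?"""
    return handler("/admin/reports", role) != handler("/no/such/page", role)


if __name__ == "__main__":
    for name, handler in (("leaky", handle_leaky), ("uniform", handle_uniform)):
        print(name, "hidden:", handler("/admin/reports", "user"),
              "missing:", handler("/no/such/page", "user"),
              "distinguishable:", distinguishable(handler))
```

The same reasoning applies to the other columns in the slide's table: whenever an authorization decision is taken after a data load, the load's duration becomes an oracle for whatever the decision was protecting, so the order of checks is itself a security property worth a comment in the code.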

  52.

  53.

  54.

  55.

  56.

  57.

  58. DEMO Online

  59. Application jitter
    10-30 ms
    Database jitter
    10-300 ms
    Network jitter
    100-150 ms

  60. LAN
    Router
    IoT device
    NAS server / etc.
    POS / Console / etc.

  61. Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms
    302 / 404
    80 ms 1200 ms

  62. SuperUser
    Login
    Admin User
    Gender Age VIP
    100 ms
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    Backdoor
    …...
    …...
    400 ms
    Validate user
    100 ms
    302 / 404
    80 ms 1200 ms

  63.

  64. DEMO #03

  65. A000000
    B000000

    E000000
    EA00000

  66. Optimization is like a boomerang: you may not even notice when it comes back around and hits you
    ~ Ant ~

  67. Attack Modes
    Post-auth
    Administrator Permissions Hidden page*
    Pre-auth
    Hidden page*
    Validate user
    Backdoor
    Active attacks
    Passive attacks

  68. Passive attacks

  69. Active attacks

  70. Attack Modes
    Post-auth
    Administrator Permissions Hidden page*
    Pre-auth
    Hidden page*
    Validate user
    Backdoor
    Active attacks
    Passive attacks

  71. password hash function ?

  72. password hash function ?
    DEMO #04

  73. Security is like an onion: peel it back layer by layer and some layer will make you cry
    ~ Ant ~

  74. [email protected] / [email protected]
    https://www.facebook.com/yftzeng.tw
    https://twitter.com/yftzeng