Upgrade to Pro — share decks privately, control downloads, hide ads and more …

邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

Yi-Feng Tzeng
March 29, 2018
Technology
1
220

邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

一般人對於應用程式的撰寫邏輯與順序,只考量正確性及效能面。但是從灰色的視角切入時,時序或時間差所透露的資訊往往比我們想像中來得多。本議程將針對網頁應用上的時序攻擊,探討邏輯優化可能帶來的安全問題。

Yi-Feng Tzeng

March 29, 2018
Tweet

More Decks by Yi-Feng Tzeng

See All by Yi-Feng Tzeng
重新想像:如何做技術選型決策 / Rethinking : Technical Decision
yftzeng
3
870
擁抱開源:企業應如何善用開源技術,才能得其利而防其弊 - 加強版
yftzeng
0
33
Testing in Production, Deploy on Fridays
yftzeng
0
41
COSCUP 2020 Day 1 - Opening Keynote
yftzeng
0
37
COSCUP 2020 Day 2 - Opening Keynote
yftzeng
0
45
Severless PHP Case : Agile Dashboard via GitLab Board API
yftzeng
0
43
Dev(Sec)Ops: Architecture for Security and Compliance
yftzeng
0
71
給資安工程師開源授權觀念
yftzeng
0
29
Progressive Deployment & NoDeploy
yftzeng
0
120

Other Decks in Technology

See All in Technology
エラーログをAlertで引っ掛けるときにEventTimer使ってみた話
sparty
0
130
cronworkflowを用いた バッチ障害時の運用改善
ayanonanjo
0
210
Webとクラウド技術に全振りした最強のモバイルコア作ってみた
sbtechnight
PRO
0
330
八王子からお届けするノベルティ - YAPC::Kyoto 2023
uzulla
0
220
OCI Cloud Native 2023
oracle4engineer
PRO
0
130
Product Minded Software Engineers: Understanding the Product with a code-first approach
cembasaranoglu
0
220
ノーコードAI開発プラットフォーム「AIMINA」のシステム設計コンセプトと技術的チャレンジ
sbtechnight
PRO
0
300
DevRel_Japan CONFERENCE 2023
kurotaky
1
570
DevRel/Japan CONFERENCE 2023
1ftseabass
PRO
0
400
AmebaにおけるQAコスト改善施策〜テスト項目の整理とAutify for Mobileによる自動化
sosuiiii
0
160
Exadata Database Cloud (Exadata Cloud Service) サービス技術詳細
oracle4engineer
PRO
0
26k
5分でまとめるAWSマイグレーション / 5minutes aws migration
se_o_chan
1
170

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
58
6.1k
Producing Creativity
orderedlist
PRO
335
38k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Raft: Consensus for Rubyists
vanstee
130
5.7k
Large-scale JavaScript Application Architecture
addyosmani
499
110k
No one is an island. Learnings from fostering a developers community.
thoeni
12
1.6k
Designing Experiences People Love
moore
130
22k
Making Projects Easy
brettharned
102
4.9k
Principles of Awesome APIs and How to Build Them.
keavy
117
16k
Optimizing for Happiness
mojombo
366
65k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
Building Applications with DynamoDB
mza
86
5k

Transcript

  1. 邏輯優化的灰色面
    針對網頁應用的時序攻擊
    ( Timing Attacks on Web )
    Ant
    [email protected] / [email protected]
    2018-03-13

    View Slide

  2. 2/74
    Introduction
    Coding Security Intellectual property Startup
    • • •

    View Slide

  3. 3/74
    Thank @mathias for inspiring me

    View Slide

  4. 4/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

    View Slide

  5. 5/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

    View Slide

  6. 6/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

    View Slide

  7. 7/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
    1000 µs
    1000 µs
    100 µs
    200 µs

    View Slide

  8. 8/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

    View Slide

  9. 9/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
    A000000
    B000000

    E000000
    EA00000

    View Slide

  10. 10/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

    View Slide

  11. 11/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
    1000 µs
    1000 µs
    100 µs
    200 µs

    View Slide

  12. 12/74
    Premature optimization is the root of all evil
    ( 過早最佳化是萬惡的根源 )
    ~ Donald Knuth ~
    a little bit

    View Slide

  13. 13/74
    PHP
    Are PHP functions safe against timing attacks ?

    View Slide

  14. 14/74

    View Slide

  15. 15/74
    DEMO #01

    View Slide

  16. 16/74

    View Slide

  17. 17/74
    Those work on web ideally ?

    View Slide

  18. 18/74
    localhost

    View Slide

  19. 19/74

    View Slide

  20. 20/74
    Applicaton jitte
    10-30 ms
    Databast jitte
    10-300 ms
    Nttwoek jitte
    100-150 ms

    View Slide

  21. 21/74
    Attack Shift
    Timing atack against sofwaet impltmtntaton

    View Slide

  22. 22/74
    Attack Shift
    Timing atack against sofwaet impltmtntaton
    Ideal

    View Slide

  23. 23/74
    Attack Shift
    Timing atack against sofwaet impltmtntaton
    Ideal
    Timing atack against busintss logic
    Reality

    View Slide

  24. 24/74

    View Slide

  25. 25/74
    ~2500 ms

    View Slide

  26. 26/74
    ~1500 ms

    View Slide

  27. 27/74
    Login
    Admin User
    100 ms
    2500 ms 1500 ms

    View Slide

  28. 28/74
    Login
    Admin User
    100 ms
    2500 ms 1500 ms
    ~1000 ms

    View Slide

  29. 29/74
    Login
    Admin User
    100 ms
    2500 ms 1500 ms
    Validate user
    100 ms
    ~1000 ms

    View Slide

  30. 30/74

    View Slide

  31. 31/74
    100 ms

    View Slide

  32. 32/74
    100 ms
    Email guess, brute force attack

    View Slide

  33. 33/74
    Which one is better ?

    View Slide

  34. 34/74

    View Slide

  35. 35/74
    100 ms

    View Slide

  36. 36/74
    100 ms
    100 ms

    View Slide

  37. 37/74
    100 ms
    100 ms
    100 ms

    View Slide

  38. 38/74
    100 ms
    100 ms
    100 ms
    DEMO #02

    View Slide

  39. 39/74
    100 ms
    100 ms
    100 ms

    View Slide

  40. 40/74
    Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms

    View Slide

  41. 41/74
    Welcome Ant !
    ~1000 ms

    View Slide

  42. 42/74
    ~500 ms

    View Slide

  43. 43/74
    old

    View Slide

  44. 44/74
    ~30 ms
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p52)

    View Slide

  45. 45/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p54)
    ~15 ms

    View Slide

  46. 46/74
    Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)

    View Slide

  47. 47/74
    Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms

    View Slide

  48. 48/74
    404
    Page not found
    ~200 ms

    View Slide

  49. 49/74
    404
    Page not found
    ~80 ms

    View Slide

  50. 50/74

    View Slide

  51. 51/74
    Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms
    302 / 404
    80 ms 1200 ms

    View Slide

  52. 52/74

    View Slide

  53. 53/74

    View Slide

  54. 54/74

    View Slide

  55. 55/74

    View Slide

  56. 56/74

    View Slide

  57. 57/74

    View Slide

  58. 58/74
    DEMO Online

    View Slide

  59. 59/74
    Applicaton jitte
    10-30 ms
    Databast jitte
    10-300 ms
    Nttwoek jitte
    100-150 ms

    View Slide

  60. 60/74
    LAN
    Router
    IoT device
    NAS server / etc.
    POS / Console / etc.

    View Slide

  61. 61/74
    Login
    Admin User
    Gender Age VIP
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    …...
    …...
    Validate user
    100 ms
    302 / 404
    80 ms 1200 ms

    View Slide

  62. 62/74
    SuperUser
    Login
    Admin User
    Gender Age VIP
    100 ms
    100 ms
    2500 ms 1500 ms
    1000 ms 1000 ms 1200 ms
    Backdoor
    …...
    …...
    400 ms
    Validate user
    100 ms
    302 / 404
    80 ms 1200 ms

    View Slide

  63. 63/74

    View Slide

  64. 64/74
    DEMO #03

    View Slide

  65. 65/74
    A000000
    B000000

    E000000
    EA00000

    View Slide

  66. 66/74
    最佳化就像迴旋鏢,何時不小心回來打到你,可能也不知道
    ~ Ant ~

    View Slide

  67. 67/74
    Attack Modes
    Post-auth
    Administrator Permissions Hidden page*
    Pre-auth
    Hidden page*
    Validate user
    Backdoor
    Active attacks
    Passive attacks

    View Slide

  68. 68/74
    Passive attacks

    View Slide

  69. 69/74
    Active attacks

    View Slide

  70. 70/74
    Attack Modes
    Post-auth
    Administrator Permissions Hidden page*
    Pre-auth
    Hidden page*
    Validate user
    Backdoor
    Active attacks
    Passive attacks

    View Slide

  71. 71/74
    password hash function ?

    View Slide

  72. 72/74
    password hash function ?
    DEMO #04

    View Slide

  73. 73/74
    安全就像洋蔥,一片一片地剝開,總有一片會讓人流淚
    ~ Ant ~

    View Slide

  74. 74/74
    [email protected] / [email protected]
    https://www.facebook.com/yftzeng.tw
    https://twitter.com/yftzeng

    View Slide