Most developers think about the logic and ordering of their application code only in terms of correctness and performance. Seen from the gray side, however, timing and time differences leak far more information than we tend to assume. This talk looks at timing attacks on web applications and examines the security problems that logic optimization can introduce.
The Gray Side of Logic Optimization: Timing Attacks on Web Applications (Timing Attacks on Web) / Ant / [email protected] / [email protected] / 2018-03-13
2/74 Introduction: Coding, Security, Intellectual property, Startup, ...
3/74 Thank @mathias for inspiring me
4/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
7/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016: 1000 µs, 1000 µs, 100 µs, 200 µs
9/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016: A000000, B000000, …, E000000, EA00000, …
12/74 "Premature optimization is the root of all evil" ~ Donald Knuth ~ ... a little bit
13/74 PHP: Are PHP functions safe against timing attacks?
15/74 DEMO #01
17/74 Do those attacks work ideally on the web?
18/74 localhost
20/74 Application jitter: 10-30 ms; Database jitter: 10-300 ms; Network jitter: 100-150 ms
21-23/74 Attack Shift: Timing attack against software implementation (Ideal) → Timing attack against business logic (Reality)
25/74 ~2500 ms
26/74 ~1500 ms
27-29/74 Login (100 ms) → Admin 2500 ms | User 1500 ms (~1000 ms apart) | Validate user 100 ms
31/74 100 ms
32/74 100 ms: Email guess, brute force attack
33/74 Which one is better?
35-39/74 100 ms, 100 ms, 100 ms (DEMO #02)
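To make the gap between the 100 ms "validate user" path and the 1500-2500 ms real login concrete, here is an added Python example (not code from the talk): a login handler whose early return for unknown accounts skips the password hash, beside one that spends the same hashing work on every request, which is the "100 ms everywhere" answer of the slides above. The user table, passwords and iteration count are constructed, and a work counter stands in for the response time an attacker would measure.

```python
import hashlib
import hmac
import os

# Constructed cost model (assumption, not from the talk): an iterated HMAC stands in
# for a real password hash (bcrypt/argon2/pbkdf2). Counting iterations instead of
# wall-clock time keeps the comparison deterministic.
ITERATIONS = 5_000
work_counter = {"iterations": 0}


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Iterated HMAC-SHA256; its cost is what shows up in the response time."""
    digest = password
    for _ in range(ITERATIONS):
        digest = hmac.new(salt, digest, hashlib.sha256).digest()
    work_counter["iterations"] += ITERATIONS
    return digest


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, slow_hash(password.encode(), salt)


# Constructed sample user table: username -> (salt, hash).
USERS = {"admin": make_record("correct horse"), "ant": make_record("battery staple")}
# Dummy record so that unknown usernames cost exactly as much as known ones.
DUMMY_SALT, DUMMY_HASH = make_record("unused-dummy-password")


def login_leaky(username: str, password: str) -> bool:
    """Early return: an unknown user never reaches the hash (the fast 100 ms path)."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(slow_hash(password.encode(), salt), stored)


def login_uniform(username: str, password: str) -> bool:
    """Always hash, always compare; the existence check is applied only at the end."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    match = hmac.compare_digest(slow_hash(password.encode(), salt), stored)
    return match and username in USERS


def work_for(fn, username: str, password: str) -> int:
    """Hash iterations spent by one login call (stand-in for measured response time)."""
    before = work_counter["iterations"]
    fn(username, password)
    return work_counter["iterations"] - before
```

This removes only the pre-auth difference; the Admin/User gap after a successful login on the following slides comes from the page logic itself and needs its own treatment.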
40/74 Login (100 ms) → Admin 2500 ms | User 1500 ms → Gender 1000 ms | Age 1000 ms | VIP 1200 ms | … ; Validate user 100 ms
41/74 Welcome Ant! ~1000 ms
42/74 ~500 ms
43/74 old
44/74 ~30 ms (Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016, p52)
45/74 ~15 ms (Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016, p54)
46/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)
48/74 404 Page not found: ~200 ms
49/74 404 Page not found: ~80 ms
51/74 Login (100 ms) → Admin 2500 ms | User 1500 ms → Gender 1000 ms | Age 1000 ms | VIP 1200 ms | … ; Validate user 100 ms; 302 / 404: 80 ms vs 1200 ms
58/74 DEMO Online
60/74 LAN: Router, IoT device, NAS server / etc., POS / Console / etc.
62/74 SuperUser (100 ms) | Login (100 ms) → Admin 2500 ms | User 1500 ms → Gender 1000 ms | Age 1000 ms | VIP 1200 ms | … ; Backdoor 400 ms; Validate user 100 ms; 302 / 404: 80 ms vs 1200 ms
64/74 DEMO #03
65/74 A000000, B000000, …, E000000, EA00000, …
66/74 Optimization is like a boomerang: you never know when it will come back and hit you. ~ Ant ~
67/74 Attack Modes: Post-auth: Administrator, Permissions, Hidden page*; Pre-auth: Hidden page*, Validate user, Backdoor; Active attacks / Passive attacks
68/74 Passive attacks
69/74 Active attacks
71-72/74 Password hash function? (DEMO #04)
73/74 Security is like an onion: peel it back layer by layer and one layer will always bring tears. ~ Ant ~
74/74 [email protected] / [email protected] / https://www.facebook.com/yftzeng.tw / https://twitter.com/yftzeng