Upgrade to Pro — share decks privately, control downloads, hide ads and more …

邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Yi-Feng Tzeng Yi-Feng Tzeng
March 29, 2018
Technology
1
350

邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

一般人對於應用程式的撰寫邏輯與順序,只考量正確性及效能面。但是從灰色的視角切入時,時序或時間差所透露的資訊往往比我們想像中來得多。本議程將針對網頁應用上的時序攻擊,探討邏輯優化可能帶來的安全問題。

Avatar for Yi-Feng Tzeng

Yi-Feng Tzeng

March 29, 2018
Tweet

More Decks by Yi-Feng Tzeng

See All by Yi-Feng Tzeng
重新想像:如何做技術選型決策 / Rethinking : Technical Decision
Avatar for Yi-Feng Tzeng yftzeng
7
2.5k
擁抱開源:企業應如何善用開源技術,才能得其利而防其弊 - 加強版
Avatar for Yi-Feng Tzeng yftzeng
0
230
Testing in Production, Deploy on Fridays
Avatar for Yi-Feng Tzeng yftzeng
0
2.8k
COSCUP 2020 Day 1 - Opening Keynote
Avatar for Yi-Feng Tzeng yftzeng
0
130
COSCUP 2020 Day 2 - Opening Keynote
Avatar for Yi-Feng Tzeng yftzeng
0
140
Severless PHP Case : Agile Dashboard via GitLab Board API
Avatar for Yi-Feng Tzeng yftzeng
0
190
Dev(Sec)Ops: Architecture for Security and Compliance
Avatar for Yi-Feng Tzeng yftzeng
0
310
給資安工程師開源授權觀念
Avatar for Yi-Feng Tzeng yftzeng
0
120
Progressive Deployment & NoDeploy
Avatar for Yi-Feng Tzeng yftzeng
0
210

Other Decks in Technology

See All in Technology
AIエージェント時代に必要な オペレーションマネージャーのロールとは
Avatar for KentaroFujii kentarofujii
0
230
Why we keep our community?
Avatar for Yasunobu Kawaguchi kawaguti
PRO
0
340
Oracle Cloud Infrastructure(OCI):Onboarding Session(はじめてのOCI/Oracle Supportご利⽤ガイド)
Avatar for oracle4engineer oracle4engineer
PRO
2
17k
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
61k
CloudFrontのHost Header転送設定でパケットの中身はどう変わるのか?
Avatar for nagisa_53 nagisa53
1
220
SaaSの操作主体は人間からAIへ - 経理AIエージェントが目指す深い自動化
Avatar for Motoshi Nishihira nishihira
0
120
Physical AI on AWS リファレンスアーキテクチャ / Physical AI on AWS Reference Architecture
Avatar for shota aws_shota
1
200
QA組織のAI戦略とAIテスト設計システムAITASの実践
Avatar for SansanTech sansantech
PRO
1
260
Zephyr(RTOS)でOpenPLCを実装してみた
Avatar for misoji engineer iotengineer22
0
160
開発チームとQAエンジニアの新しい協業モデル -年末調整開発チームで実践する【QAリード施策】-
Avatar for kaomi kaomi_wombat
0
270
BFCacheを活用して無限スクロールのUX を改善した話
Avatar for Ryuya Yanagi apple_yagi
0
130
やさしいとこから始めるGitHubリポジトリのセキュリティ
Avatar for Yuta Matsumura tsubakimoto_s
3
2k

Featured

See All Featured
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
160
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
Avatar for Christian Goodrich cargoodrich
3
140
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
6.1k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
64
53k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
38
2.8k
A Soul's Torment
Avatar for Nat Ma seathinner
5
2.6k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
300
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
HDC tutorial
Avatar for Michiel Stock michielstock
1
590
Writing Fast Ruby
Avatar for Erik Berlin sferik
630
63k

Transcript

  1. 邏輯優化的灰色面 針對網頁應用的時序攻擊 ( Timing Attacks on Web ) Ant [email protected]

    / [email protected] 2018-03-13

  2. 2/74 Introduction Coding Security Intellectual property Startup • • •

  3. 3/74 Thank @mathias for inspiring me

  4. 4/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016

  5. 5/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016

  6. 6/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016

  7. 7/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 1000 µs 1000 µs 100 µs 200 µs

  8. 8/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016

  9. 9/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 A000000 B000000 … E000000 EA00000 …

  10. 10/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016

  11. 11/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 1000 µs 1000 µs 100 µs 200 µs

  12. 12/74 Premature optimization is the root of all evil (

    過早最佳化是萬惡的根源 ) ~ Donald Knuth ~ a little bit

  13. 13/74 PHP Are PHP functions safe against timing attacks ?

  14. 14/74

  15. 15/74 DEMO #01

  16. 16/74

  17. 17/74 Those work on web ideally ?

  18. 18/74 localhost

  19. 19/74

  20. 20/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek

    jitte 100-150 ms

  21. 21/74 Attack Shift Timing atack against sofwaet impltmtntaton

  22. 22/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal

  23. 23/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal Timing

    atack against busintss logic Reality

  24. 24/74

  25. 25/74 ~2500 ms

  26. 26/74 ~1500 ms

  27. 27/74 Login Admin User 100 ms 2500 ms 1500 ms

  28. 28/74 Login Admin User 100 ms 2500 ms 1500 ms

    ~1000 ms

  29. 29/74 Login Admin User 100 ms 2500 ms 1500 ms

    Validate user 100 ms ~1000 ms

  30. 30/74

  31. 31/74 100 ms

  32. 32/74 100 ms Email guess, brute force attack

  33. 33/74 Which one is better ?

  34. 34/74

  35. 35/74 100 ms

  36. 36/74 100 ms 100 ms

  37. 37/74 100 ms 100 ms 100 ms

  38. 38/74 100 ms 100 ms 100 ms DEMO #02

  39. 39/74 100 ms 100 ms 100 ms

  40. 40/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms

  41. 41/74 Welcome Ant ! ~1000 ms

  42. 42/74 ~500 ms

  43. 43/74 old

  44. 44/74 ~30 ms Ref: Front-End Performance The Dark Side @

    ColdFront Conference 2016 (p52)

  45. 45/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 (p54) ~15 ms

  46. 46/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 (p50)

  47. 47/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms

  48. 48/74 404 Page not found ~200 ms

  49. 49/74 404 Page not found ~80 ms

  50. 50/74

  51. 51/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms

  52. 52/74

  53. 53/74

  54. 54/74

  55. 55/74

  56. 56/74

  57. 57/74

  58. 58/74 DEMO Online

  59. 59/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek

    jitte 100-150 ms

  60. 60/74 LAN Router IoT device NAS server / etc. POS

    / Console / etc.

  61. 61/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms

  62. 62/74 SuperUser Login Admin User Gender Age VIP 100 ms

    100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms Backdoor …... …... 400 ms Validate user 100 ms 302 / 404 80 ms 1200 ms

  63. 63/74

  64. 64/74 DEMO #03

  65. 65/74 A000000 B000000 … E000000 EA00000 …

  66. 66/74 最佳化就像迴旋鏢,何時不小心回來打到你,可能也不知道 ~ Ant ~

  67. 67/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden

    page* Validate user Backdoor Active attacks Passive attacks

  68. 68/74 Passive attacks

  69. 69/74 Active attacks

  70. 70/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden

    page* Validate user Backdoor Active attacks Passive attacks

  71. 71/74 password hash function ?

  72. 72/74 password hash function ? DEMO #04

  73. 73/74 安全就像洋蔥,一片一片地剝開,總有一片會讓人流淚 ~ Ant ~

  74. 74/74 [email protected] / [email protected] https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng