邏輯優化的灰色面：針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

•

3 likes•1,253 views

This document discusses timing attacks against web applications. It begins by referencing a previous conference presentation on timing attacks and front-end performance vulnerabilities. It then demonstrates how subtle differences in response times can reveal privileged information, like whether a username is valid. The document advocates adding random delays to responses to mitigate these timing attack vectors. It provides several examples of timing attacks in practice and potential mitigation techniques to obscure timing patterns and prevent secret information leakage.

Technology

邏輯優化的灰色面
針對網頁應用的時序攻擊
( Timing Attacks on Web )
Ant
ant@chroot.org / yftzeng@gmail.com
2018-03-13

2/74
Introduction
Coding Security Intellectual property Startup• • •

4/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

5/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

6/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

7/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
1000 µs
1000 µs
100 µs
200 µs

8/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

9/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
A000000
B000000
…
E000000
EA00000
…

10/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

11/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
1000 µs
1000 µs
100 µs
200 µs

12/74
Premature optimization is the root of all evil
( 過早最佳化是萬惡的根源 )
~ Donald Knuth ~
a little bit

13/74
PHP
Are PHP functions safe against timing attacks ?

20/74
Applicaton jitte
10-30 ms
Databast jitte
10-300 ms
Nttwoek jitte
100-150 ms

21/74
Attack Shift
Timing atack against sofwaet impltmtntaton

22/74
Attack Shift
Timing atack against sofwaet impltmtntaton
Ideal

23/74
Attack Shift
Timing atack against sofwaet impltmtntaton
Ideal
Timing atack against busintss logic
Reality

27/74
Login
Admin User
100 ms
2500 ms 1500 ms

28/74
Login
Admin User
100 ms
2500 ms 1500 ms
~1000 ms

29/74
Login
Admin User
100 ms
2500 ms 1500 ms
Validate user
100 ms
~1000 ms

32/74
100 ms
Email guess, brute force attack

40/74
Login
Admin User
Gender Age VIP
100 ms
2500 ms 1500 ms
1000 ms 1000 ms 1200 ms
…...…...
Validate user
100 ms

44/74
~30 ms
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p52)

45/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p54)
~15 ms

46/74
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)

47/74
Login
Admin User
Gender Age VIP
100 ms
2500 ms 1500 ms
1000 ms 1000 ms 1200 ms
…...…...
Validate user
100 ms

51/74
Login
Admin User
Gender Age VIP
100 ms
2500 ms 1500 ms
1000 ms 1000 ms 1200 ms
…...…...
Validate user
100 ms
302 / 404
80 ms 1200 ms

59/74
Applicaton jitte
10-30 ms
Databast jitte
10-300 ms
Nttwoek jitte
100-150 ms

60/74
LAN
Router
IoT device
NAS server / etc.POS / Console / etc.

61/74
Login
Admin User
Gender Age VIP
100 ms
2500 ms 1500 ms
1000 ms 1000 ms 1200 ms
…...…...
Validate user
100 ms
302 / 404
80 ms 1200 ms

62/74
SuperUser
Login
Admin User
Gender Age VIP
100 ms
100 ms
2500 ms 1500 ms
1000 ms 1000 ms 1200 ms
Backdoor
…...…...
400 ms
Validate user
100 ms
302 / 404
80 ms 1200 ms

65/74
A000000
B000000
…
E000000
EA00000
…

66/74
最佳化就像迴旋鏢，何時不小心回來打到你，可能也不知道
~ Ant ~

67/74
Attack Modes
Post-auth
Administrator Permissions Hidden page*
Pre-auth
Hidden page*Validate userBackdoor
Active attacks
Passive attacks

70/74
Attack Modes
Post-auth
Administrator Permissions Hidden page*
Pre-auth
Hidden page*Validate userBackdoor
Active attacks
Passive attacks

74/74
ant@chroot.org / yftzeng@gmail.com
https://www.facebook.com/yftzeng.tw
https://twitter.com/yftzeng

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2l3WkBO. Shwetha Nagaraja & Federico Rocha explore in detail some of the most interesting heavily-optimized techniques and strategies that Autodesk Forge Viewer introduces for viewing extremely large 2D and 3D models in the browser in real-time. These include progressive rendering to reduce time to first pixel, geometry consolidation to reduce draw overhead, etc. Filmed at qconnewyork.com. Shwetha Nagaraja is a software engineer at Autodesk. Federico Rocha is a senior software engineer at Autodesk.

Traveler's Guide to Cassandra

DataStax Academy

【TECH×GAME COLLEGE#32】ゼロからリアルタイムサーバーを作るまで

techgamecollege

Flash PresentationSamuel Adams, MBA

重新想像：如何做技術選型決策 / Rethinking : Technical Decision

Yi-Feng Tzeng

《技術管理者論壇：商業與技術的平衡》【主題】重新想像：如何做技術選型決策技術選型是個既『成熟』又『新鮮』的老話題。成熟的是網路充斥著各種資訊；新鮮的是技術每年推陳出新，總會帶來新變化。本場次會以全新有趣又直擊靈魂的問題引導方式，與大家一同深入技術選型的眾多領域。這趟旅程未必有答案，畢竟複雜的問題沒有唯一解，但我提出的問題會嘗試讓你與自己對話，就請跟著我一起試著顛覆既有的認知，並重新回到更深處的思考本質。議題包括但不限於， ➊ 只著眼於「技術」的技術選型，常以失敗告終，為何？ ➋ 老技術不好嗎？新技術不行嗎？永遠會面對的兩難議題。 ➌ Agile & DevOps 對技術選型與管理的影響，以及為何有些技術人討厭與排斥？ ➍ 引入 Cache 不好嗎？套用 Microservices 不好嗎？轉為 Sharding 不好嗎？資料庫怎麼選？選型的本質探討。 ➎ 技術人討厭 OKR？或許我們換個角度，不僅會樂於採用還可讓解決問題的實力大增。

擁抱開源：企業應如何善用開源技術，才能得其利而防其弊-加強版

Yi-Feng Tzeng

國外企業不論大小對開源技術的採用意願極高，採用成熟度高的開源技術一來可以加快研發速度，二來也會大幅降低營運成本。但台灣企業對開源技術的認知程度較低，擔心穩定性、安全性與支援性等問題，但甚少花時間去了解，當你用正確的心態去看待開源，且有妥善的管理機制去管理它，開源技術將是企業的重大助力。加強版新增了幾個案例，以及 GDPR/CCPA 相關的解決方案。

Testing in Production, Deploy on Fridays

Yi-Feng Tzeng

本議程將分享如何利用 Serverless PHP，實作出敏捷儀表板 (Agile Dashboard) 定期報告的經驗。過去每週我都會為三個技術團隊產生敏捷儀表板，以檢視團隊的敏捷健康度，並找出問題點。包括：Sprint 的團隊狀況、Sprint 的個人狀況、Burnup Chart、Cycle Time Chart 等。流程上，團隊使用 GitLab Board 管理開發進度，各類事項的建置、進度與完成均在其上。為了配合產出合適的敏捷儀表板，我們也制定了一套「Label」管理辦法，可以為所有事項標示出必要的屬性，包括 Story points 等。如此，我只要透用 GitLab API 就可以隨時調出任何事項的異動狀態，並繪製出團隊所需要的報告。技術上，為節省管理及維運成本，從工作排程 (例如每週一次)、程式部署 (Severless)，到報告下載點 (Cloud Storage)，均由雲端平台服務完成。

給資安工程師開源授權觀念

Yi-Feng Tzeng

Progressive Deployment & NoDeploy

Yi-Feng Tzeng

Dev(Sec)Ops - Architecture for Security and Compliance

Yi-Feng Tzeng

技術無邊，資安及法遵有邊。軟體架構師規畫架構時，有時會忽略資安及法規的重要性。面對各國各式的法令及商業契約遵循要求，現代軟體架構設計時也應當具備合理的因應措施，包括 2012 年《個人資料保護法》及今年號稱「史上最嚴格的個人資料保護法」的《GDPR》等。此議程將探討軟體架構設計如何應對各種資安自動化及法遵的挑戰。

擁抱開源：企業應如何善用開源技術，才能得其利而防其弊

Yi-Feng Tzeng

國外企業不論大小對開源技術的採用意願極高，採用成熟度高的開源技術一來可以加快研發速度，二來也會大幅降低營運成本。但台灣企業對開源技術的認知程度較低，擔心穩定性、安全性與支援性等問題，但甚少花時間去了解，當你用正確的心態去看待開源，且有妥善的管理機制去管理它，開源技術將是企業的重大助力。

淺談量子機器學習 - 當機器學習遇見量子計算

Yi-Feng Tzeng

量子機器學習 (Quantum Machine Learning) 旨在融和量子計算及機器學習方法，為跨越兩領域的新興研究學科。量子計算與機器學習各為很深的研究領域，在探索量子機器學習之前，必須對此兩者有基本的瞭解。在此領域，我仍是一名持續學習的實習生，在本次演講將與大家一同交流，探討量子機器學習會如何影響資料科學及經典機器學習。

A Modern Web Architecture for (GDPR) Compliance

Yi-Feng Tzeng

技術無邊，法遵有邊。多數軟體架構師規畫架構時，往往忽略法令及契約的重要性。面對各國各式的法令及商業契約遵循要求，現代軟體架構設計時也應當具備合理的因應措施，包括 2012 年《個人資料保護法》及今年號稱「史上最嚴格的個人資料保護法」的《GDPR》等。此議程將探討軟體架構設計如何應對各種法遵及契約的挑戰。

量子技術 (2018 03-31)

Yi-Feng Tzeng

Swoole Love PHP

Yi-Feng Tzeng

今天公司內訓的簡報摘錄。研究 Swoole 多年，也確實在上線環境正式運行很久且穩定，所以與同事分享點滴與技巧。除了一點範例程式外，分享著重的是【架構】差異，延伸出去再與 Nginx/PHP, Node 及 Go 進行一些比較。主要是提出幾個問題，希望引發思考： ➊ 很多人都說 Swoole 快，是哪裡快？(其實我覺得網路上的資訊不夠全面，講得也不一定為真) ➋ 猜想 Nginx/PHP, Swoole, Node, Go 基礎效能比較？還能最佳化嗎？何處著手？ ➌ 其他。

Modern Web Architecture Design Journey

Yi-Feng Tzeng

善用 MySQL 及 PostgreSQL - RDBMS 的逆襲 - part1

Yi-Feng Tzeng

恰如其分的 MySQL 設計技巧 [Modern Web 2016]

Yi-Feng Tzeng

「有流量再說」是很多老闆及工程師面對未來風險的態度。當風險來得又快又急時，技術轉換債及架構轉換債問題突現，措手不及的團隊只好加班趕工，有時甚至必須長期中斷服務，進而影響營運及商譽。但若過度遵循計畫式設計 (Planned Design)，因無法事先對未來場景需求有全面瞭解，反而可能導致設計錯誤。本議程將與您一同討論「恰如其分的設計」技巧。

談 Uber 從 PostgreSQL 轉用 MySQL 的技術爭議

Yi-Feng Tzeng

資料庫索引數據結構及主鍵設計(b+tree)(part 1)

Yi-Feng Tzeng

軟體接案自由職業者 (Freelancer) 意想不到的風險

Yi-Feng Tzeng

Enterprise Architecture Case in PHP (MUZIK Online)

Yi-Feng Tzeng

Redis, another step on the road

Yi-Feng Tzeng

Introduction to Redis 3.0, and it’s features and improvements. What’s difference between Redis / Memcached / Aerospike ? The strong sides of Redis, and away from the weak sides. 本議程介紹 Redis 3.0 及其歷史，探討 Redis 的特性與改進。並一併分析 Redis / Memcached / Aerospike 三者之間的差異，有助於未來面對業務場景需求提供瞭解與判斷。最後，分享 Redis 適用之場景，及其不適用場景下的備案或整合方案。議程適於 Redis 初學者、對 Redis 想深入瞭解者，及曾經莫名被 Redis 雷擊或坑殺者。

淺入淺出 MySQL & PostgreSQL

Yi-Feng Tzeng

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Assure Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Assure Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

The Metaverse and AI: how can decision-makers harness the Metaverse for their...

Jen Stirrup

The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives? How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Enhancing Performance with Globus and the Science DMZ

Globus

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Free Complete Python - A step towards Data Science

RinaMondal9

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing

Assure Contact Center Experiences for Your Customers With ThousandEyes

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Epistemic Interaction - tuning interfaces to provide information for AI support

PCI PIN Basics Webinar from the Controlcase Team

Introduction to CHERI technology - Cybersecurity

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

UiPath Test Automation using UiPath Test Suite series, part 4

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Essentials of Automations: The Art of Triggers and Actions in FME

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

The Art of the Pitch: WordPress Relationships and Sales

The Metaverse and AI: how can decision-makers harness the Metaverse for their...

Elevating Tactical DDD Patterns Through Object Calisthenics

Enhancing Performance with Globus and the Science DMZ

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Free Complete Python - A step towards Data Science

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

邏輯優化的灰色面：針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

1. 邏輯優化的灰色面針對網頁應用的時序攻擊 ( Timing Attacks on Web ) Ant ant@chroot.org / yftzeng@gmail.com 2018-03-13

2. 2/74 Introduction Coding Security Intellectual property Startup• • •

3. 3/74 Thank @mathias for inspiring me

4. 4/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

5. 5/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

6. 6/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

7. 7/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 1000 µs 1000 µs 100 µs 200 µs

8. 8/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

9. 9/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 A000000 B000000 … E000000 EA00000 …

10. 10/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016

11. 11/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 1000 µs 1000 µs 100 µs 200 µs

12. 12/74 Premature optimization is the root of all evil ( 過早最佳化是萬惡的根源 ) ~ Donald Knuth ~ a little bit

13. 13/74 PHP Are PHP functions safe against timing attacks ?

14. 14/74

15. 15/74 DEMO #01

16. 16/74

17. 17/74 Those work on web ideally ?

18. 18/74 localhost

19. 19/74

20. 20/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek jitte 100-150 ms

21. 21/74 Attack Shift Timing atack against sofwaet impltmtntaton

22. 22/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal

23. 23/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal Timing atack against busintss logic Reality

24. 24/74

25. 25/74 ~2500 ms

26. 26/74 ~1500 ms

27. 27/74 Login Admin User 100 ms 2500 ms 1500 ms

28. 28/74 Login Admin User 100 ms 2500 ms 1500 ms ~1000 ms

29. 29/74 Login Admin User 100 ms 2500 ms 1500 ms Validate user 100 ms ~1000 ms

30. 30/74

31. 31/74 100 ms

32. 32/74 100 ms Email guess, brute force attack

33. 33/74 Which one is better ?

34. 34/74

35. 35/74 100 ms

36. 36/74 100 ms 100 ms

37. 37/74 100 ms 100 ms 100 ms

38. 38/74 100 ms 100 ms 100 ms DEMO #02

39. 39/74 100 ms 100 ms 100 ms

40. 40/74 Login Admin User Gender Age VIP 100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms …...…... Validate user 100 ms

41. 41/74 Welcome Ant ! ~1000 ms

42. 42/74 ~500 ms

43. 43/74 old

44. 44/74 ~30 ms Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p52)

45. 45/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p54) ~15 ms

46. 46/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)

47. 47/74 Login Admin User Gender Age VIP 100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms …...…... Validate user 100 ms

48. 48/74 404 Page not found ~200 ms

49. 49/74 404 Page not found ~80 ms

50. 50/74

51. 51/74 Login Admin User Gender Age VIP 100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms …...…... Validate user 100 ms 302 / 404 80 ms 1200 ms

52. 52/74

53. 53/74

54. 54/74

55. 55/74

56. 56/74

57. 57/74

58. 58/74 DEMO Online

59. 59/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek jitte 100-150 ms

60. 60/74 LAN Router IoT device NAS server / etc.POS / Console / etc.

61. 61/74 Login Admin User Gender Age VIP 100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms …...…... Validate user 100 ms 302 / 404 80 ms 1200 ms

62. 62/74 SuperUser Login Admin User Gender Age VIP 100 ms 100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms Backdoor …...…... 400 ms Validate user 100 ms 302 / 404 80 ms 1200 ms

63. 63/74

64. 64/74 DEMO #03

65. 65/74 A000000 B000000 … E000000 EA00000 …

66. 66/74 最佳化就像迴旋鏢，何時不小心回來打到你，可能也不知道 ~ Ant ~

67. 67/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden page*Validate userBackdoor Active attacks Passive attacks

68. 68/74 Passive attacks

69. 69/74 Active attacks

70. 70/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden page*Validate userBackdoor Active attacks Passive attacks

71. 71/74 password hash function ?

72. 72/74 password hash function ? DEMO #04

73. 73/74 安全就像洋蔥，一片一片地剝開，總有一片會讓人流淚 ~ Ant ~

74. 74/74 ant@chroot.org / yftzeng@gmail.com https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng