XSSearch
1. Cross-Site Search Attacks
CCS 2015
2 citations
Nethanel Gelernter, Department of Computer Science at Bar Ilan University
Amir Herzberg, Department of Computer Science at Bar Ilan University
2. Outline
● Motivation
● Background
– XS-Timing Attack
● Challenge: XS-Timing Attack
● Problem
– How to utilize characteristics of a search service to overcome the challenge
● Solution
● Evaluation
● Conclusion
4. Motivation
● Imagine you're an attacker who has a website
● You can make your visitor
– send any requests
– and measure the response time
5. Motivation
● Imagine you're an attacker who has a website
● You can make your visitor
– send any requests
– and measure the response time
● What request will you send?
7. Motivation
● What request will you send?
– request to his Gmail home page? → logged in or not
not logged in => fast, logged in => slower
8. Motivation
● What request will you send?
– request to his Gmail home page? → logged in or not
– However, the visitor's network condition varies
visitor A: not logged in => faster? visitor B: logged in => slower?
9. Motivation
● To tell whether the user is logged in or not,
– there's a dummy request,
– T(dummy) ≈ T(not logged in)
[Figure: visitor A (not logged in) and visitor B (logged in), each measured against a dummy request; times shown: 253ms, 246ms, 100ms, 15ms]
10. Motivation
● What request will you send?
– request to search on his Gmail?
● seems to be more useful
[Figure: dummy query => always no match, compared with the target query]
11. Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
12. Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
– many requests for xxxx-xxx-xxx on his Gmail?
→ find out visitor's phone number
13. Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
– many requests for xxxx-xxx-xxx on his Gmail?
→ find out visitor's phone number
– many requests for no-reply@xxx.com?
● no-reply@firstbank.com.tw → a client of Taiwan FirstBank ?
● no-reply@cht.tw → a mobile user of ChungHua Telecom?
● no-reply@amazon.com → like to shop at Amazon?
14. Motivation
● If you can make your visitor
– send any requests
– and measure the response time
● Targeting a search service can find more sensitive information
15. Motivation
● You can make your visitor
– send any requests
– and measure the response time
XS-Timing Attack
16. Motivation
● You can make your visitor
– send any requests
– and measure the response time
● XS-Search Attack = XS-Timing Attack on a search service
XS-Timing Attack
17. Outline
● Motivation
● Background
– XS-Timing Attack
● Challenge: XS-Timing Attack
● Problem
– How to utilize characteristics of a search service to overcome the challenge
● Solution
● Evaluation
● Conclusion
18. XS-Timing Attack
● You can make your visitor
– send any requests
– and measure the response time
● Questions
– How to make visitor send request?
– Why not the response content?
28. Challenge: XS-Timing Attack
● Inferring by comparing timing differences often makes mistakes!
● Response time = T(communication)+T(computation)
29. Challenge: XS-Timing Attack
● Inferring by comparing timing differences often makes mistakes!
● Response time = T(communication)+T(computation)
● Network condition
– Bad: timing difference dominated by T(communication)
– Good: T(computation) difference might be too small
30. Challenge: XS-Timing Attack
● Inferring by comparing timing differences often makes mistakes!
● Response time = T(communication)+T(computation)
● Network condition
– Bad: timing difference dominated by T(communication)
– Good: T(computation) difference might be too small
dummy  => 0 matches,  10 samples, avg 734ms
target => 50 matches, 10 samples, avg 751ms
31. Problem
dummy query: always responds fast
target query:
– fast => empty
– slower => non-empty
=> enlarge the difference
● Response time = T(communication)+T(computation)
32. Main Idea
● Strategies to enlarge the timing difference
T(communication) ∝ content length
– Response-Inflate
T(computation)
– Compute-Inflate
37. Compute-Inflate
Observation: early abort on terms which resolve to false
=> can detect even a single match on Gmail!
[Figure: evaluation of A∧B for the dummy and target queries]
38. Evaluation: Compute-Inflate
● 138 active Gmail users
– 90 university schoolmates
– 48 Amazon M-Turk workers
● Sent an email containing a single sentence
– “I like [random-animal]”
[Figure: timing distributions for the dummy and target queries]
44. Efficient Term Identification
● Which of {T1,T2,...} appears in the mailbox?
● Can you come up with a better solution?
● Naive: query terms one-by-one, O(n)
45. Efficient Term Identification
● Which of {T1,T2,...} appears in the mailbox?
● Can you come up with a better solution?
● Naive: query terms one-by-one, O(n)
● Binary search: O(log n)
46. Evaluation: Efficient Term Identification
● 138 active Gmail users
● Sent an email containing a single sentence
– “I like [random-animal]”
– 32 animal options
[Figure: accuracy and time]
47. Claimed Experiment
● Attack on credit card numbers
– Focus on MasterCard, Visa
● Format: 4-4-4-4
● Attack flow
1. Find all four 4-digit numbers (10,000 options)
2. Find the order of the 4-digit numbers
● omit wrong combinations by the credit card's checksum
48. Conclusion
● Good discovery of how a search service makes the XS-Timing Attack realistic
● Typical bad paper writing style
49. Cross-Site Search Attacks
CCS 2015
2 citations
Nethanel Gelernter, Department of Computer Science at Bar Ilan University
Amir Herzberg, Department of Computer Science at Bar Ilan University
Today's talk is about the cross-site search attack. The authors are from Bar-Ilan University in Israel.
50. Outline
● Motivation
● Background
– XS-Timing Attack
● Challenge: XS-Timing Attack
● Problem
– How to utilize characteristics of a search service to overcome the challenge
● Solution
● Evaluation
● Conclusion
This is the first paper to discover the XS-Search attack.
I'll start with the motivation: why would anyone want to mount this kind of attack?
Then the background: the principle behind XS-Search is the XS-Timing attack, and I'll explain how that works.
Then the key part: the challenge you run into when using the XS-Timing attack, which is the problem this paper solves.
The paper finds that a common characteristic of search services happens to solve that challenge.
After that come the solution, the experimental evaluation, and finally the conclusion.
52. Motivation
● Imagine you're an attacker who has a website
● You can make your visitor
– send any requests
– and measure the response time
Moreover, you can drive the browser of a visitor to your website.
You can make the visitor's browser send arbitrary requests: any request, to any destination.
Once it is sent, you can measure the request's response time.
53. Motivation
● Imagine you're an attacker who has a website
● You can make your visitor
– send any requests
– and measure the response time
● What request will you send?
So what request would you send, and what information would you want to get from it?
54. Motivation
● What request will you send?
– request to his Gmail home page?
How about sending a request to the visitor's Gmail home page?
55. Motivation
● What request will you send?
– request to his Gmail home page? → logged in or not
not logged in => fast, logged in => slower
By comparing the timing difference you can at most learn whether he is logged in. From my own experience using a computer, it is faster when logged in and slower when not logged in.
56. Motivation
● What request will you send?
– request to his Gmail home page? → logged in or not
– However, the visitor's network condition varies
visitor A: not logged in => faster? visitor B: logged in => slower?
But if you think about it carefully, something is off: the visitors are different people.
Suppose the real situation is that visitor A is not logged in and visitor B is logged in. Will A really be faster than B?
Not necessarily. A and B may be in very different geographic locations; if A's connection to Gmail needs a longer route, the measured time may instead show A slower than B. So comparing the response times of different visitors cannot tell you whether a visitor is logged in.
What can we do then?
58. Motivation
● What request will you send?
– request to search on his Gmail?
● seems to be more useful
[Figure: dummy query => always no match, compared with the target query]
Knowing whether the visitor is logged in to Gmail doesn't seem very useful.
So how about sending a request that searches the visitor's mailbox, to check whether some word has ever appeared in it?
As before, we have to deal with visitors having different network conditions. You can pick a search that you know will never match, such as a randomly generated string, and use it as a dummy.
Compared with the dummy, if the target search you care about is slower, it has results.
So what would you search for in the visitor's mailbox?
59. Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
Guess his real name? Brute-force all possible names; if one matches, you know what his name is.
60. Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
– many requests for xxxx-xxx-xxx on his Gmail?
→ find out visitor's phone number
The same brute-force search can find the visitor's mobile phone number.
61. Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
– many requests for xxxx-xxx-xxx on his Gmail?
→ find out visitor's phone number
– many requests for no-reply@xxx.com?
● no-reply@firstbank.com.tw → a client of Taiwan FirstBank ?
● no-reply@cht.tw → a mobile user of ChungHua Telecom?
● no-reply@amazon.com → like to shop at Amazon?
Also, everyone has probably received mail from no-reply@xxx: subscribed blogs, popular YouTube videos, periodic bank digests and so on. So you can learn whether the visitor is a customer of Taiwan's First Bank, whether he is a Chunghwa Telecom user, whether he has bought things on Amazon.
The more such information you know, the more convincing a scam message you can write.
62. Motivation
● If you can make your visitor
– send any requests
– and measure the response time
● Targeting a search service can find more sensitive information
So if you have the ability to drive the visitor's browser to send requests and measure timing, aiming at a search service seems very likely to turn up sensitive information.
63. Motivation
● You can make your visitor
– send any requests
– and measure the response time
XS-Timing Attack
The attack technique assumed at the start, in which you can drive the visitor's browser to send requests and measure the time, is the XS-Timing attack.
64. Motivation
● You can make your visitor
– send any requests
– and measure the response time
● XS-Search Attack = XS-Timing Attack on a search service
XS-Timing Attack
The one aimed at a search service is the XS-Search attack.
But using XS-Timing faces a big challenge. This paper is the first to find that search services happen to solve that XS-Timing challenge, which makes this kind of attack a real threat.
65. Outline
● Motivation
● Background
– XS-Timing Attack
● Challenge: XS-Timing Attack
● Problem
– How to utilize characteristics of a search service to overcome the challenge
● Solution
● Evaluation
● Conclusion
66. XS-Timing Attack
● You can make your visitor
– send any requests
– and measure the response time
● Questions
– How to make visitor send request?
– Why not the response content?
First: how does the XS-Timing attack make the visitor send any request you want?
Second: why can you only measure time? Why can't you get the response content?
75. Challenge: XS-Timing Attack
● Inferring by comparing timing differences often makes mistakes!
The challenge of the XS-Timing attack: the biggest difficulty is that the method just described, inferring whether there is a match by comparing the timing difference against the dummy, often judges wrongly.
76. Challenge: XS-Timing Attack
● Inferring by comparing timing differences often makes mistakes!
● Response time = T(communication)+T(computation)
The reason: first, the measured response time is the communication time of the network round trip plus the computation time the server spends processing the request.
77. Challenge: XS-Timing Attack
● Inferring by comparing timing differences often makes mistakes!
● Response time = T(communication)+T(computation)
● Network condition
– Bad: timing difference dominated by T(communication)
– Good: T(computation) difference might be too small
First, when the network condition is bad, even if there is a time difference from the dummy, you can't tell whether it really comes from a result rather than from delay.
Second, suppose the network is stable and the communication time is fixed. Servers today are very powerful; with or without a result the computation may be so fast that you can't see any difference.
78. Challenge: XS-Timing Attack
● Inferring by comparing timing differences often makes mistakes!
● Response time = T(communication)+T(computation)
● Network condition
– Bad: timing difference dominated by T(communication)
– Good: T(computation) difference might be too small
dummy  => 0 matches,  10 samples, avg 734ms
target => 50 matches, 10 samples, avg 751ms
Some numbers: I wrote a website that performs XS-Timing and, over a stable dorm network, measured the time of two searches in my own mailbox: a dummy that searches a random string with no match, and one that searches my account name, which has 50 matches.
Sending 10 at a time and averaging, the gap was only 25 ms.
So using the XS-Timing attack directly, even on a stable network and with 50 matches, you would very likely judge wrongly.
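To see why a gap of a few tens of milliseconds is so unreliable, here is a small simulation (an added example, not code or data from the paper or from this talk) that models Response time = T(communication)+T(computation) with Gaussian network jitter and applies the same decision rule as the slides: average a number of samples of the dummy and of the target and call the target non-empty when its average is slower. The 700 ms baseline and 40 ms jitter are assumed values, and miss_rate and samples_needed are names chosen here.

```python
import random
import statistics

# Constructed model (not the paper's code or data): a measured response time is
# T(communication), a noisy network round trip, plus T(computation) on the server.
COMM_MEAN_MS = 700.0      # assumed baseline round trip, close to the ~734 ms on the slide
COMM_JITTER_MS = 40.0     # assumed standard deviation of the network noise


def response_time_ms(rng, compute_ms, comm_mean=COMM_MEAN_MS, comm_jitter=COMM_JITTER_MS):
    """One sampled response time = noisy communication time + fixed computation time."""
    return max(0.0, rng.gauss(comm_mean, comm_jitter)) + compute_ms


def target_looks_slower(rng, dummy_compute_ms, target_compute_ms, samples):
    """The decision rule from the slides: average `samples` responses for the dummy and
    for the target, and call the target 'non-empty' when its average is slower."""
    dummy = [response_time_ms(rng, dummy_compute_ms) for _ in range(samples)]
    target = [response_time_ms(rng, target_compute_ms) for _ in range(samples)]
    return statistics.mean(target) > statistics.mean(dummy)


def miss_rate(gap_ms, samples, trials=2000, seed=7):
    """Fraction of trials in which a target that really costs `gap_ms` more computation
    than the dummy is still judged empty (a false negative of the timing oracle)."""
    rng = random.Random(seed)
    misses = sum(1 for _ in range(trials)
                 if not target_looks_slower(rng, 0.0, gap_ms, samples))
    return misses / trials


def samples_needed(gap_ms, max_miss_rate=0.05, limit=2000):
    """Smallest sample count (by doubling) whose miss rate is at or below the target,
    or None if even `limit` samples per query are not enough."""
    n = 1
    while n <= limit:
        if miss_rate(gap_ms, n) <= max_miss_rate:
            return n
        n *= 2
    return None


if __name__ == "__main__":
    print("17 ms gap, 10 samples, miss rate:", miss_rate(17.0, 10))   # the un-inflated case
    print("17 ms gap, samples needed for 5% misses:", samples_needed(17.0))
    print("500 ms gap, 10 samples, miss rate:", miss_rate(500.0, 10))  # what inflation aims for
```

With a 17 ms computation gap and 10 samples the rule misjudges roughly one trial in six, which is the "too small to see" case of the slides; once the gap is pushed to hundreds of milliseconds, which is what Response-Inflate and Compute-Inflate set out to do, the same 10 samples almost never miss. From the defender's side this is the quantity to watch: anything that shrinks the per-match timing gap or adds independent noise raises the sample count an oracle needs, but only padding responses to a constant time removes the signal entirely.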
79. Problem
dummy query: always responds fast
target query:
– fast => empty
– slower => non-empty
=> enlarge the difference
● Response time = T(communication)+T(computation)
The key to making the timing attack more effective is to enlarge the time difference from the dummy when there is a result.
80. Main Idea
● Strategies to enlarge the timing difference
T(communication) ∝ content length
– Response-Inflate
T(computation)
– Compute-Inflate
There are two directions for enlarging the time difference:
1. make the response longer when there is a match, increasing the network transfer time;
2. increase the amount of computation when there is a match.
81. Response-Inflate
Observation: the search query is copied once for each matched entry
The method of increasing the length rests on this observation: the search query you submit is copied once into every matching entry of the results.
82. Response-Inflate
Observation: the search query is copied once for each matched entry
=> extend to max(query size) < 8KB
So as long as the query is made longer, the response becomes longer. You can use OR to lengthen the query without changing the search results.
83. Compute-Inflate
Observation: early abort on terms which resolve to false
A∧B
The observation used here is that the search service evaluates the query in order and, for efficiency, usually aborts early.
For example, in the query A AND B, if the evaluation order is A then B, then when A evaluates to false it aborts immediately and saves the time of computing B.
In other words, as long as you can find a B that makes the search service compute for a long time, you can greatly increase the time difference when there is a match.
84. Compute-Inflate
Observation: early abort on terms which resolve to false
[Figure: evaluation of A∧B for the dummy and target queries]
This is not hard to design in Gmail: after the word you want to search for, append a has-not of a large number of words that do not exist at all. With 100 of them attached, Gmail must confirm that the mailbox really contains none of those words before it can return.
85. Compute-Inflate
Observation: early abort on terms which resolve to false
=> can detect even a single match on Gmail!
[Figure: evaluation of A∧B for the dummy and target queries]
The effect is very good: they claim that in an active Gmail account, even a query with only a single match can be detected.
86. Evaluation: Compute-Inflate
● 138 active Gmail users
– 90 university schoolmates
– 48 Amazon M-Turk workers
● Sent an email containing a single sentence
– “I like [random-animal]”
[Figure: timing distributions for the dummy and target queries]
To evaluate the effect of Compute-Inflate, this experiment recruited 138 active Gmail users: 90 classmates from the department and 48 MTurk workers.
Each person was sent an email with a sentence sure to appear only once: “I like [some animal]”.
91. Efficient Term Identification
● Which of {T1,T2,...} appears in the mailbox?
Next, a more useful algorithm can be developed. Suppose you have a list of words T1, T2, ... and you want to know which of them have appeared in the mailbox. How would you do it?
92. Efficient Term Identification
● Which of {T1,T2,...} appears in the mailbox?
● Can you come up with a better solution?
● Naive: query terms one-by-one, O(n)
The naive idea is to search the words one by one and see which ones hit. But anyone who has taken an algorithms course should be able to think of something better.
93. Efficient Term Identification
● Which of {T1,T2,...} appears in the mailbox?
● Can you come up with a better solution?
● Naive: query terms one-by-one, O(n)
● Binary search: O(log n)
Divide and conquer, combined with OR.
94. Evaluation: Efficient Term Identification
● 138 active Gmail users
● Sent an email containing a single sentence
– “I like [random-animal]”
– 32 animal options
[Figure: accuracy and time]
Again 138 users; each was sent a sentence that appears only once in the mailbox, “I like [some animal]”, with 32 animal options.
This time the goal was to identify accurately which animal each person likes.
The columns are different statistical tests.
With 25 sends the accuracy is about 60%; with 50 it is about 70%.
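The query shapes that Response-Inflate, Compute-Inflate and the OR-based divide and conquer produce (long OR chains, long tails of negated terms, oversized queries, and bursts of near-identical cross-site probes) are all visible to the operator of the search service, so the defensive counterpart of these slides is to look for them in the search endpoint's logs. The detector below is an added example, not from the paper or this talk, and runs over a constructed log excerpt: the log format, the hypothetical /search endpoint, the recorded Sec-Fetch-Site value, and every threshold (8 ORs, 10 negated terms, 4 KB, 5 cross-site requests from one client) are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log excerpt (not real traffic): one line per request to a hypothetical
# web-mail search endpoint; `sfs` is the Sec-Fetch-Site value the front end recorded.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 GET /search?q=invoice sfs=same-origin
10:00:02 198.51.100.7 GET /search?q=meeting+notes sfs=same-origin
10:00:05 203.0.113.9 GET /search?q=Alice+OR+Bob+OR+Carol+OR+Dave+OR+Eve+OR+Frank+OR+Grace+OR+Heidi+OR+Ivan sfs=cross-site
10:00:05 203.0.113.9 GET /search?q=alice+-zq1+-zq2+-zq3+-zq4+-zq5+-zq6+-zq7+-zq8+-zq9+-zq10+-zq11+-zq12 sfs=cross-site
10:00:06 203.0.113.9 GET /search?q=xq9f3k2l sfs=cross-site
10:00:06 203.0.113.9 GET /search?q=xq9f3k2l sfs=cross-site
10:00:07 203.0.113.9 GET /search?q=xq9f3k2l sfs=cross-site
10:00:07 203.0.113.9 GET /search?q=xq9f3k2l sfs=cross-site
10:00:08 203.0.113.9 GET /search?q=xq9f3k2l sfs=cross-site
10:00:08 203.0.113.9 GET /search?q=xq9f3k2l sfs=cross-site
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) GET /search\?q=(?P<q>\S*) sfs=(?P<sfs>\S+)$")

# Assumed thresholds; tune them to the real distribution of legitimate queries.
MAX_OR_OPERATORS = 8      # OR chains lengthen the query (Response-Inflate) or batch terms
MAX_NEGATED_TERMS = 10    # long has-not tails force extra evaluation (Compute-Inflate)
MAX_QUERY_BYTES = 4096    # the slides note queries can grow toward 8 KB
BURST_LIMIT = 5           # cross-site search requests from one client in the excerpt


def parse_line(line):
    """Split one log line into its fields, decoding the query; None if it is not a search."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["q"] = unquote_plus(rec["q"])
    return rec


def query_flags(q):
    """Reasons a single query string looks inflated, independent of who sent it."""
    terms = q.split()
    or_count = sum(1 for t in terms if t == "OR")
    neg_count = sum(1 for t in terms if t.startswith("-") and len(t) > 1)
    size = len(q.encode("utf-8"))
    reasons = []
    if or_count >= MAX_OR_OPERATORS:
        reasons.append(f"or-inflated({or_count})")
    if neg_count >= MAX_NEGATED_TERMS:
        reasons.append(f"negation-padded({neg_count})")
    if size >= MAX_QUERY_BYTES:
        reasons.append(f"oversized({size}B)")
    return reasons


def analyse(log_text):
    """Return (alerts, bursts): alerts are (line_no, client, reasons) for every suspicious
    request; bursts maps a client to its count of cross-site search requests once that
    count reaches BURST_LIMIT, the repeated dummy/target probing the slides describe."""
    alerts = []
    cross_site = defaultdict(int)
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = query_flags(rec["q"])
        if rec["sfs"] == "cross-site":
            # A logged-in search initiated by another site is the XS-Search precondition.
            reasons.append("cross-site-initiator")
            cross_site[rec["client"]] += 1
        if reasons:
            alerts.append((line_no, rec["client"], reasons))
    bursts = {c: n for c, n in cross_site.items() if n >= BURST_LIMIT}
    return alerts, bursts


if __name__ == "__main__":
    found, hot = analyse(SAMPLE_LOG)
    for line_no, client, reasons in found:
        print(f"line {line_no} {client}: {', '.join(reasons)}")
    print("bursting clients:", hot)
```

On the excerpt the two same-origin searches pass silently, the OR chain and the negation tail are flagged by shape alone, and the six repeated probes of a random string are caught only by the cross-site initiator and burst rules, which is why the Sec-Fetch-Site value (or, on older browsers, Origin/Referer) is worth logging on any endpoint that searches a logged-in user's data.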
95. Claimed Experiment
● Attack on credit card numbers
– Focus on MasterCard, Visa
● Format: 4-4-4-4
● Attack flow
1. Find all four 4-digit numbers (10,000 options)
2. Find the order of the 4-digit numbers
● omit wrong combinations by the credit card's checksum
Next is the one I was really looking forward to: they say they used their own accounts to test finding credit card numbers, but I was disappointed. Perhaps for ethical reasons, they only describe the method in the text and give no results.
The idea is that credit card numbers have a format: groups of 4 digits separated by dashes or spaces.
So divide and conquer over the 10,000 possibilities of one 4-digit group at a time finds which four 4-digit groups they are, and then you try the ordering.
96. Conclusion
● Good discovery of how a search service makes the XS-Timing Attack realistic
● Typical bad paper writing style
This paper's discovery that search services can be used to greatly improve the XS-Timing attack, traditionally thought infeasible, is very interesting.
The drawback is the writing style: it is exactly the kind of bad paper my advisor keeps warning me not to pick. The main idea and the algorithm are clearly simple, yet they are written in a convoluted way.
The experiments are the same: picking one data set as representative would do, but they insist on a pile of identical experiments that stuff the paper full, to no clear purpose, while the parts everyone is interested in are glossed over. Not good.
We should take it as a warning.
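The slides assess the attack but do not discuss how a site keeps its logged-in search endpoint from answering cross-site requests in the first place. The two checks below are an added example of that, not something the paper proposes: the endpoint refuses requests whose Fetch Metadata header Sec-Fetch-Site says cross-site (falling back to Origin/Referer for browsers that do not send it), and the session cookie is issued with SameSite so that a request from another site does not carry the login at all, which turns the timing oracle into a search of an empty, anonymous mailbox. ALLOWED_ORIGIN and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Added example, not from the paper: assumed origin of the web-mail site itself.
ALLOWED_ORIGIN = "https://mail.example.test"

# Fetch Metadata values for requests the search endpoint should serve: the site's own
# pages, its sibling subdomains, and user-initiated navigations (address bar, bookmark).
TRUSTED_SEC_FETCH_SITE = {"same-origin", "same-site", "none"}


def request_origin(url):
    """Scheme and host part of an Origin or Referer value, e.g. https://mail.example.test."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def allow_search_request(headers):
    """Decide whether a request to the logged-in search endpoint may be answered.
    Returns (allowed, reason). Sec-Fetch-Site, set by the browser and not writable
    by page script, is authoritative when present; otherwise Origin/Referer decide,
    and a request with no initiator information is refused (fail closed)."""
    h = {name.lower(): value for name, value in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        return sfs in TRUSTED_SEC_FETCH_SITE, f"sec-fetch-site={sfs}"
    initiator = h.get("origin") or h.get("referer")
    if not initiator:
        return False, "no initiator information"
    origin = request_origin(initiator)
    if origin == ALLOWED_ORIGIN:
        return True, "same-origin initiator"
    return False, f"cross-origin initiator {origin}"


def session_cookie_header(token, strict=False):
    """Set-Cookie value for the login session. SameSite=Lax keeps the cookie off
    cross-site subresource and XHR/fetch requests, so a timing probe from another
    site runs as an anonymous user and searches nothing; Strict also withholds it
    on cross-site top-level navigations."""
    same_site = "Strict" if strict else "Lax"
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite={same_site}"
```

SameSite=Lax still attaches the cookie to cross-site top-level GET navigations, so a site that wants the search endpoint unreachable even through a navigation either marks that cookie Strict or treats the Sec-Fetch-Site check as the authoritative control; the fallback branch denies requests with no initiator information, which breaks non-browser API clients unless they are exempted separately.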