
The Gray Side of Logic Optimization: Timing Attacks on Web Applications (2018 Taiwan Cyber Security Summit: Software Security Forum)


Most developers consider only correctness and performance when deciding the logic and ordering of their application code. Viewed from the gray side, however, the information revealed by timing, or by differences in timing, is often far greater than we imagine. This session looks at timing attacks on web applications and examines the security problems that logic optimization can introduce.



  1. The Gray Side of Logic Optimization: Timing Attacks on Web Applications (Timing Attacks on Web). Ant, ant@chroot.org / yftzeng@gmail.com, 2018-03-13
  2. Introduction: Coding, Security, Intellectual property, Startup
  3. Thank @mathias for inspiring me
  4. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
  5. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
  6. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
  7. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016. 1000 µs, 1000 µs, 100 µs, 200 µs
  8. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
  9. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016. A000000 B000000 … E000000 EA00000 …
  10. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
  11. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016. 1000 µs, 1000 µs, 100 µs, 200 µs
  12. Premature optimization is the root of all evil ~ Donald Knuth ~ a little bit
  13. PHP: Are PHP functions safe against timing attacks?
  14.
  15. DEMO #01
  16.
  17. Do those work ideally on the web?
  18. localhost
  19.
  20. Application jitter 10-30 ms; Database jitter 10-300 ms; Network jitter 100-150 ms
  21. Attack Shift: Timing attack against software implementation
  22. Attack Shift: Timing attack against software implementation (Ideal)
  23. Attack Shift: Timing attack against software implementation (Ideal); Timing attack against business logic (Reality)
  24.
  25. ~2500 ms
  26. ~1500 ms
  27. Login: Admin, User. 100 ms, 2500 ms, 1500 ms
  28. Login: Admin, User. 100 ms, 2500 ms, 1500 ms, ~1000 ms
  29. Login: Admin, User. 100 ms, 2500 ms, 1500 ms. Validate user 100 ms, ~1000 ms
  30.
  31. 100 ms
  32. 100 ms. Email guess, brute force attack
  33. Which one is better?
  34.
  35. 100 ms
  36. 100 ms, 100 ms
  37. 100 ms, 100 ms, 100 ms
  38. 100 ms, 100 ms, 100 ms. DEMO #02
  39. 100 ms, 100 ms, 100 ms
  40. Login: Admin, User, Gender, Age, VIP. 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, … Validate user 100 ms
  41. Welcome Ant! ~1000 ms
  42. ~500 ms
  43. old
  44. ~30 ms. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p52)
  45. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p54). ~15 ms
  46. Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)
  47. Login: Admin, User, Gender, Age, VIP. 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, … Validate user 100 ms
  48. 404 Page not found ~200 ms
  49. 404 Page not found ~80 ms
  50.
  51. Login: Admin, User, Gender, Age, VIP. 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, … Validate user 100 ms. 302 / 404 80 ms, 1200 ms
  52.
  53.
  54.
  55.
  56.
  57.
  58. DEMO Online
  59. Application jitter 10-30 ms; Database jitter 10-300 ms; Network jitter 100-150 ms
  60. LAN: Router, IoT device, NAS server, etc. / POS, Console, etc.
  61. Login: Admin, User, Gender, Age, VIP. 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms, … Validate user 100 ms. 302 / 404 80 ms, 1200 ms
  62. SuperUser. Login: Admin, User, Gender, Age, VIP. 100 ms, 100 ms, 2500 ms, 1500 ms, 1000 ms, 1000 ms, 1200 ms. Backdoor … 400 ms. Validate user 100 ms. 302 / 404 80 ms, 1200 ms
  63.
  64. DEMO #03
  65. A000000 B000000 … E000000 EA00000 …
  66. Optimization is like a boomerang: you may not even notice when it comes back and hits you. ~ Ant ~
  67. Attack Modes. Post-auth: Administrator, Permissions, Hidden page*. Pre-auth: Hidden page*, Validate user, Backdoor. Active attacks / Passive attacks
  68. Passive attacks
  69. Active attacks
  70. Attack Modes. Post-auth: Administrator, Permissions, Hidden page*. Pre-auth: Hidden page*, Validate user, Backdoor. Active attacks / Passive attacks
  71. password hash function?
  72. password hash function? DEMO #04
  73. Security is like an onion: peel it layer by layer and one layer will always make you cry. ~ Ant ~
  74. ant@chroot.org / yftzeng@gmail.com https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng
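An added example (not code from the talk) contrasting the two login orderings the slides describe: rejecting an unknown email before the expensive password hash (the ~100 ms "Validate user" branch versus the seconds-long known-user branch) against doing uniform work for every request. PBKDF2-SHA256, the sample user and the decoy credential are assumptions standing in for the application's own password hash and user store.

```python
import hashlib
import hmac
import os
import time

# Constructed example store; PBKDF2-SHA256 stands in for whatever password hash the app uses.
ITERATIONS = 20_000
HASH_CALLS = {"n": 0}  # instrumentation: how many times the expensive hash has run


def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"ant@example.com": (_SALT, hash_password("correct horse", _SALT))}
# Decoy credential (assumed): unknown accounts are checked against it so they pay the same cost.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = hash_password(os.urandom(16).hex(), _DECOY_SALT)


def login_validate_first(email: str, password: str) -> bool:
    """The 'validate user first' ordering from the slides: an unknown email is rejected
    after a cheap lookup, a known one only after the full hash, so the response time
    tells the caller which emails exist."""
    if email not in USERS:
        return False
    salt, stored = USERS[email]
    return hash_password(password, salt) == stored  # plain == is not constant-time either


def login_uniform(email: str, password: str) -> bool:
    """Hardened ordering: hash on every request, compare in constant time, and only then
    fold in whether the account exists, so both branches perform the same work."""
    salt, stored = USERS.get(email, (_DECOY_SALT, _DECOY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return matched and email in USERS


def hash_work(login, email: str, password: str) -> int:
    """Number of expensive hash computations one login attempt triggers; a difference
    between known and unknown emails is the signal a timing measurement picks up."""
    before = HASH_CALLS["n"]
    login(email, password)
    return HASH_CALLS["n"] - before


if __name__ == "__main__":
    for login in (login_validate_first, login_uniform):
        for email in ("ant@example.com", "nobody@example.com"):
            t0 = time.perf_counter()
            login(email, "wrong password")
            print(f"{login.__name__:22s} {email:20s} {time.perf_counter() - t0:.4f}s")
```

Run it locally and the first function shows a clear gap between the two emails while the second shows none; the same uniform-work rule applies to the "Welcome" and 302/404 branches later in the deck.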
