Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)
Search
Yi-Feng Tzeng
March 29, 2018
Technology
1
340
邏輯優化的灰色面:針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)
一般人對於應用程式的撰寫邏輯與順序,只考量正確性及效能面。但是從灰色的視角切入時,時序或時間差所透露的資訊往往比我們想像中來得多。本議程將針對網頁應用上的時序攻擊,探討邏輯優化可能帶來的安全問題。
Yi-Feng Tzeng
March 29, 2018
Tweet
Share
More Decks by Yi-Feng Tzeng
See All by Yi-Feng Tzeng
重新想像:如何做技術選型決策 / Rethinking : Technical Decision
yftzeng
7
2.4k
擁抱開源:企業應如何善用開源技術,才能得其利而防其弊 - 加強版
yftzeng
0
200
Testing in Production, Deploy on Fridays
yftzeng
0
2.8k
COSCUP 2020 Day 1 - Opening Keynote
yftzeng
0
110
COSCUP 2020 Day 2 - Opening Keynote
yftzeng
0
120
Severless PHP Case : Agile Dashboard via GitLab Board API
yftzeng
0
170
Dev(Sec)Ops: Architecture for Security and Compliance
yftzeng
0
280
給資安工程師開源授權觀念
yftzeng
0
110
Progressive Deployment & NoDeploy
yftzeng
0
190
Other Decks in Technology
See All in Technology
組織の“見えない壁”を越えよ!エンタープライズシフトに必須な3つのPMの「在り方」変革 #pmconf2025
masakazu178
1
590
未回答質問の回答一覧 / 開発をリードする品質保証 QAエンジニアと開発者の未来を考える-Findy Online Conference -
findy_eventslides
0
350
Progressive Deliveryで支える!スケールする衛星コンステレーションの地上システム運用 / Ground Station Operation for Scalable Satellite Constellation by Progressive Delivery
iselegant
1
210
Tomcatが起動しない!?SecureRandomと乱数デバイスの罠
fujikawa8
1
110
学術的根拠から読み解くNotebookLMの音声活用法
shukob
0
140
re:Invent2025 事前勉強会 歴史と愉しみ方10分LT編
toshi_atsumi
0
220
Rubyist入門: The Way to The Timeless Way of Programming
snoozer05
PRO
7
540
JavaScript パーサーに using 対応をする過程で与えたエコシステムへの影響
baseballyama
1
110
AI × クラウドで シイタケの収穫時期を判定してみた
lamaglama39
1
380
AS59105におけるFreeBSD EtherIPの運用と課題
x86taka
0
210
LINEヤフー バックエンド組織・体制の紹介
lycorptech_jp
PRO
0
830
ソフトウェア開発現代史: 55%が変化に備えていない現実 ─ AI支援型開発時代のReboot Japan #agilejapan
takabow
7
4.5k
Featured
See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
10
680
How to train your dragon (web standard)
notwaldorf
97
6.4k
Rails Girls Zürich Keynote
gr2m
95
14k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.8k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.8k
The Cult of Friendly URLs
andyhume
79
6.7k
Why You Should Never Use an ORM
jnunemaker
PRO
60
9.6k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
24
1.6k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Writing Fast Ruby
sferik
630
62k
Transcript
邏輯優化的灰色面 針對網頁應用的時序攻擊 ( Timing Attacks on Web ) Ant
[email protected]
/
[email protected]
2018-03-13
2/74 Introduction Coding Security Intellectual property Startup • • •
3/74 Thank @mathias for inspiring me
4/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016
5/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016
6/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016
7/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016 1000 µs 1000 µs 100 µs 200 µs
8/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016
9/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016 A000000 B000000 … E000000 EA00000 …
10/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016
11/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016 1000 µs 1000 µs 100 µs 200 µs
12/74 Premature optimization is the root of all evil (
過早最佳化是萬惡的根源 ) ~ Donald Knuth ~ a little bit
13/74 PHP Are PHP functions safe against timing attacks ?
14/74
15/74 DEMO #01
16/74
17/74 Those work on web ideally ?
18/74 localhost
19/74
20/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek
jitte 100-150 ms
21/74 Attack Shift Timing atack against sofwaet impltmtntaton
22/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal
23/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal Timing
atack against busintss logic Reality
24/74
25/74 ~2500 ms
26/74 ~1500 ms
27/74 Login Admin User 100 ms 2500 ms 1500 ms
28/74 Login Admin User 100 ms 2500 ms 1500 ms
~1000 ms
29/74 Login Admin User 100 ms 2500 ms 1500 ms
Validate user 100 ms ~1000 ms
30/74
31/74 100 ms
32/74 100 ms Email guess, brute force attack
33/74 Which one is better ?
34/74
35/74 100 ms
36/74 100 ms 100 ms
37/74 100 ms 100 ms 100 ms
38/74 100 ms 100 ms 100 ms DEMO #02
39/74 100 ms 100 ms 100 ms
40/74 Login Admin User Gender Age VIP 100 ms 2500
ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms
41/74 Welcome Ant ! ~1000 ms
42/74 ~500 ms
43/74 old
44/74 ~30 ms Ref: Front-End Performance The Dark Side @
ColdFront Conference 2016 (p52)
45/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016 (p54) ~15 ms
46/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference
2016 (p50)
47/74 Login Admin User Gender Age VIP 100 ms 2500
ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms
48/74 404 Page not found ~200 ms
49/74 404 Page not found ~80 ms
50/74
51/74 Login Admin User Gender Age VIP 100 ms 2500
ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms
52/74
53/74
54/74
55/74
56/74
57/74
58/74 DEMO Online
59/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek
jitte 100-150 ms
60/74 LAN Router IoT device NAS server / etc. POS
/ Console / etc.
61/74 Login Admin User Gender Age VIP 100 ms 2500
ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms
62/74 SuperUser Login Admin User Gender Age VIP 100 ms
100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms Backdoor …... …... 400 ms Validate user 100 ms 302 / 404 80 ms 1200 ms
63/74
64/74 DEMO #03
65/74 A000000 B000000 … E000000 EA00000 …
66/74 最佳化就像迴旋鏢,何時不小心回來打到你,可能也不知道 ~ Ant ~
67/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden
page* Validate user Backdoor Active attacks Passive attacks
68/74 Passive attacks
69/74 Active attacks
70/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden
page* Validate user Backdoor Active attacks Passive attacks
71/74 password hash function ?
72/74 password hash function ? DEMO #04
73/74 安全就像洋蔥,一片一片地剝開,總有一片會讓人流淚 ~ Ant ~
74/74
[email protected]
/
[email protected]
https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng
yftzeng
masakazu178
findy_eventslides
iselegant
fujikawa8
shukob
toshi_atsumi
snoozer05
baseballyama
.jpg){kind=avatar}
lamaglama39
x86taka
lycorptech_jp
takabow
chriscoyier
tammyeverts
notwaldorf
gr2m
eileencodes
garrettdimon
andyhume
jnunemaker
marcelosomers
honnibal
pedronauck
sferik
![邏輯優化的灰色面 針對網頁應用的時序攻擊 ( Timing Attacks on Web ) Ant [email protected]](https://files.speakerdeck.com/presentations/693152c10f7045e8bc3c8666622964df/slide_0.jpg){kind=link}
![74/74 [email protected] / [email protected] https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng](https://files.speakerdeck.com/presentations/693152c10f7045e8bc3c8666622964df/slide_73.jpg){kind=link}