邏輯優化的灰色面：針對網頁應用的時序攻擊 (2018臺灣資安大會: 軟體安全論壇)

Transcript

1. 邏輯優化的灰色面 針對網頁應用的時序攻擊 ( Timing Attacks on Web ) Ant [email protected]

   / [email protected] 2018-03-13

2. 2/74 Introduction Coding Security Intellectual property Startup • • •

3. 3/74 Thank @mathias for inspiring me

4. 4/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

   2016

5. 5/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

   2016

6. 6/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

   2016

7. 7/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

   2016 1000 µs 1000 µs 100 µs 200 µs

8. 8/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

   2016

9. 9/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

   2016 A000000 B000000 … E000000 EA00000 …

10. 10/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016

11. 11/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 1000 µs 1000 µs 100 µs 200 µs

12. 12/74 Premature optimization is the root of all evil (

    過早最佳化是萬惡的根源 ) ~ Donald Knuth ~ a little bit

13. 13/74 PHP Are PHP functions safe against timing attacks ?

14. 14/74

15. 15/74 DEMO #01

16. 16/74

17. 17/74 Those work on web ideally ?

18. 18/74 localhost

19. 19/74

20. 20/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek

    jitte 100-150 ms

21. 21/74 Attack Shift Timing atack against sofwaet impltmtntaton

22. 22/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal

23. 23/74 Attack Shift Timing atack against sofwaet impltmtntaton Ideal Timing

    atack against busintss logic Reality

24. 24/74

25. 25/74 ~2500 ms

26. 26/74 ~1500 ms

27. 27/74 Login Admin User 100 ms 2500 ms 1500 ms

28. 28/74 Login Admin User 100 ms 2500 ms 1500 ms

    ~1000 ms

29. 29/74 Login Admin User 100 ms 2500 ms 1500 ms

    Validate user 100 ms ~1000 ms

30. 30/74

31. 31/74 100 ms

32. 32/74 100 ms Email guess, brute force attack

33. 33/74 Which one is better ?

34. 34/74

35. 35/74 100 ms

36. 36/74 100 ms 100 ms

37. 37/74 100 ms 100 ms 100 ms

38. 38/74 100 ms 100 ms 100 ms DEMO #02

39. 39/74 100 ms 100 ms 100 ms

40. 40/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms

41. 41/74 Welcome Ant ! ~1000 ms

42. 42/74 ~500 ms

43. 43/74 old

44. 44/74 ~30 ms Ref: Front-End Performance The Dark Side @

    ColdFront Conference 2016 (p52)

45. 45/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 (p54) ~15 ms

46. 46/74 Ref: Front-End Performance The Dark Side @ ColdFront Conference

    2016 (p50)

47. 47/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms

48. 48/74 404 Page not found ~200 ms

49. 49/74 404 Page not found ~80 ms

50. 50/74

51. 51/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms

52. 52/74

53. 53/74

54. 54/74

55. 55/74

56. 56/74

57. 57/74

58. 58/74 DEMO Online

59. 59/74 Applicaton jitte 10-30 ms Databast jitte 10-300 ms Nttwoek

    jitte 100-150 ms

60. 60/74 LAN Router IoT device NAS server / etc. POS

    / Console / etc.

61. 61/74 Login Admin User Gender Age VIP 100 ms 2500

    ms 1500 ms 1000 ms 1000 ms 1200 ms …... …... Validate user 100 ms 302 / 404 80 ms 1200 ms

62. 62/74 SuperUser Login Admin User Gender Age VIP 100 ms

    100 ms 2500 ms 1500 ms 1000 ms 1000 ms 1200 ms Backdoor …... …... 400 ms Validate user 100 ms 302 / 404 80 ms 1200 ms

63. 63/74

64. 64/74 DEMO #03

65. 65/74 A000000 B000000 … E000000 EA00000 …

66. 66/74 最佳化就像迴旋鏢，何時不小心回來打到你，可能也不知道 ~ Ant ~

67. 67/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden

    page* Validate user Backdoor Active attacks Passive attacks

68. 68/74 Passive attacks

69. 69/74 Active attacks

70. 70/74 Attack Modes Post-auth Administrator Permissions Hidden page* Pre-auth Hidden

    page* Validate user Backdoor Active attacks Passive attacks

71. 71/74 password hash function ?

72. 72/74 password hash function ? DEMO #04

73. 73/74 安全就像洋蔥，一片一片地剝開，總有一片會讓人流淚 ~ Ant ~

74. 74/74 [email protected] / [email protected] https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng