6. Lessons Learnt
CFP Feedback
Processing Feedback
But… accepted in Ekoparty 2017
$ ls -la /home/jselvi/rootedvlc18/ | tail -5
6. Lessons Learnt
Side-channels & Pizza Politicians
6. Lessons Learnt
How does web traffic work?
[Diagram: WEB SERVER -> HTML (HTTPS) -> BROWSER -> Scripts -> CONSOLE]
Compression in theory (deflate)
CRIME
[Diagram: APP DATA and USER DATA go through COMPRESS & ENCRYPT together]
Search engine not CSRF-protected (XS-Search)
/search/wrong   100kb
/search/rigg    100kb
/search/rigi    100kb
What if response size is not stable?
$ curl http://www.google.es | wc -c
12424
$ curl http://www.google.es | wc -c
12401
$ curl http://www.google.es | wc -c
12372
$ curl http://www.google.es | wc -c
12437
$ curl http://www.google.es | wc -c
12423
F****** Javascript from Hell…
$ curl http://www.google.es
[…]
Resource loading side-channel (FIESTA)
DEMO
$ ls -la /home/jselvi/rootedvlc18/ | tail -3
6. Lessons Learnt
Overview
[Diagram: SERVER, BRAIN, CONSOLE]
Size ~= Load time
https://tom.vg/2016/08/browser-based-timing-attacks/
Are timing attacks practical in HTTPS?
Where is the Proof of Concept?
$ ls -la /home/jselvi/rootedvlc18/ | tail -2
6. Lessons Learnt
Continuously improving performance
Meltdown & Spectre
https://meltdownattack.com/
CPU Caching
http://archive.arstechnica.com/paedia/c/caching/m-caching-2.html
Out-of-order / Speculative Execution
Meltdown (Out of Order Execution)
access_kernel();
access(probe_array[data * 4096]);
again:
mov al, byte [rcx]          ; rcx = kernel address: the byte is read out of order, before the fault is raised
shl rax, 0x0C               ; multiply by 4096: one probe_array page per possible byte value
jz again                    ; a zero result means the load was not delivered yet, try again
mov rbx, qword [rbx + rax]  ; rbx = probe_array: touching that page leaves it in the cache
Meltdown (Out of Order Execution)
[Diagram: probe_array pages 00 01 02 03 04 05 06 07 08, shown next to the listing above]
Spectre (Speculative Execution)
if ( x < array1_size )
y = array2[ array1[x] * 4096 ];
[Diagram: array2 pages 00 01 02 03 04 05 06 07 08, shown next to the listing above]
Why 4096??
access_kernel();
access(probe_array[data * 4096]);
if ( x < array1_size )
y = array2[ array1[x] * 4096 ];
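The Spectre bounds-check gadget from the slides next to a hardened form, as an added example that is not from the talk: the index is masked with a branchless mask in the style of the Linux kernel's array_index_mask_nospec(), so a mispredicted branch can only ever reach array1[0]. The contents of array1, the names victim_lookup / hardened_lookup / masked_index and the 16-entry size are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not from the talk): a small bounds-checked array
 * and the 256-page probe array from the slides (one 4096-byte page per value). */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = { 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6 };
static uint8_t array2[256 * 4096];

/* The gadget from the slide. Architecturally correct, but the CPU may run the
 * array2 load with an out-of-bounds x before the branch resolves, leaving a
 * cache footprint that depends on whatever byte sits at array1[x]. */
uint8_t victim_lookup(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 4096];
    return 0;
}

/* Branchless mask in the style of array_index_mask_nospec(): all ones when
 * index < size, zero otherwise. With no branch there is nothing to mispredict,
 * so the mask also holds on the speculative path. Relies on two's complement
 * and an arithmetic right shift, as gcc and clang provide. */
size_t index_mask_nospec(size_t index, size_t size) {
    return (size_t)(~(intptr_t)(index | (size - 1 - index))
                    >> (sizeof(size_t) * 8 - 1));
}

/* Index the CPU may actually use: unchanged in bounds, forced to 0 otherwise. */
size_t masked_index(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* Hardened form of the gadget: same result for every valid x, but a
 * mispredicted branch can only ever touch array1[0]. */
uint8_t hardened_lookup(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = masked_index(x, ARRAY1_SIZE);
        return array2[array1[x] * 4096];
    }
    return 0;
}

int main(void) {
    printf("mask(5,16)=%zx mask(16,16)=%zx masked_index(100,16)=%zu\n",
           index_mask_nospec(5, ARRAY1_SIZE), index_mask_nospec(16, ARRAY1_SIZE),
           masked_index(100, ARRAY1_SIZE));
    return 0;
}
```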
$ ls -la /home/jselvi/rootedvlc18/ | tail -1
6. Lessons Learnt
Lessons Learnt
• Compression is Evil
• Cache is Evil
jose.selvi@nccgroup.com
jselvi@pentester.es
@JoseSelvi