
The Gray Side of Logic Optimization

Timing Attacks on Web Applications (Timing Attacks on Web)
Ant
ant@chroot.org / yftzeng@gmail.com
2018-03-13
Introduction

Coding • Security • Intellectual property • Startup

Thank @mathias for inspiring me

Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016
[Diagram: timing labels 1000 µs, 1000 µs, 100 µs, 200 µs]
[Diagram: candidate strings A000000, B000000, E000000, EA00000]
a little bit

Premature optimization is the root of all evil
~ Donald Knuth ~

PHP

Are PHP functions safe against timing attacks?

DEMO #01

Do those work ideally on the web?

localhost

Network jitter: 100-150 ms
Application jitter: 10-30 ms
Database jitter: 10-300 ms

Attack Shift

Ideal: Timing attack against software implementation
Reality: Timing attack against business logic

~2500 ms

~1500 ms

Login: 100 ms
Validate user: 100 ms

Admin: 2500 ms
User: 1500 ms

Gap between Admin and User: ~1000 ms

100 ms

Email guess, brute force attack

Which one is better?

100 ms
100 ms
100 ms

DEMO #02
Login: 100 ms
Validate user: 100 ms

Admin: 2500 ms
User: 1500 ms

... Gender: 1000 ms, Age: 1000 ms, VIP: 1200 ms ...

~1000 ms

Welcome Ant!

~500 ms

old

~30 ms

Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p52)
~15 ms

Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p54)
Ref: Front-End Performance The Dark Side @ ColdFront Conference 2016 (p50)
~200 ms

404
Page not found

~80 ms

404
Page not found

Login: 100 ms
Validate user: 100 ms

Admin: 2500 ms
User: 1500 ms

302 / 404: 80 ms; ... Gender: 1000 ms, Age: 1000 ms, VIP: 1200 ms, 1200 ms ...

DEMO Online

[Diagram: LAN with a Router, an IoT device, POS / Console / etc., and a NAS server / etc.]

SuperUser: 100 ms
Backdoor: 400 ms

Login: 100 ms
Validate user: 100 ms

Admin: 2500 ms
User: 1500 ms

302 / 404: 80 ms; ... Gender: 1000 ms, Age: 1000 ms, VIP: 1200 ms, 1200 ms ...

DEMO #03

Optimization is like a boomerang: you may never know when it accidentally comes back and hits you.
~ Ant ~

Attack Modes

Pre-auth: Backdoor, Validate user, Hidden page*
Post-auth: Administrator, Permissions, Hidden page*

Passive attacks

Active attacks

Passive attacks

Active attacks

password hash function?

DEMO #04
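An added example, not code from the deck, that simulates the "Validate user" step and the password hash question above: a login that runs the slow password hash only for known e-mails answers unknown ones measurably faster (the e-mail-guess timing signal), while the uniform version always hashes exactly once. The functions, the in-memory user table and the constructed account are my own assumptions; `timing_gap_ms` measures the two variants locally.

```python
import hashlib, hmac, os, statistics, time

# Constructed in-memory user table: {email: (salt, pbkdf2_hash)}.
USERS = {}

def slow_hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow KDF standing in for the real password hash function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = (salt, slow_hash(password, salt))

# Dummy record hashed once at import; it can never match a submitted password.
DUMMY = (os.urandom(16), slow_hash(os.urandom(16).hex(), os.urandom(16)))

def login_leaky(email: str, password: str) -> bool:
    """Hashes only for known accounts: unknown e-mails return in microseconds."""
    rec = USERS.get(email)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(slow_hash(password, salt), expected)

def login_uniform(email: str, password: str) -> bool:
    """Performs exactly one slow hash whether or not the e-mail exists."""
    rec = USERS.get(email)
    salt, expected = rec if rec is not None else DUMMY
    ok = hmac.compare_digest(slow_hash(password, salt), expected)
    return ok and rec is not None

def median_ms(fn, email: str, password: str, runs: int = 7) -> float:
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        fn(email, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return statistics.median(samples)

def timing_gap_ms(fn, known: str, unknown: str, password: str = "wrong") -> float:
    # Gap a remote caller would measure between a known and an unknown e-mail.
    return abs(median_ms(fn, known, password) - median_ms(fn, unknown, password))

register("ant@example.test", "correct horse")  # constructed account
```

The same idea applies to the later business-logic branches (admin vs. user, 302 vs. 404): the slow work has to happen on every path, not only on the "interesting" one.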

Security is like an onion: peel it layer by layer and some layer will always make you cry.
~ Ant ~

ant@chroot.org / yftzeng@gmail.com

https://www.facebook.com/yftzeng.tw

https://twitter.com/yftzeng
