Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Timing and Teaching marco slaviero SensePost 2009.

Similar presentations

Presentation on theme: "On Timing and Teaching marco slaviero SensePost 2009."— Presentation transcript:

1 On Timing and Teaching marco slaviero SensePost 2009

2 Who we are.. SensePost Formed in 2001 Security assessment services to finance, industrial, mining, telecoms Written a few papers.. Spoken at a number of conferences Contributed to a handful of books Done some Training

3 Agenda Who we are What this talk is about Background Timing vulnerabilities Timing channels Developers need our help Conclusion / Questions

4 Main thrust Message from users There is a gap between what implementers know, and what they face with respect to security Industry is failing to address this Universities are uniquely positioned to help For fun, lets frame it with with respect to timing attacks Received significant academic attention Allows for new demos :)

5 Stepping Back a Little An illustrious history of side channel attacks on computing systems differential power analysis hardware EM radiation emission analysis hardware timing analysis software/hardware

6 Traditional Timing Timing has received lots of attention over the years in the area of crypt-analysis Kocher [1996] 1st local results against RSA and DH Brumley & Boneh [2003] Derived partial RSA over network due to weaknesses in OpenSSL Bernstein [2004] Derived full AES key across custom network clients Percival [2005] L1 cache access times could be used on HT processors to derive RSA key bits

7 Web Time Felten & Schneider [2000] early results on timing and the web focused on privacy browser cache snooping dns cache snooping Grossman & Niedzialkowski [2006] SPI Dynamics [2006] Both released a JavaScript port scanner using JSs onerror feature. Implicitly uses timing attacks (connection timed out, hence it is closed) Bortz, Boneh & Nandy [2007] Direct timing (valid usernames, hidden gallery sizes) Cross Site Timing

8 All that research == solved, right? In a perfect world, the pioneer work on timing should be reflected in todays systems

9 Making the jump Username enumeration can be a significant issue *really* useful in certain circumstances But what if the application returns a standard error page?

10 Happened last week… Application could authenticate users itself (local DB) or against a configured AD Local lookup is fast AD lookup is across the network



13 Timing and Privacy JavaScript portscanning Using CSS to determine if links were visited. Ed Felten in 2000 examined the dangers of Java and Timing to users Privacy by timing load times. Feltens 2000 Timing Attack on Privacy.

14 X.S.R.T Cross Site Request Timing.. Simply: 1. Victim visits attackers website 2. JavaScript causes Victims browser to surf to 3. JavaScript determines load time, to decide if user is (or isnt logged in) (> 50ms - user logged in) Problem: This doesnt work the same for U.S victims and.ZA victims! (.za adds 100ms just by default!)

15 X.S.R.T We introduced the concept of a base-page 1. Fetch page available to both Logged-in and Logged-out users (base-page) (X Seconds) 2. Fetch the page available only to Logged-in users (Y Seconds) 3. Calculate X/Y This gives us a latency resistant method of determining logged-in/logged-out status

16 So serious? Cmon, those are binary decisions, wheres the real harm? Its inference only. (Apart from SPAMmer mining) They were timing *vulnerabilities* What about using timing as a channel?

17 Web app provides an interface A secure box from a network hardening point of view.. Only a single search page exposed $search_term = $user_input; if($recordset =~ /$search_term/ig) do_stuff();

18 Perl timing Regex injection (?{`uname`;}) We can also make execution pause (?{`sleep 20`;}) Now vary the pause and infer data (?{`perl -e 'sleep(ord(substr(qx/uname/, 0,1)))'`;}) Finally, pause in one branch of a conditional and extract a bit at a time (max 8*pause) (?{`perl -e 'sleep(substr((unpack('B32',pack('N',ord(s ubstr(qx/ls/, 0, 1))))), 24,1) * 2)'`;})

19 So, for all the research, we still find timing issues and can communicate over timing channels (Of course, this IS NOT limited to timing work)

20 Feel the application development pain (architect on down) Not exposed to security thinking in formative years Devs struggling to bolt-on the knowledge Battling to counteract the latest exploit Always one step behind Fundamental knowledge clearly available in academic circles

21 Why are devs hurting so much? Deficient dev lifecycle Security testing != secure software Inadequate design Crypto Data flow Knowledge Spot the bug Fixing takes clue Crypto != basic knowledge Security fail

22 Where security education should occur Premise: We depend on well-written programs Security is fundamental to well-written programs Not equivalent to learning libraries or frameworks I argue: Industry has failed at this As important as compilers / graphics / AI Undergraduate level Defensive thinking techniques Practical examples help, but goal is NOT to train hackers or push exploits

23 Prioritised wishlist for undergrads 1. Secure coding techniques Never trusting user input Exposure to common attack vectors Realising the power of the return code 2. Threat modeling (attack trees etc.) Powerful pen-and-paper technique for exposing design flaws 3. Destructive testing Reward resilient applications 4. SDLC modifications For the software engineers, realisation that a sole security check before deployment is like reading a manual on the Waltz on the morning of your wedding 5. Security libraries Introduction to common libs

24 How can we help? Have a fair idea of whats going wrong Improving security education could be a joint effort Your expertise is in security theory, education, curriculum development etc. We (industry) break systems, giving current relevant insight Contact us with ideas (we have a few of our own)

25 Conclusion. Timing attacks received much academic attention We still find them day-to-day, something is missing Security not core to developer education Include security in undergrad! Really, talk to us, we want to get involved.

26 Questions ???

Download ppt "On Timing and Teaching marco slaviero SensePost 2009."

Similar presentations

Ads by Google