on timing and teaching marco slaviero sensepost 2009
TRANSCRIPT
On Timing and Teaching
marco slaviero
SensePost 2009
Who we are.. SensePost
Formed in 2001 Security assessment services to finance,
industrial, mining, telecoms Written a few papers.. Spoken at a number of conferences Contributed to a handful of books Done some Training
www.sensepost.com/blog
Agenda Who we are What this talk is about Background Timing vulnerabilities Timing channels Developers need our help Conclusion / Questions
Main thrust Message from users There is a gap between what implementers
know, and what they face with respect to security
Industry is failing to address this Universities are uniquely positioned to help
For fun, let’s frame it with with respect to timing attacks Received significant academic attention Allows for new demos :)
Stepping Back a Little
An illustrious history of side channel attacks on computing systems
differential power analysis hardware
EM radiation emission analysis hardware
timing analysis software/hardware
Traditional Timing Timing has received lots of attention over
the years in the area of crypt-analysis Kocher [1996]
1st local results against RSA and DH Brumley & Boneh [2003]
Derived partial RSA over network due to weaknesses in OpenSSL
Bernstein [2004] Derived full AES key across custom network clients
Percival [2005] L1 cache access times could be used on HT processors to
derive RSA key bits
Web Time Felten & Schneider [2000]
early results on timing and the web focused on privacy
browser cache snooping dns cache snooping
Grossman & Niedzialkowski [2006] SPI Dynamics [2006]
Both released a JavaScript port scanner using JS’s onerror feature. Implicitly uses timing attacks (connection timed out, hence it is closed)
Bortz, Boneh & Nandy [2007] Direct timing (valid usernames, hidden gallery sizes) Cross Site Timing
<img onerror=xxxxx>
All that research == solved, right?
In a perfect world, the pioneer work on timing should be reflected in today’s systems
Making the jump Username enumeration can be a significant
issue
*really* useful in certain circumstances But what if the application returns a standard
error page?
Happened last week…
Application could authenticate users itself (local DB) or against a configured AD
Local lookup is fast AD lookup is across the network
Timing and Privacy JavaScript portscanning Using CSS to determine if links were visited. Ed Felten in 2000 examined the dangers of
Java and Timing to users Privacy by timing load times.
• Felten’s 2000 Timing Attack on Privacy.
X.S.R.T
Cross Site Request Timing.. Simply:
1. Victim visits attackers website2. JavaScript causes Victims browser to surf to
http://www.facebook.com/friends.php?r3. JavaScript determines load time, to decide if
user is (or isnt logged in) (> 50ms - user logged in)
Problem: This doesn’t work the same for U.S victims and .ZA victims! (.za adds 100ms just by default!)
X.S.R.T We introduced the concept of a base-
page1. Fetch page available to both Logged-in and
Logged-out users (base-page) (X Seconds)2. Fetch the page available only to Logged-in
users (Y Seconds)3. Calculate X/Y
• This gives us a latency resistant method of determining logged-in/logged-out status
So serious? C’mon, those are binary decisions, where’s
the real harm? It’s inference only. (Apart from SPAMmer mining)
They were timing *vulnerabilities* What about using timing as a channel?
Web app provides an interface
A “secure” box from a network hardening point of view..
Only a single search page exposed
$search_term = $user_input;if($recordset =~ /$search_term/ig)
do_stuff();
Perl timing Regex injection
(?{`uname`;}) We can also make execution pause
(?{`sleep 20`;}) Now vary the pause and infer data
(?{`perl -e 'sleep(ord(substr(qx/uname/, 0,1)))'`;}) Finally, pause in one branch of a conditional
and extract a bit at a time (max 8*pause)(?{`perl -e
'sleep(substr((unpack('B32',pack('N',ord(s ubstr(qx/ls/, 0, 1))))), 24,1) * 2)'`;})
So, for all the research, we still find timing issues and can communicate
over timing channels
(Of course, this IS NOT limited to timing work)
Feel the application development pain (architect on down) Not exposed to security thinking in formative
years Devs struggling to bolt-on the knowledge Battling to counteract the latest exploit
Always one step behind
Fundamental knowledge clearly available in academic circles
Why are devs hurting so much? Deficient dev lifecycle
Security testing != secure software Inadequate design
Crypto Data flow
Knowledge Spot the bug Fixing takes clue Crypto != basic knowledge
Security fail
Where security education should occur Premise:
We depend on well-written programs Security is fundamental to well-written programs Not equivalent to learning libraries or frameworks
I argue: Industry has failed at this As important as compilers / graphics / AI Undergraduate level Defensive thinking techniques Practical examples help, but goal is NOT to train
hackers or push exploits
Prioritised wishlist for undergrads1. Secure coding techniques
Never trusting user input Exposure to common attack vectors Realising the power of the return code
2. Threat modeling (attack trees etc.) Powerful pen-and-paper technique for exposing design flaws
3. Destructive testing Reward resilient applications
4. SDLC modifications For the software engineers, realisation that a sole security
check before deployment is like reading a manual on the Waltz on the morning of your wedding
5. Security libraries Introduction to common libs
How can we help? Have a fair idea of what’s going wrong Improving security education could be a joint
effort Your expertise is in security theory, education,
curriculum development etc. We (industry) break systems, giving current
relevant insight Contact us with ideas (we have a few of our
own)
Conclusion. Timing attacks received much academic
attention We still find them day-to-day, something is
missing Security not core to developer education Include security in undergrad!
Really, talk to us, we want to get involved.
Questions ???
[email protected]/blog