Büro für Gestaltung Wangler & Abele, 04. April 2011
Time is on my Side - Exploiting Timing Side Channel Vulnerabilities on the Web
Sebastian Schinzel*
Friedrich-Alexander Universität Erlangen-Nürnberg, Lehrstuhl für Informatik 1, IT-Sicherheitsinfrastrukturen
Web 1.0: [email protected]
Web 2.0: https://twitter.com/seecurity
*Supported by Deutsche Forschungsgemeinschaft (DFG) as part of SPP 1496 “Reliably Secure Software Systems”
Thursday, 29. December 11
Me
• PhD candidate at the Security Research Group within the Department of Computer Science in Erlangen (Prof. Felix Freiling)
• Side Channel attacks & mitigations
• Software security, Penetration Testing
• Professional work at Virtual Forge GmbH
• SAP Security, focus on SAP’s programming language ABAP
• Static code analysis, Penetration Testing
Penetration Testing - Movies vs. Reality
Hollywood-style penetration testing:
http://en.wikipedia.org/wiki/Swordfish_(film)
“Gabriel pressures Stanley [...] to hack a government system in 60 seconds while simultaneously being held at gunpoint by Gabriel's bodyguard [...] and receiving fellatio from a young woman. [...]
Stanley succeeded in hacking the system.”
Penetration Testing - Movies vs. Reality
A bit more structure when outside of Hollywood:
• Preparation
• Reconnaissance (gather information)
• Evaluation of gathered information
• Testing & Exploiting
• Reporting
What “Domino’s Pizza” knows about US foreign affairs...
“And Bomb The Anchovies” - http://www.time.com/time/magazine/article/0,9171,970860,00.html
Common Invasive Attacks vs. Side Channel Attacks
Invasive attacks (e.g. Buffer Overflows, SQL Injection, XSS, Format String Injection, ...)
➡ change original control flow
Side Channels (storage side channels, timing side channels)
➡ don’t change original control flow
[Figure: original control flow vs. rogue control flow]
Storage Side Channels
Benign differences on protocol level correlate with sensitive information [7] (here Typo3 backend)

Non-existent user name (s=0):
HTTP/1.1 200 OK
Date: Mon, 25 Jan 2010 11:47:45 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny4
Expires: 0
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 25 Jan 2010 11:47:45 GMT
Vary: Accept-Encoding
Content-Type: text/html;charset=iso-8859-1
Content-Length: 5472

Existing user name (s=1):
HTTP/1.1 200 OK
Date: Mon, 25 Jan 2010 11:47:55 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 25 Jan 2010 11:47:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html;charset=iso-8859-1
Content-Length: 5472
Timing Side Channels
Response time depends on secret information (Typo3 backend)
[Flowchart of the backend login: User exists? (No → Error page) → User locked? (Yes → Error page) → User expired? (Yes → Error page) → Password correct? (No → Error page); two of the paths are marked 1 and 2 in the figure]
Unfortunately, it’s not that easy...
• Problem: random-like delays (jitter) make measuring response times difficult
• You cannot directly measure response time t, but only t + jitter
• Analysing timing channels can be quite challenging...
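An added example, my own code rather than anything from the talk or from Typo3, showing the defect the flowchart describes and the usual fix. `login_leaky` returns as soon as the user name is unknown, so that path never hashes a password and finishes earlier; `login_constant_work` hashes and compares on every path and only combines the outcome at the end. The user store, the dummy salt/hash and the `work` list (which counts hash operations so the difference is visible without relying on wall-clock time) are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store. PBKDF2 with a low iteration count so the example runs
# quickly; real deployments use far more iterations.
ITERATIONS = 2000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "locked": False}


USERS = {"admin": make_user("correct horse battery staple")}

# Dummy credentials verified when the user name is unknown, computed once at
# start-up so the unknown-user path costs the same as a real verification.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("dummy", DUMMY_SALT)


def login_leaky(username: str, password: str, work: list) -> bool:
    """Mirrors the flowchart: unknown or locked users leave before any hashing."""
    user = USERS.get(username)
    if user is None:                       # exit 1: no hash work at all
        return False
    if user["locked"]:
        return False
    work.append("hash")
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])   # exit 2 or success


def login_constant_work(username: str, password: str, work: list) -> bool:
    """Hardened: one hash and one comparison on every request, whatever the
    account state; the decision is assembled after the work is done."""
    user = USERS.get(username)
    salt = user["salt"] if user is not None else DUMMY_SALT
    expected = user["hash"] if user is not None else DUMMY_HASH
    work.append("hash")
    candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(candidate, expected)
    account_ok = user is not None and not user["locked"]
    return password_ok and account_ok


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        for name in ("admin", "31337"):
            work = []
            fn(name, "wrong", work)
            print(f"{fn.__name__:22s} {name:6s} hash operations: {len(work)}")
```

Equal hash counts do not by themselves prove equal response times (database lookups and the locked/expired checks also cost time), so the hardened version still has to be measured with the techniques the rest of the talk describes.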
Analysing Timing Measurements - Difficulty of Timing Measurements
• Example: Two different values measured many times
[Figure: density of the response time (ms) between 35 and 50 ms, one curve for s=0 and one for s=1]
Min: 34, Max: 150, Avg: 39, Med: 37
Dos and Don’ts of Timing Measurements
Dos and Don’ts of Timing Measurements - Timing Precision
• Measurement precision over network down to single digit microseconds
• ... and even hundreds of nanoseconds in certain scenarios [1]
• A few tips of how to do timing measurements over networks:
Dos and Don’ts of Timing Measurements - Fine-grained timer
Use fine-grained timer (rdtsc assembly instruction)

#include <stdint.h>

typedef uint64_t ticks;   /* the slide's snippet assumed this type */

/* Read the x86 time stamp counter. cpuid serialises execution, so rdtsc
   is not reordered ahead of the instructions that precede it. */
static inline ticks read_tsc(void)
{
    unsigned long minor;
    unsigned long mayor;
    asm volatile(
        "cpuid \n"              // Prevent out of order execution
        "rdtsc"
        : "=a"(minor),          // lower 32bit of result
          "=d"(mayor)           // upper 32bit of result
        : "a"(0)
        : "%ebx", "%ecx");
    // Result: 64 bit value with clock ticks since CPU initialisation
    return (((ticks) mayor) << 32) | ((ticks) minor);
}
Dos and Don’ts of Timing Measurements - Fine-grained timer
Use fine-grained timer (rdtsc assembly instruction)
• PRO: tied to the CPU clock speed
• 1 rdtsc tick = 1/clock speed
• 1 rdtsc tick on 2GHz CPU = 0.5 nanoseconds
• CON: tied to the CPU clock speed
• Clock speed fluctuations because of power management
• Conversion from rdtsc ticks to seconds? No platform-independent way to get CPU clock speed
Dos and Don’ts of Timing Measurements - Parallelise measurements
Naïve timing measurement approach:
1. measure A = ⟨A1, A2, A3, A4, ..., An⟩ at time ta
2. measure B = ⟨B1, B2, B3, B4, ..., Bn⟩ at time tb
3. compare the sets of timings A and B for significant timing differences
Problem: The jitter at time ta was probably different than at time tb
Better timing measurement approach:
1. measure alternatingly A1, B1, A2, B2, A3, B3, A4, B4, ..., An, Bn
2. separate A and B
3. compare the sets of timings A and B
Solution: The jitter in A and B is approximately the same
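An added example (my own simulation, not the talk’s tooling) that makes the difference between the two approaches visible without a network: a constructed target whose response time is a secret-dependent base (100 µs for A, 105 µs for B), a slow drift in network delay that plays the role of jitter changing between ta and tb, and exponential random jitter on top. The naive schedule measures all of A before all of B and so attributes the drift to the secret; the interleaved schedule sees nearly the same drift in both sets. The 5 µs difference, the 0.02 µs/step drift and the jitter parameters are assumptions chosen for the illustration.

```python
import random
import statistics

# Constructed model parameters (microseconds).
BASE_US = 100.0
SECRET_DIFFERENCE_US = 5.0    # what we want to measure
DRIFT_US_PER_STEP = 0.02      # load on the path slowly increasing
JITTER_MEAN_US = 3.0          # exponential tail of occasional long delays


def simulated_response_time(variant: int, t: int, rng: random.Random) -> float:
    """variant 0 = request type A, 1 = request type B; t = measurement index."""
    base = BASE_US + SECRET_DIFFERENCE_US * variant
    drift = DRIFT_US_PER_STEP * t
    jitter = rng.expovariate(1.0 / JITTER_MEAN_US)
    return base + drift + jitter


def measure_naive(n: int, rng: random.Random):
    """All of A at time ta, then all of B at time tb: every B sample carries
    n * DRIFT_US_PER_STEP more drift than the A samples did."""
    a = [simulated_response_time(0, t, rng) for t in range(n)]
    b = [simulated_response_time(1, t, rng) for t in range(n, 2 * n)]
    return a, b


def measure_interleaved(n: int, rng: random.Random):
    """A1, B1, A2, B2, ...: neighbouring samples experience the same conditions,
    so separating the sets afterwards cancels the drift."""
    a, b = [], []
    for i in range(n):
        a.append(simulated_response_time(0, 2 * i, rng))
        b.append(simulated_response_time(1, 2 * i + 1, rng))
    return a, b


def estimated_difference(a, b) -> float:
    """Median rather than mean: robust against the exponential jitter tail."""
    return statistics.median(b) - statistics.median(a)


def compare(n: int = 1000, seed: int = 1):
    """Return (naive estimate, interleaved estimate) of the secret difference."""
    naive = estimated_difference(*measure_naive(n, random.Random(seed)))
    inter = estimated_difference(*measure_interleaved(n, random.Random(seed)))
    return naive, inter


if __name__ == "__main__":
    naive, inter = compare()
    print(f"true difference: {SECRET_DIFFERENCE_US} us")
    print(f"naive schedule estimates:       {naive:.2f} us")
    print(f"interleaved schedule estimates: {inter:.2f} us")
```

With the defaults the naive schedule reports a difference of roughly 25 µs (the real 5 µs plus 20 µs of drift), while the interleaved schedule lands close to 5 µs; the same interleaving is what makes a later comparison with the box test meaningful.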
Dos and Don’ts of Timing Measurements - Choose starting and end point for measurements
Starting & end point for measurements (naïve approach):
1. ⌛ start timer
2. send request
3. receive response
4. ⌛ stop timer
[Sequence diagram: Sender and Receiver, request and response in flight, timer T running from start to stop; the figure contrasts the naïve approach, using blocking sockets, and per-packet timings]
Dos and Don’ts of Timing Measurements - Choose starting and end point for measurements
Starting & end point for measurements (using blocking sockets):
1. send n-1 bytes of request
2. ⌛ start timer
3. send last byte of request
4. receive response
5. ⌛ stop timer
Dos and Don’ts of Timing Measurements - Choose starting and end point for measurements
Starting & end point for measurements (per-packet timings):
1. send n-1 bytes of request
2. ⌛ start timer
3. send last byte of request
4. wait for receipt of nth byte of response
5. ⌛ stop timer
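An added example implementing the five steps above over a plain TCP socket; this is my own code, not FAU Timer, whose source the talk does not show. Python’s `time.perf_counter_ns()` stands in for the rdtsc-based timer from the earlier slide, and the `stop_after_bytes` parameter chooses which response byte stops the clock (1 for the first byte, n for the nth byte as in the slide). The request and the local stand-in server are constructed so the example runs offline; against a real target you would connect to it instead and discard the first few dozen measurements as the talk advises.

```python
import socket
import threading
import time

REQUEST = b"GET /login HTTP/1.0\r\nHost: example.test\r\n\r\n"   # constructed request


def start_stand_in_server() -> int:
    """Constructed stand-in for the target: accepts one connection, reads a
    request up to its terminating blank line, answers with a fixed response,
    then closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while not data.endswith(b"\r\n\r\n"):   # wait for the complete request
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def timed_request(host: str, port: int, request: bytes, stop_after_bytes: int = 1):
    """Time one request exactly as the slide describes.
    Returns (elapsed nanoseconds, full response)."""
    with socket.create_connection((host, port)) as s:
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)  # no Nagle buffering
        s.sendall(request[:-1])                       # 1. send n-1 bytes
        t0 = time.perf_counter_ns()                   # 2. start timer
        s.sendall(request[-1:])                       # 3. send last byte
        received = b""
        while len(received) < stop_after_bytes:       # 4. wait for the nth byte
            chunk = s.recv(4096)
            if not chunk:
                break
            received += chunk
        t1 = time.perf_counter_ns()                   # 5. stop timer
        while True:                                   # drain the rest, untimed
            chunk = s.recv(4096)
            if not chunk:
                break
            received += chunk
    return t1 - t0, received


def measure_local(repetitions: int = 20) -> list:
    """Measure the stand-in server `repetitions` times; returns nanoseconds."""
    times = []
    for _ in range(repetitions):
        port = start_stand_in_server()
        elapsed, response = timed_request("127.0.0.1", port, REQUEST)
        if not response.endswith(b"ok"):
            raise RuntimeError("unexpected response from stand-in server")
        times.append(elapsed)
    return times


if __name__ == "__main__":
    for ns in measure_local(5):
        print(f"{ns / 1000:.1f} us")
```

Sending everything but the last byte first means the timer only covers the moment the request becomes complete on the server, not the time spent streaming a long request body; the blocking `recv` is what makes the stop point well defined.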
Dos and Don’ts of Timing Measurements - Miscellaneous tips
Miscellaneous tips for timing measurements
• Disable power management (e.g. SpeedStep)
• Measure over the wire (no Wi-Fi)
• Disable periodic tasks on your local machine
• Keep your part of the network idle (in other words, don’t do it from hacker conferences...)
• Skip the first few dozen measurements (jitter because of cache warm-up)
Dos and Don’ts of Timing Measurements - Presenting FAU Timer
Presenting FAU Timer
• Request/response handling within a compact C library
• Ported to Python (others are planned)
• Encapsulates logic for timing measurement
• Just send your requests, the lib does all the measurements
[Figure: Timing Attack Script → FAU Timer (Timing Measurement) → Network Sockets → Target Server]
Dos and Don’ts of Timing Measurements - Presenting FAU Timer
Demo
Lots of help from Isabell Schmitt and Niels Iciek
Planned release in January, will be announced on Twitter: @seecurity
Analysing Timing Measurements
Analysing Timing Measurements - Analyse measurements graphically
• Tools
  • Your favorite spreadsheet
  • Gnuplot, Matlab, Stata, R, ...
• Display data in various plot types
  • Scatter-Plot (detect temporal disturbances, overall quality of measurements)
  • Box-Plot (compare median, min, max, lower & upper quartile)
  • Histogram, Cumulative Distribution Function (CDF) (compare distributions of data sets)
Analysing Timing Measurements - Analyse measurements graphically - Scatterplot
• Show raw data in Scatterplot
• Apply filter
  • Min-filter is intuitive but not optimal
  • Low-percentile filter is better
[Scatter plot of the raw measurements, annotated “No obvious timing differences”, “Outliers”, and “WTF?” at an unexplained disturbance]
Analysing Timing Measurements - 28c3 in Action
Time: 16:30 in the speakers’ room:
28c3 in action...
[Figure of the measurements, annotated “Not so sure about that...”]
Analysing Timing Measurements - Analyse measurements graphically - Box Plot (also Whisker Plot)
[Box plot, annotated: upper quartile (75th percentile), Median (50th percentile), lower quartile (25th percentile)]
Analysing Timing Measurements - Analyse measurements graphically - Cumulative Distribution Function (CDF)
[CDF plot, annotated: “Uniform distribution”, “~75% of all values are < 2e+08”]
Analysing Timing Measurements - Analyse measurements graphically - Cumulative Distribution Function (CDF)
[Second CDF plot with two magnified regions]
Analysing Timing Measurements - Presenting FAU Analyser
Analyse measurements with algorithms
• Standard algorithms
  • Student’s t-test (requires normally distributed data → not applicable)
  • Wilcoxon-Test (applicable, but performs poorly)
• Crosby’s “Box Test” [1] seems to work best
  • Filter: only use measurements between 5th and 10th percentile
• Stay tuned for demo...
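An added example, my own code and not FAU Analyser, covering the filtering discussed under the scatter plot (min filter vs. low-percentile filter), the min/max/avg/median summary shown next to the density plot, and the box test used here: build the box between the 5th and 10th percentile of each measurement set and call the sets distinguishable when the boxes do not overlap. That is my reading of the test in Crosby et al. [1]; the nearest-rank percentile, the parameter defaults and the constructed sample data (exponential jitter with one spuriously fast sample and one slow outlier) are assumptions of this example.

```python
import math
import random


def percentile(values, p: float) -> float:
    """Nearest-rank percentile (0 < p <= 100) of an unsorted sequence."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summary(values) -> dict:
    """The four numbers shown next to the density plot: min, max, avg, med."""
    ordered = sorted(values)
    return {"min": ordered[0], "max": ordered[-1],
            "avg": sum(ordered) / len(ordered), "med": percentile(ordered, 50)}


def min_filter(values) -> float:
    """Intuitive: the fastest observation carries the least jitter. Fragile,
    because one spuriously fast sample (timer glitch, cached response) wins."""
    return min(values)


def low_percentile_filter(values, lo: float = 5, hi: float = 10) -> list:
    """Keep the samples between the lo-th and hi-th percentile: little jitter,
    but not the extreme minimum, so single glitches have no effect."""
    a, b = percentile(values, lo), percentile(values, hi)
    return [v for v in values if a <= v <= b]


def box_test(a, b, lo: float = 5, hi: float = 10) -> bool:
    """Box test: the [lo, hi] percentile box of each set; distinguishable if
    the two boxes do not overlap."""
    a_lo, a_hi = percentile(a, lo), percentile(a, hi)
    b_lo, b_hi = percentile(b, lo), percentile(b, hi)
    return a_hi < b_lo or b_hi < a_lo


def constructed_samples(shift_us: float, n: int = 1000, seed: int = 7) -> list:
    """Constructed timings: base 100 us plus shift, exponential jitter (mean 3 us),
    one spuriously fast sample and one slow outlier. Requires n > 500."""
    rng = random.Random(seed)
    samples = [100.0 + shift_us + rng.expovariate(1.0 / 3.0) for _ in range(n)]
    samples[10] = 60.0      # glitch: faster than any real response
    samples[500] = 900.0    # slow outlier, as seen in the scatter plot
    return samples


if __name__ == "__main__":
    a = constructed_samples(0.0, seed=7)
    b = constructed_samples(2.0, seed=8)
    print("summary(A):", summary(a))
    print("min filter A:", min_filter(a), " low-percentile band A:",
          min(low_percentile_filter(a)), "..", max(low_percentile_filter(a)))
    print("A vs B distinguishable:", box_test(a, b))
    print("A vs A' distinguishable:", box_test(a, constructed_samples(0.0, seed=9)))
```

The 2 µs shift between A and B is small next to the 3 µs mean jitter, yet the box test separates the sets because it looks only at the low-jitter end of each distribution; the min filter, in contrast, reports the 60 µs glitch as A’s response time.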
Examples for attacks
Examples for attacks - User Name Guessing at Typo3 Backend
Guessing administrative user names at Typo3 backend (similar to [3])
• Attacker chooses non-existing user name, e.g. ‘31337’
• the user name in question: ‘admin’
• Hypothesis: login requests with ‘admin’ take measurably longer than those with ‘31337’
Examples for attacks - User Name Guessing at Typo3 Backend
Demo
Lots of help from Isabell Schmitt and Niels Iciek
Planned release in January, will be announced on Twitter: @seecurity
Examples for attacks - Amount of Private Pictures in Gallery
Guessing amount of hidden pictures in Gallery [3]
• Attacker wants to view private pictures in Gallery
• Question: which album contains many private pictures?
• Hypothesis: response time of displaying album depends on the absolute amount of pictures
  • response_time ~= #public pictures + #private pictures
Examples for attacks - Amount of Private Pictures in Gallery
All albums show only a single picture to anonymous users
[Plot “Amount of Hidden Pictures per Album”: filtered response time (microseconds, 100000 to 200000) against amount of hidden subalbums per album (0 to 70), with a “No delay” reference]
Examples for attacks - Breaking XML Encryption - What is XML Encryption?
Breaking XML Encryption
• Joint work with Juraj Somorovsky and Tibor Jager from Ruhr-Uni-Bochum
What is XML Encryption?
• ⇒ encrypt subtrees of XML doc
• session key is RSA-encrypted (hybrid encryption)
• subtree AES-encrypted with session key

<Envelope>
  <Header>
    <Security>
      <EncryptedKey Id="EncKeyId">
        <EncryptionMethod Algorithm="...xmlenc#rsa-1_5"/>
        <KeyInfo>...</KeyInfo>
        <CipherData>
          <CipherValue>Y2bh...fPw==</CipherValue>
        </CipherData>
        <ReferenceList>
          <DataReference URI="#EncDataId-2"/>
        </ReferenceList>
      </EncryptedKey>
    </Security>
  </Header>
  <Body>
    <EncryptedData Id="EncDataId-2">
      <EncryptionMethod Algorithm="...xmlenc#aes128-cbc"/>
      <CipherData>
        <CipherValue>3bP...Zx0=</CipherValue>
      </CipherData>
    </EncryptedData>
  </Body>
</Envelope>

ckey: the RSA-encrypted session key (the CipherValue inside EncryptedKey); cdata: the AES-encrypted subtree (the CipherValue inside EncryptedData)
Examples for attacks - Breaking XML Encryption - What is XML Encryption?
Decrypting XML Encryption messages
1. Decrypt session key m = dec_rsa(ckey)
2. Return error if m does not comply with PKCS#1, else:
3. Decrypt cdata (results in XML subtree)
4. Copy subtree in XML doc
5. Parse XML doc
6. Return error if XML doc is invalid
Timing difference?
→ Determine PKCS#1 compliance through response time
Examples for attacks - Breaking XML Encryption - Bleichenbacher attack
“Bleichenbacher attack” [9]
• breaks RSA within ~1 million requests
requires Oracle O:
• O tells if a chosen ciphertext decrypts to PKCS#1-compliant encoding
PKCS#1 conformance check: 00 02 | padding string | 00 | data block (session key)
[Figure: the Sender’s message m(ckey, cdata) goes to the Receiver; the Attacker sends m(c1, cdata), m(c2, cdata), ... and learns from each response “PKCS#1 conforming?”, so the Receiver acts as the Oracle]
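An added example, my own code and not the decryption logic of any XML Encryption library, serving both the six decryption steps above and the PKCS#1 block layout just shown. `pkcs1_v15_unpad` checks the 00 02 | padding | 00 | key layout without early exits, `process_leaky` reproduces steps 1–6 as listed (the padding error returns before cdata is touched), and `process_hardened` applies the countermeasure TLS uses for the same problem (RFC 5246, section 7.4.7.1): on a padding failure continue with a random session key, so decryption and parsing run and fail exactly as for a valid key, and the caller receives one indistinguishable error. AES-CBC is replaced by a repeating-key XOR stand-in so the example runs without a crypto library; the 16-byte key length, the sample padded block and the `work` list that records which steps ran are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

KEY_LEN = 16   # AES-128 session key, matching the aes128-cbc message on the slide


def pkcs1_v15_unpad(em: bytes, key_len: int):
    """Check 00 02 | >= 8 non-zero padding bytes | 00 | key, returning (ok, key).
    `key` is always the last key_len bytes, valid or not; `ok` is accumulated
    with bitwise operations so every input walks the same code path."""
    if len(em) < key_len + 11:          # length is public (RSA modulus size)
        return False, em[-key_len:]
    sep = len(em) - key_len - 1         # the 00 separator has to sit here
    bad = em[0] | (em[1] ^ 0x02) | em[sep]
    bad |= 1 if sep - 2 < 8 else 0      # padding string too short
    for i in range(2, sep):
        bad |= ((em[i] - 1) >> 8) & 1   # 1 exactly when em[i] == 0, no early exit
    return bad == 0, em[sep + 1:]


def decrypt_data_stand_in(key: bytes, cdata: bytes) -> bytes:
    """Constructed stand-in for AES-CBC: repeating-key XOR (its own inverse)."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(cdata))


def parse_subtree(plaintext: bytes) -> bool:
    """Steps 4-6: copy the subtree into the document and parse it."""
    try:
        ET.fromstring(plaintext)
        return True
    except ET.ParseError:
        return False


def process_leaky(em: bytes, cdata: bytes, work: list) -> str:
    """Steps 1-6 exactly as listed: a padding failure returns immediately."""
    ok, key = pkcs1_v15_unpad(em, KEY_LEN)
    if not ok:
        return "error"                  # fast path: no decryption, no parsing
    work.append("decrypt")
    plaintext = decrypt_data_stand_in(key, cdata)
    work.append("parse")
    return "ok" if parse_subtree(plaintext) else "error"


def process_hardened(em: bytes, cdata: bytes, work: list) -> str:
    """Countermeasure: never return early. On a padding failure substitute a
    random key so steps 3-6 run with the same cost, then report one error."""
    ok, key = pkcs1_v15_unpad(em, KEY_LEN)
    key = key if ok else os.urandom(KEY_LEN)   # selection, not an exit
    work.append("decrypt")
    plaintext = decrypt_data_stand_in(key, cdata)
    work.append("parse")
    parsed = parse_subtree(plaintext)
    return "ok" if (ok and parsed) else "error"


# Constructed sample: a 32-byte padded block (13 padding bytes) and a cdata that
# decrypts to a small XML subtree under the real session key.
SESSION_KEY = bytes(range(KEY_LEN))
GOOD_EM = b"\x00\x02" + b"\xaa" * 13 + b"\x00" + SESSION_KEY
BAD_EM = b"\x00\x01" + b"\xaa" * 13 + b"\x00" + SESSION_KEY   # wrong block type
CDATA = decrypt_data_stand_in(SESSION_KEY, b"<a>secret</a>")

if __name__ == "__main__":
    for fn in (process_leaky, process_hardened):
        for label, em in (("compliant", GOOD_EM), ("non-compliant", BAD_EM)):
            work = []
            result = fn(em, CDATA, work)
            print(f"{fn.__name__:17s} {label:14s} -> {result:5s} steps run: {work}")
```

The hardened path still has to be measured: the padding check itself, the error message and any logging on the failure path must not differ either, and a real AES decryption of a 100 KB or 1 MB cdata is exactly the kind of work whose presence or absence the plots that follow make visible.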
Examples for attacks - Breaking XML Encryption - Bleichenbacher attack
Bleichenbacher attack + XML Encryption?
[Plot: response time (milliseconds, 0 to 100) against size of cdata (KBytes, 0 to 1000), one series for PKCS#1 compliant and one for not PKCS#1 compliant ciphertexts]
Page 74
Büro
für G
esta
ltung
Wan
gler
& A
bele
04.
Apr
il 20
11
Examples for attacks: Breaking XML Encryption - Possibilistic Timing Side Channel Attack

[Figure: possibilistic timing side channel attack. Response-time measurements (+) are plotted against the request number, split into a learning phase and an attack phase.]

Learning phase: measurements for PKCS#1 compliant ciphertexts (decryption starts) establish the "PKCS#1 compliance boundary", the learned boundary t_min.

Attack phase: a measurement below the boundary (X) is a non PKCS#1 compliant measurement (decryption does not start). A measurement above the boundary (X) allows no decision: either a) compliant + low jitter, or b) not compliant + high jitter. Repeat the measurement n times.
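The decision procedure of the learning and attack phases, as an added worked example that is not part of the original slides or of the FAU tools. The server model (800 µs error path, 2200 µs extra when cdata is decrypted, exponentially distributed jitter) and the `margin` parameter are assumptions made for the example; only the one-sided rule is from the slides: a response faster than the learned boundary t_min cannot come from a compliant ciphertext, a slower response is undecidable and is measured again.

```python
"""Possibilistic timing oracle for the XML Encryption attack (toy model).

Assumed server behaviour, as in the slides: a PKCS#1 compliant ckey makes the
server go on to decrypt the (large) cdata, a non-compliant one makes it stop
early.  Network jitter only ever adds time, so a response faster than the
fastest compliant response t_min cannot belong to a compliant ciphertext.
"""
import random
from typing import Callable, Iterable, Optional, Tuple


def learn_tmin(compliant_times: Iterable[float], margin: float = 0.0) -> float:
    """Learning phase: measure ciphertexts known to be PKCS#1 compliant (e.g. a
    message the attacker encrypted themselves) and take the fastest response as
    the boundary.  `margin` (assumed parameter) lowers the boundary a little: a
    compliant response with less jitter than anything seen while learning would
    otherwise be misclassified as 'not compliant'."""
    times = list(compliant_times)
    if not times:
        raise ValueError("learning phase needs at least one measurement")
    return min(times) - margin


def classify_one(t: float, t_min: float) -> Optional[str]:
    """Attack phase, one measurement.  Below t_min the cdata decryption cannot
    have started -> 'not compliant'.  At or above t_min no decision is possible
    (compliant + low jitter, or not compliant + high jitter) -> None."""
    return "not compliant" if t < t_min else None


def oracle_query(measure: Callable[[], float], t_min: float, n: int) -> Tuple[str, int]:
    """One oracle query = up to n requests with the same ciphertext.  The first
    measurement below t_min settles 'not compliant'; if all n stay above it we
    accept 'compliant'.  Returns (verdict, number of requests actually sent)."""
    for sent in range(1, n + 1):
        if classify_one(measure(), t_min) == "not compliant":
            return "not compliant", sent
    return "compliant", n


def simulate(n: int = 5, queries: int = 1000, p_compliant: float = 0.02,
             seed: int = 1) -> dict:
    """Run the oracle against a simulated server.  Constructed figures: 800 us
    error path, +2200 us when cdata is decrypted, exponential jitter, mean 150 us."""
    rng = random.Random(seed)

    def server(compliant: bool) -> float:
        return 800.0 + (2200.0 if compliant else 0.0) + rng.expovariate(1 / 150.0)

    t_min = learn_tmin(server(True) for _ in range(200))
    sent = wrong = 0
    for _ in range(queries):
        truth = rng.random() < p_compliant            # what the server really saw
        verdict, k = oracle_query(lambda: server(truth), t_min, n)
        sent += k
        wrong += int((verdict == "compliant") != truth)
    return {"t_min": t_min, "requests_per_query": sent / queries, "wrong_verdicts": wrong}


if __name__ == "__main__":
    print(simulate())
```

`requests_per_query` is the figure the next two slides report (1.24 and 1.2): most ciphertexts in a Bleichenbacher run are not compliant and are settled by a single fast response, only the undecidable ones cost the extra n-1 requests. `wrong_verdicts` is non-zero whenever the learned t_min sits above the true minimum, which is what the `margin` is for; the trade-off is that a lower boundary lets more non-compliant responses through as undecidable and raises the request count.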
Examples for attacks: Breaking XML Encryption - Timing attack against local server

Attack against local server
• Decrypt ciphertext in ~3 hours
• Size of cdata was 100 KB
• 321,870 oracle queries
• 398,123 actual requests (1.24 actual requests per oracle query)

[Figure: response time (milliseconds, 10 to 50) of the nth request (100 KB cdata), n = 0 to 100; measurements marked PKCS#1 compliant / not PKCS#1 compliant, with the learned boundary t_min]
Examples for attacks: Breaking XML Encryption - Timing attack against PlanetLab server

Attack against Internet server (PlanetLab)
• Decrypt ciphertext in < 1 week
• Size of cdata was 1 MB
• 2000 requests per hour
• 1.2 requests per oracle query

[Figure: response time of the nth request (1 MB cdata), n = 0 to 100, axis 100 to 1000; measurements marked PKCS#1 compliant / not PKCS#1 compliant, with the learned boundary t_min]
Call for participation

• Many open problems left, e.g.
  • integrate statistical hypothesis tests in FAU Analyser
  • make inter-packet timings available in FAU Timing
  • come up with new and creative timing attacks
  • test many, many applications... :-)
• Great topics for pentesters, researchers, and student theses!
Literature & further reading
[1] Scott A. Crosby, Dan S. Wallach and Rudolf H. Riedi. Opportunities and Limits of Remote Timing Attacks. ACM Trans. Inf. Syst. Secur., 12(3), 2009.
[2] Tibor Jager and Juraj Somorovsky. How to Break XML Encryption. Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, Illinois, USA, October 17-21, 2011.
[3] Edward W. Felten and Michael A. Schneider. Timing Attacks on Web Privacy. 7th ACM Conference on Computer and Communications Security (CCS 2000). ACM SIGSAC, 2000.
[4] Andrew Bortz and Dan Boneh. Exposing Private Information by Timing Web Applications. In Carey L. Williamson, Mary Ellen Zurko, Peter F. Patel-Schneider and Prashant J. Shenoy, editors, WWW 2007, pages 621-628. ACM, 2007.
[7] Sebastian Schinzel. An Efficient Mitigation Method for Timing Side Channels on the Web. COSADE 2011 (extended abstract). http://sebastian-schinzel.de/_download/cosade-2011-extended-abstract.pdf
[8] Felix C. Freiling and Sebastian Schinzel. Detecting Hidden Storage Side Channel Vulnerabilities in Networked Applications. Proceedings of IFIP/SEC 2011. http://sebastian-schinzel.de/_download/ifip-sec2011.pdf
[9] Daniel Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In Advances in Cryptology - CRYPTO 1998, pages 1-12, 1998.
Thanks for your attention!
Discussion...
Web 1.0: [email protected]
Web 2.0: https://twitter.com/seecurity
Backup

Preventing Timing Side Channel Attacks
Examples for attacks: Breaking XML Encryption - Preventive Measures

Preventing the Bleichenbacher attack against XML Encryption

Vulnerable:
1. Decrypt session key m = dec_RSA(ckey)
2. Return error if m does not comply with PKCS#1 and stop here
3. Decrypt cdata (results in XML subtree)
4. Copy subtree into XML doc
5. Parse XML doc
6. Return error if XML doc is invalid

Fixed:
1. Decrypt session key m = dec_RSA(ckey)
2. Generate random session key m' if m does not comply with PKCS#1 and continue
3. Decrypt cdata (results in XML subtree)
4. Copy subtree into XML doc
5. Parse XML doc
6. Return error if XML doc is invalid
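The two flows side by side in code, as an added example that is not from the slides or from any real XML Encryption implementation. It stands in for the RSA step by handing the server the already decrypted block (the fix concerns what happens after unpadding, not RSA itself) and for aes128-cbc by a keystream cipher whose cost does not depend on the key, so the only difference between the two servers is step 2. The `work` counter records whether the expensive cdata path ran, which is the quantity the timing attack observes; key length (128 bytes), session key length (16 bytes) and the sample message are constructed.

```python
"""Vulnerable vs. fixed handling of the PKCS#1 check in an XML Encryption
decryptor (toy model, not a real XML-Enc stack).  Stand-ins, all assumed:
  * the RSA step: the server receives the already 'RSA-decrypted' block;
  * aes128-cbc for cdata: an HMAC-SHA256 keystream cipher, same cost for any key.
"""
import hashlib
import hmac
import secrets
from typing import Tuple
from xml.etree import ElementTree as ET

KEY_LEN = 128          # assumed: RSA modulus size in bytes (RSA-1024)
SESSION_KEY_LEN = 16   # aes128


class XmlError(Exception):
    """Decrypted cdata is not a well-formed XML subtree."""


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """EME-PKCS1-v1_5 block: 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M."""
    if len(em) != KEY_LEN or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad PKCS#1 header")
    sep = em.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:
        raise ValueError("bad PKCS#1 padding string")
    return em[sep + 1:]


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Keystream XOR (encrypt == decrypt).  Stand-in for aes128-cbc."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_message(session_key: bytes, xml: bytes) -> Tuple[bytes, bytes]:
    """Honest sender: ckey carries the session key in a PKCS#1 v1.5 block."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(KEY_LEN - 3 - len(session_key)))
    return b"\x00\x02" + ps + b"\x00" + session_key, toy_cipher(session_key, xml)


def decrypt_cdata(key: bytes, cdata: bytes, work: dict) -> str:
    """Steps 3-6: decrypt cdata, splice it in, parse it.  `work` counts how often
    this expensive path ran; returns the root tag of the decrypted subtree."""
    work["cdata_decrypted"] += 1
    try:
        return ET.fromstring(toy_cipher(key, cdata)).tag
    except (ET.ParseError, ValueError) as exc:   # every parse failure -> same error
        raise XmlError from exc


def vulnerable_server(ckey: bytes, cdata: bytes) -> Tuple[str, dict]:
    work = {"cdata_decrypted": 0}
    try:
        m = pkcs1_v15_unpad(ckey)
    except ValueError:
        return "ERROR: PKCS#1", work          # step 2: distinct error, stops early -> oracle
    try:
        return "OK: " + decrypt_cdata(m, cdata, work), work
    except XmlError:
        return "ERROR: invalid XML", work


def fixed_server(ckey: bytes, cdata: bytes) -> Tuple[str, dict]:
    work = {"cdata_decrypted": 0}
    try:
        m = pkcs1_v15_unpad(ckey)
    except ValueError:
        m = b""
    if len(m) != SESSION_KEY_LEN:             # step 2 (fixed): bad padding or bad key
        m = secrets.token_bytes(SESSION_KEY_LEN)  # length -> random key m', carry on
    try:
        return "OK: " + decrypt_cdata(m, cdata, work), work
    except XmlError:
        return "ERROR: invalid XML", work     # indistinguishable from any wrong key


if __name__ == "__main__":
    ckey, cdata = encrypt_message(bytes(range(16)), b"<Body><Order id='42'/></Body>")
    tampered = b"\x00\x03" + ckey[2:]         # attacker-modified ckey, not PKCS#1 compliant
    print("vulnerable:", vulnerable_server(tampered, cdata))
    print("fixed:     ", fixed_server(tampered, cdata))
```

With the vulnerable flow a non-compliant ckey never reaches the cdata decryption, which is exactly the difference the possibilistic oracle measures; the fixed flow does the same work and returns the same error for a wrong padding as for a compliant padding carrying the wrong key. Two points worth checking in a real implementation: the length check in step 2 matters as much as the padding check, since an unexpected key length would otherwise fail at a different place, and the error message and status code must be identical on both paths, not just the timing.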
Preventing Timing Side Channel Attacks: Random delay

[Figure, two panels: filtered response time (microseconds, 1800 to 3400) against u (user name, 0 to 50). Left panel "Random delay": valid user name + random delay, invalid user name + random delay, valid user name (no delay), invalid user name (no delay). Right panel "Deterministic and Unpredictable Delay (DUD)": valid user name + DUD, invalid user name + DUD, valid user name (no delay), invalid user name (no delay).]

Random delay padding
1. r = random() % 200 µs
2. usleep( r )
• PRO: increases effort for timing analysis (attacker needs to measure more often)
• CON: proper filtering will remove the random delay
Preventing Timing Side Channel Attacks: Deterministic and Unpredictable Delay (DUD)

[Figure, two panels as on the previous slide: filtered response time (microseconds, 1800 to 3400) against u (user name, 0 to 50) for "Random delay" and for "Deterministic and Unpredictable Delay (DUD)", each with valid/invalid user names with and without the delay.]

Deterministic and Unpredictable Delay
1. r = md5(input + secret) % 200 µs
2. usleep( r )
• PRO: offers security guarantees that are independent of the amount of measurements
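Both countermeasures against an attacker who filters with the minimum, as an added example that is not from the slides. The login form model (2000 µs of server time for an unknown name, 2050 µs for an existing one, exponential network jitter, the names `alice`, `bob`, `mallory`, `trent` and the secret) is constructed for the example; the two delay functions follow the slides' pseudo-code, and `demo()` is a hypothetical driver.

```python
"""Random delay padding vs. Deterministic and Unpredictable Delay (DUD).

Toy model of a login form that leaks whether a user name exists.  Constructed
figures: 2000 us of server time for an unknown name, 2050 us for an existing
one, plus network jitter that only ever adds time.  The attacker filters M
measurements per name with the minimum, which strips any non-negative noise
that is drawn afresh on every request.
"""
import hashlib
import random
from typing import Callable, Dict, Iterable

BASE_INVALID_US = 2000.0
BASE_VALID_US = 2050.0
DELAY_RANGE_US = 200        # the "% 200 us" of the slides
THRESHOLD_US = (BASE_VALID_US + BASE_INVALID_US) / 2


def random_delay(rng: random.Random) -> int:
    """Slide: r = random() % 200 us; usleep(r).  A new value for every request."""
    return rng.randrange(DELAY_RANGE_US)


def dud_delay(u: str, secret: bytes) -> int:
    """Slide: r = md5(input + secret) % 200 us; usleep(r).  The same input gets
    the same delay on every request, but without the secret the attacker cannot
    predict it, so it cannot be subtracted out."""
    digest = hashlib.md5(u.encode() + secret).digest()
    return int.from_bytes(digest, "big") % DELAY_RANGE_US


def make_server(valid: Iterable[str], mode: str, secret: bytes = b"",
                seed: int = 0) -> Callable[[str], float]:
    """mode: 'none', 'random' or 'dud'.  Returns respond(u) -> response time in us."""
    valid = set(valid)
    rng = random.Random(seed)

    def respond(u: str) -> float:
        base = BASE_VALID_US if u in valid else BASE_INVALID_US
        if mode == "random":
            delay = random_delay(rng)
        elif mode == "dud":
            delay = dud_delay(u, secret)
        else:
            delay = 0
        return base + delay + rng.expovariate(1 / 15.0)   # network jitter, mean 15 us
    return respond


def filtered_time(respond: Callable[[str], float], u: str, m: int) -> float:
    """Attacker's filter: minimum of m measurements for the same name."""
    return min(respond(u) for _ in range(m))


def recovered_gap(respond: Callable[[str], float], valid_u: str, invalid_u: str, m: int) -> float:
    """What the attacker sees as the valid/invalid difference after filtering."""
    return filtered_time(respond, valid_u, m) - filtered_time(respond, invalid_u, m)


def classify(respond: Callable[[str], float], names: Iterable[str], m: int) -> Dict[str, bool]:
    """Attacker guesses 'exists' when the filtered time lies above the midpoint."""
    return {u: filtered_time(respond, u, m) > THRESHOLD_US for u in names}


def demo(m: int = 2000) -> Dict[str, Dict[str, bool]]:
    secret = b"server-side secret, never sent"        # constructed
    valid, names = {"alice", "bob"}, ["alice", "bob", "mallory", "trent"]
    return {mode: classify(make_server(valid, mode, secret, seed=3), names, m)
            for mode in ("none", "random", "dud")}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Under `random` the attacker recovers the 50 µs gap with 2000 requests per name, because the minimum of many fresh delays tends to zero; under `dud` the filtered time converges to base + r(u), a per-name offset of up to 200 µs that the attacker cannot separate from the 50 µs signal, and sending more requests only sharpens the estimate of that offset. Two caveats the slide leaves implicit: the delay range must exceed the difference being hidden (a 200 µs DUD would not mask a 500 µs leak), and for the keyed construction a keyed MAC such as HMAC is the standard choice over a bare hash of input + secret.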