SlideShare ist ein Scribd-Unternehmen logo

Jose Selvi - Side-Channels Uncovered [rootedvlc2018]

RootedCON
RootedCON

En los últimos años, el término "side-channel" a pasado de ser un concepto únicamente conocido en el sector de hardware hacking a ser un término popular dentro de la industria debido a las vulnerabilidades que se han ido publicando. CRIME, BREACH o FIESTA son claros ejemplos de vulnerabilidades que explotan un side-channel en TLS. Más recientemente, también hemos visto vulnerabilidades empleando este mismo concepto en procesadores, como Spectre o Meltdown. En esta charla, repasaremos el concepto de "side-channel" y haremos un repaso por las diferentes vulnerabilidades que se han ido publicando a lo largo de estos últimos años, explicando en que consisten y que limitaciones tienen.

Technologie
1 von 47
Downloaden Sie, um offline zu lesen
© NCC Group July 2018. All rights reserved Side-channels Uncovered Jose Selvi, RootedVLC 2018
But it’s just me J Jose Selvi (@JoseSelvi) 15 years in the infosec industry Principal Security Consultant and Security Researcher at SANS Institute Community Instructor GIAC Security Expert (GSE) Blogger (sometimes): http://www.pentester.es
$ ls -la /home/jselvi/rootedvlc18/ 1. Side-channels in Call For Papers 2. How a side-channel works? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
CFP Feedback
Processing Feedback
But… accepted in Ekoparty 2017
$ ls -la /home/jselvi/rootedvlc18/ | tail -5 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
Side-channels & Pizza Politicians DAY N DAY N+1 DAY N+2
Back to the real world
Action + Observing = Oracle
What am I?
$ ls -la /home/jselvi/rootedvlc18/ | tail -4 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
How does web traffic work? BROWSER DNS SERVER WEB SERVER (HTTPS) WEB SERVER (HTTPS) DNS Request HTML Scripts Images
Size-based side-channels
Overview CONSOLE SERVER BRAIN CAPTURE
Compression in theory (deflate) NCC Group is an awesome group of security geeks NCC Group is an awesome g(-20,4) of security geeks
Compression in practice $ echo "token=BEEFCAFE1337 token=A" | gzip | wc -c 44 $ echo "token=BEEFCAFE1337 token=B" | gzip | wc -c 43 $ echo "token=BEEFCAFE1337 token=BA" | gzip | wc -c 44 $ echo "token=BEEFCAFE1337 token=BE" | gzip | wc -c 43 $ echo "token=BEEFCAFE1337 token=BEEFCAFE" | gzip | wc -c 43
DEMO
WEB SERVER (HTTPS) CRIME vs BREACH CRIME BREACH BROWSER
COMPRESS & ENCRYPT Compress before encrypt still a problem APP DATA USER DATA
Search engine not CSRF-protected (XS-Search) /search/wrong 100kb /search/rigg 100kb /search/righ 200kb /search/rigi 100kb WEB SERVER (HTTPS) BROWSER
What if response size is not stable? $ curl http://www.google.es | wc -c 12424 $ curl http://www.google.es | wc -c 12401 $ curl http://www.google.es| wc -c 12372 $ curl http://www.google.es| wc -c 12437 $ curl http://www.google.es| wc -c 12423
F****** Javascript from Hell… $ curl http://www.google.es […] google.time=function(){return(new Date).getTime()};(function(){google.lc=[];google.li=0;google.getEI=function( a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;r eturn b};google.https=function(){return"https:"==window.location.protocol};goog le.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(d){}};google .log=function(a,b,d,c,g){if(a=google.logUrl(a,b,d,c,g)){b=new Image;var e=google.lc,f=google.li;e[f]=b;b.onerror=b.onload=b.onabort=function(){del ete e[f]};google.vel&&google.vel.lu&&google.vel.lu(a);b.src=a;google.li=f+1}};g oogle.logUrl=function(a,b,d,c,g){var e="",f=google.ls||"";d||- 1!=b.search("&ei=")||(e="&ei="+google.getEI(c),- 1==b.search("&lei=")&&(c=google.getLEI(c))&&(e+="&lei="+c));c="";!d&&g oogle.cshid&&- 1==b.search("&cshid=")&&"slh"!=a&&(c="&cshid="+google.cshid);a=d||"/" +(g||"gen_204")+"?atyp=i&ct="+a+"&cad="+b+e+f+"&zx="+google.time()+ c;/^http:/i.test(a)&&google.https()&&(google.ml(Error("a") […]
Resource loading side-channel (FIESTA)
Resource loading side-channel (FIESTA)
Resource loading side-channel (FIESTA)
Resource loading side-channel (FIESTA)
DEMO
$ ls -la /home/jselvi/rootedvlc18/ | tail -3 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
Overview CONSOLE SERVER BRAIN
Size ~= Load time Nethanel Gelernter @ Blackhat USA 2016
Measuring Time https://tom.vg/2016/08/browser-based-timing-attacks/
Are timing attacks practical in HTTPS?
Where is the Proof of Concept?
$ ls -la /home/jselvi/rootedvlc18/ | tail -2 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
Continuously improving performance
Meltdown & Spectre https://meltdownattack.com/
CPU Caching http://archive.arstechnica.com/paedia/c/caching/m-caching-2.html
Out-of-order / Speculative Execution
Meltdown (Out of Order Execution) access_kernel(); access(probe_array[data * 4096]); again: mov al, byte [rcx] shl rax, 0x0C jz again mov rbx qword [rbx + rax]
Meltdown (Out of Order Execution) again: mov al, byte [rcx] shl rax, 0x0C jz again mov rbx qword [rbx + rax] 510 489 495 502 513 499 105 525 487 00 01 02 03 04 05 06 07 08
Spectre (Speculative Execution) if ( x < array1_size ) y = array2[ array1[x] * 4096 ]; 1. array1[x] points to a SECRET byte 2. array1_size and array2 are not cached 3. previous values for “x” were valid (so branch predictor will probably think the current value of “x” is valid as well)
Spectre (Speculative Execution) 510 489 495 502 513 499 105 525 487 00 01 02 03 04 05 06 07 08 if ( x < array1_size ) y = array2[ array1[x] * 4096 ];
Why 4096?? 0 4096 8192 12288 16384 20480 24576 28672 32768 if ( x < array1_size ) y = array2[ array1[x] * 4096 ]; access_kernel(); access(probe_array[data * 4096]);
$ ls -la /home/jselvi/rootedvlc18/ | tail -1 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
Lessons Learnt • Compression is Evil • Cache is Evil • Speculative Execution is Evil • Exploiting side-channels is slow (but it works) • Avoiding side-channels is difficult (researchers find new ones over and over again).
© NCC Group July 2018. All rights reserved jose.selvi@nccgroup.com jselvi@pentester.es @JoseSelvi Thanks a lot! Questions!

Empfohlen

BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat Security Conference
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 

Empfohlen

BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat Security Conference
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELKTripwire
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...BlueHat Security Conference
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSECCarlos Martinez Cagnazzo
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Trafficdkaya
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App FirewallBrian A. McHenry
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15Brian A. McHenry
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricataMrArora Arjuna
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
General Method of HTTP Messages Authentication Based on Hash Functions in Web...
General Method of HTTP Messages Authentication Based on Hash Functions in Web...General Method of HTTP Messages Authentication Based on Hash Functions in Web...
General Method of HTTP Messages Authentication Based on Hash Functions in Web...Denis Kolegov
 
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackExperiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackinside-BigData.com
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGESecure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGEPriyanka Aash
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczZuzannaKornecka
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
Analyzing RDP traffc with Bro
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with BroJosh Liburdi
 
Presto anatomy
Presto anatomyPresto anatomy
Presto anatomyDongmin Yu
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
 

Weitere ähnliche Inhalte

Was ist angesagt?

My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELKTripwire
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...BlueHat Security Conference
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Trafficdkaya
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricataMrArora Arjuna
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
General Method of HTTP Messages Authentication Based on Hash Functions in Web...
General Method of HTTP Messages Authentication Based on Hash Functions in Web...General Method of HTTP Messages Authentication Based on Hash Functions in Web...
General Method of HTTP Messages Authentication Based on Hash Functions in Web...Denis Kolegov
 
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackExperiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackinside-BigData.com
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGESecure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGEPriyanka Aash
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczZuzannaKornecka
 
Analyzing RDP traffc with Bro
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with BroJosh Liburdi
 

Was ist angesagt? (20)

My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Traffic
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108
 
General Method of HTTP Messages Authentication Based on Hash Functions in Web...
General Method of HTTP Messages Authentication Based on Hash Functions in Web...General Method of HTTP Messages Authentication Based on Hash Functions in Web...
General Method of HTTP Messages Authentication Based on Hash Functions in Web...
 
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackExperiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGESecure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewicz
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Analyzing RDP traffc with Bro
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with Bro
 

Ähnlich wie Jose Selvi - Side-Channels Uncovered [rootedvlc2018]

Presto anatomy
Presto anatomyPresto anatomy
Presto anatomyDongmin Yu
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsMarcus Frödin
 
Fosdem10
Fosdem10Fosdem10
Fosdem10wremes
 
WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"DefCamp
 
How Secure Are Docker Containers?
How Secure Are Docker Containers?How Secure Are Docker Containers?
How Secure Are Docker Containers?Ben Hall
 
node.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the Servernode.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the ServerDavid Ruiz
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)nikomatsakis
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...
運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...
運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...Herman Wu
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
Debugging node in prod
Debugging node in prodDebugging node in prod
Debugging node in prodYunong Xiao
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?Jeremy Schneider
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 
Aaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security TeamsAaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security Teamscentralohioissa
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 

Ähnlich wie Jose Selvi - Side-Channels Uncovered [rootedvlc2018] (20)

Presto anatomy
Presto anatomyPresto anatomy
Presto anatomy
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 Mars
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.js
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Binary Analysis - Luxembourg
Binary Analysis - LuxembourgBinary Analysis - Luxembourg
Binary Analysis - Luxembourg
 
WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"
 
How Secure Are Docker Containers?
How Secure Are Docker Containers?How Secure Are Docker Containers?
How Secure Are Docker Containers?
 
node.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the Servernode.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the Server
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...
運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...
運用CNTK 實作深度學習物件辨識 Deep Learning based Object Detection with Microsoft Cogniti...
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
Debugging node in prod
Debugging node in prodDebugging node in prod
Debugging node in prod
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
Aaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security TeamsAaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security Teams
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 

Mehr von RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRootedCON
 

Mehr von RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
 

Kürzlich hochgeladen

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Kürzlich hochgeladen (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Jose Selvi - Side-Channels Uncovered [rootedvlc2018]

  • 1. © NCC Group July 2018. All rights reserved Side-channels Uncovered Jose Selvi, RootedVLC 2018
  • 2. But it’s just me J Jose Selvi (@JoseSelvi) 15 years in the infosec industry Principal Security Consultant and Security Researcher at SANS Institute Community Instructor GIAC Security Expert (GSE) Blogger (sometimes): http://www.pentester.es
  • 3. $ ls -la /home/jselvi/rootedvlc18/ 1. Side-channels in Call For Papers 2. How a side-channel works? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
  • 6. But… accepted in Ekoparty 2017
  • 7. $ ls -la /home/jselvi/rootedvlc18/ | tail -5 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
  • 8. Side-channels & Pizza Politicians DAY N DAY N+1 DAY N+2
  • 9. Back to the real world
  • 10. Action + Observing = Oracle
  • 12. $ ls -la /home/jselvi/rootedvlc18/ | tail -4 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
  • 13. How does web traffic work? BROWSER DNS SERVER WEB SERVER (HTTPS) WEB SERVER (HTTPS) DNS Request HTML Scripts Images
  • 16. Compression in theory (deflate) NCC Group is an awesome group of security geeks NCC Group is an awesome g(-20,4) of security geeks
  • 17. Compression in practice $ echo "token=BEEFCAFE1337 token=A" | gzip | wc -c 44 $ echo "token=BEEFCAFE1337 token=B" | gzip | wc -c 43 $ echo "token=BEEFCAFE1337 token=BA" | gzip | wc -c 44 $ echo "token=BEEFCAFE1337 token=BE" | gzip | wc -c 43 $ echo "token=BEEFCAFE1337 token=BEEFCAFE" | gzip | wc -c 43
  • 18. DEMO
  • 19. WEB SERVER (HTTPS) CRIME vs BREACH CRIME BREACH BROWSER
  • 20. COMPRESS & ENCRYPT Compress before encrypt still a problem APP DATA USER DATA
  • 21. Search engine not CSRF-protected (XS-Search) /search/wrong 100kb /search/rigg 100kb /search/righ 200kb /search/rigi 100kb WEB SERVER (HTTPS) BROWSER
  • 22. What if response size is not stable? $ curl http://www.google.es | wc -c 12424 $ curl http://www.google.es | wc -c 12401 $ curl http://www.google.es| wc -c 12372 $ curl http://www.google.es| wc -c 12437 $ curl http://www.google.es| wc -c 12423
  • 23. F****** Javascript from Hell… $ curl http://www.google.es […] google.time=function(){return(new Date).getTime()};(function(){google.lc=[];google.li=0;google.getEI=function( a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI};google.getLEI=function(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;r eturn b};google.https=function(){return"https:"==window.location.protocol};goog le.ml=function(){return null};google.wl=function(a,b){try{google.ml(Error(a),!1,b)}catch(d){}};google .log=function(a,b,d,c,g){if(a=google.logUrl(a,b,d,c,g)){b=new Image;var e=google.lc,f=google.li;e[f]=b;b.onerror=b.onload=b.onabort=function(){del ete e[f]};google.vel&&google.vel.lu&&google.vel.lu(a);b.src=a;google.li=f+1}};g oogle.logUrl=function(a,b,d,c,g){var e="",f=google.ls||"";d||- 1!=b.search("&ei=")||(e="&ei="+google.getEI(c),- 1==b.search("&lei=")&&(c=google.getLEI(c))&&(e+="&lei="+c));c="";!d&&g oogle.cshid&&- 1==b.search("&cshid=")&&"slh"!=a&&(c="&cshid="+google.cshid);a=d||"/" +(g||"gen_204")+"?atyp=i&ct="+a+"&cad="+b+e+f+"&zx="+google.time()+ c;/^http:/i.test(a)&&google.https()&&(google.ml(Error("a") […]
  • 28. DEMO
  • 29. $ ls -la /home/jselvi/rootedvlc18/ | tail -3 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
  • 31. Size ~= Load time Nethanel Gelernter @ Blackhat USA 2016
  • 33. Are timing attacks practical in HTTPS?
  • 34. Where is the Proof of Concept?
  • 35. $ ls -la /home/jselvi/rootedvlc18/ | tail -2 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
  • 40. Meltdown (Out of Order Execution) access_kernel(); access(probe_array[data * 4096]); again: mov al, byte [rcx] shl rax, 0x0C jz again mov rbx qword [rbx + rax]
  • 41. Meltdown (Out of Order Execution) again: mov al, byte [rcx] shl rax, 0x0C jz again mov rbx qword [rbx + rax] 510 489 495 502 513 499 105 525 487 00 01 02 03 04 05 06 07 08
  • 42. Spectre (Speculative Execution) if ( x < array1_size ) y = array2[ array1[x] * 4096 ]; 1. array1[x] points to a SECRET byte 2. array1_size and array2 are not cached 3. previous values for “x” were valid (so branch predictor will probably think the current value of “x” is valid as well)
  • 43. Spectre (Speculative Execution) 510 489 495 502 513 499 105 525 487 00 01 02 03 04 05 06 07 08 if ( x < array1_size ) y = array2[ array1[x] * 4096 ];
  • 44. Why 4096?? 0 4096 8192 12288 16384 20480 24576 28672 32768 if ( x < array1_size ) y = array2[ array1[x] * 4096 ]; access_kernel(); access(probe_array[data * 4096]);
  • 45. $ ls -la /home/jselvi/rootedvlc18/ | tail -1 1. Side-channels in Call For Papers 2. How does a side-channel work? 3. HTTPS: Size-based Attacks 4. HTTPS: Time-based Attacks 5. CPU: Cache-based Attacks 6. Lessons Learnt
  • 46. Lessons Learnt • Compression is Evil • Cache is Evil • Speculative Execution is Evil • Exploiting side-channels is slow (but it works) • Avoiding side-channels is difficult (researchers find new ones over and over again).
  • 47. © NCC Group July 2018. All rights reserved jose.selvi@nccgroup.com jselvi@pentester.es @JoseSelvi Thanks a lot! Questions!