 Okay, so thank you very much. Thank you very much for attending this talk. There's a lot of people here. It's really amazing My name is Sebastian Schinzel. I have a few words about me on the next slide So my my life is actually split in two pieces. So there's an academic part and there's a professional part For the academic part. Well, I'm right now doing my my PhD thesis at the security research group in Erlangen with Felix Freiling and I have to say that I handed in my PhD thesis last week So that is a very good reason to celebrate Thank you very much Okay, the second thing of my of my life is my professional work at virtual forge Where do SAP security and SAP has this layer a strange language called ABAP and I did certain things to this and also static code analysis penetration testing Okay, so who of you is is a did ever do any penetration testing? Can you raise your hand, please? Okay, so maybe you have seen this this movie a friend of mine. He came to me and told me okay I have seen this movie's word fish and it was so cool because penetration testing you do penetration testing, right? And I said yes, and he was like, okay Oh penetration testing is really so cool because you can break in such a short time in in arbitrary military systems And you're there guns involved and it's so awesome, right? So Yeah, and you have young women doing strange things to you right right while you're penetration testing and Well, right. Okay, so you may or may not agree and not agree in my experience That's not the case. There's no guns and usually no women involved in this And it also takes considerably more time than 60 seconds to break into a system Sometimes it works, but it's really really seldom right. So that's that's the movies That's how a Hollywood things penetration testing works, but in reality, it's a bit different, right? So Actually, I mean penetration testing is split in in in five different pieces You have preparation and then you start gathering some information on your target system you evaluate this this information and then you do the actually 60 seconds part where you do the The exploitation and the testing and and stuff like this, right? Okay, what I showed today is a little bit of testing a little bit of exploitation, but more gathering information Okay, so when you see this talk You will see that using side channel attacks and the timing channel is the side channel using side channel attacks You can gain Important information that you can use in other exploits. So right? So you may be able to take over a system not because of the side channel attack But because the side channel attack gave you information that was necessary for some other attack Okay, so that's the Pentagon, right? That's the Ministry of US Foreign Affairs and Well, what do you need to do in order to know when the next when the next big attack will happen? Right, so when they will attack Iran, let's let's put it this way, right? So usually people would say, okay, you have to infiltrate The Pentagon you have to smuggle people in there and they have to hide very well and takes a lot of preparation and it and it turns out that it's not really that necessary because When the Pentagon just before the Pentagon two days before the Pentagon does a large attack They order pizza an unusual high amount of pizza Right and so there's this article of Time Magazine where they interviewed some where they interviewed someone from Domino's Pizza Right, so there's a Domino's Pizza in the near of the Pentagon and he is saying that He realizes that the Pentagon is planning something because the pizza orders are rising and this is really strange Isn't it because just we just said okay It's really a lot of effort to smuggle someone into the Pentagon But in many cases the straightforward attack is is not necessary Right, you can also try to to find some other information that you can easily retrieve and that correlates with the secret information Okay, and this is what side channels are about side channels are often They're not really difficult to attack or there may not be difficult to attack, but it's Finding some information that correlates with a secret is quite it's quite challenging, right? So, okay So you guys have done a penetration testing and what you do there is usually you do invasive attacks Okay, what's an invasive attack? So you have usually the original control fall of of an application that you are about to attack and When you do an invasive attack and that could be a buffer overrun sequel injection Format string injection cross-site scripting and things like that What you do there is you create your own control flow in this particular application Right, so let's say this here if this were a web browser Then you can make using a buffer overrun you can transform a web browser into a web server if you want right you can do this With side channel attacks, it's a bit different right so you don't actually attack the system you use it as The designers intended their usage Okay, so you stick with the original control flow of everything you don't send any rogue Request to this to the application so there are no special characters or things like that You really just send normal requests to to a particular To a particular application that you want to attack Okay, and This is one example. This is I would say it's the opposite Side channel of timing side channel I call these a storage side channel and what you see here on the on the left side and on the right side there are two HTTP headers and both HTTP headers are from exactly the same system and from exactly the same page Because this is the login page of a typo 3 back end. Okay, and what I did there is on the On the left side, I used a non existing user and a wrong password and try to log on Obviously there comes some error username or password wrong on the right side I did exactly the same with an existing username and and this is what happened, right? So you have two different HTTP headers even though the content the HTML content is exactly the same This is really strange, isn't it? So from this you can learn from any typo 3 on this world You can learn whether a username is a registered administrative user or not This is really quite strange, right? So usually penetration testers don't look at this They look at the HTML at the generated HTML and if if there are no differences, then they say, okay, that's that's okay Okay, but what we want to talk about in this talk is here Here we talk about timing side channels and that's a that's a different thing Right, take this take this application that does this. Okay, you start at the top Right, so you issue a username and a password and this is what happens in the back end So usually it checks does the user exist and if the user doesn't exist you immediately immediately get an error page Then there's a second check that they look whether a user is locked or not if the user is locked again You get the error page then it look is the username expired if yes Then again you get the error page and then then we look at the password, right? Then we look whether the password is correct and if you look at this they will have the first Control flow which is rather short and that there is a second control flaw which is much much longer Right and even if you if you think further you can you don't have only this one here Not only this control flaw, but you have two additional ones So you can not only find out whether username exists You can also find out is he locked is it is it expired and things like that, okay? So this example may or may not be a security relevant, right? So there are systems on the internet where this would be security relevant. There are others where where this is not relevant I Just use this as a as an example, right? So you can use any any control flow that you can measure through this Okay, so it's so much for the theory, right? So we just You would think the first control flow has exactly one response time and the second one has also exactly one response time It turns out in reality. That's that's not the case unfortunately Because the problem is when we do measurements over a network or on a multi-user system. You always have jitter Right because things are busy. The system is busy. The routers are busy There are saturated links On the way where you do the measurement and things like that So what you what you can only measure what you what you want to measure is the response time t But what you can only measure is t plus the jitter that you get And I think it really boils down This is this is the target of this of this whole talk to enable you to show you certain things How to remove this jitter from this from this timing, okay? Now that's a that's an histogram that you see here on the x-axis you have the response time and on the y-axis You have the amount of measurements that were at this particular response time Okay, so what I did here is I did I did several measurements here and that's the graph that appeared So there are what you see here This is not zero But there are some some measurements which had this particular value and there are a lot of measurements right here Okay, and when we do a timing attack right this this doesn't tell us anything because it's just we just did some measurements What we need to do is we need to compare this particular measurement with something else Right, so we use a different secret. This could be a different username and try to compare it Okay, and this is what we might get two different distributions And would you when you look at this area here when we get an measurement in this area? We don't really know to which it belongs was it an existing username or was it a non-existing username because for both It is possible right so there's a lot of overlap in the timing measurements Okay, that's why I came up. I want to show you a few do's and don'ts of timing measurements Okay, because what you want to do is you want to achieve a timing precision right so you want to measure as Exact as it is possible. Okay There's a paper which is in the reference from Scott Crosby And he claims that you can measure even down to a few hundred nanoseconds over a network over a busy network Right, so when you do the right thing, but obviously this guy is an is an academic guy So he did millions over millions of measurements right and compared these and that what that was the best result that he could achieve What we want to do is we're penetration testers we have limited amounts of time we want to go to a customer and do a penetration test against the system and Well see whether it's it's vulnerable or not Okay So first of all what we want we want to use a very fine grained timer and there's a certain certain Things that you can use as a as a timer This is just one of it There's an assembly instruction called RDSC and that's the source code this the C source code that you could use to take this Okay, so what what does it do RDSC? It gives you the amount of CPU ticks That appeared during or after boot up, right? So it's very very fine grained okay, and Here we have how fine grained it is so if this computer were a 2 gigahertz machine, then you get a resolution of Half a nanosecond, so this is very exact. You can get very exact timings So it's very good because the faster your your CPU is the better the better you can measure But it's also a problem because the timings are tied to the to the CPU clock speed So there's a problem as soon as you have power management enabled, right? So when you have power management enabled your CPU might might decide that it's right now It's idle and therefore I reduce my my frequency And when this happens during a during your timing measurements all of a sudden you get a gap you get a jump Right and this may really severely mess up your measurements What you also want to do is you want to parallelize measurements, so that's the Naive measurement approach. That's not the parallel parallel, but it's more Like in a row where you do the measurements in a row. So first of all you start And measure one data set I call this a right and you do the measurements of a that could be an existing username So you make 100 requests often with an existing username and Then you make the second data set where you take again 100 measurements with a non-existing username And then you try to compare them The problem here is that the jitter that was that was added to both of the measurements sets may have changed between both right, so It's we will see this later on jitter is also a very temporal thing. So you may have at this particular second You may have jitter of five milliseconds and a minute later. It may be two milliseconds Therefore, it's much better When you measure Alternating Lee right so you take an existing username just do one measurement Then you take a non-existing username take another measurement and so on and so forth and the good thing There is that the changes in a jitter over time Effect both data sets approximately the same Okay, so we have the same effects in both data sets approximately so that's much better when you do this Then a different thing is you need to decide where you start the measurement and you need to decide where to stop the measurement okay, I Have drawn this here's on the left hand side You see there's the sender and on the right hand side There's the receiver and the further down we get the later it is right so the the y-axis is actually the time And there's a block at the bottom at the very top and that's the request and there You see a request is not it's not a single packet where you send something out and it and it comes back in but it may be several TCP IP packets that go back and forth And you have the same for the response Right, so you receive the first packet of the response than the second and the third and there are acknowledgement package packages going back and forth And the problem is with each and every round trip you add the jitter to it Okay, so if you have ten round trips you also have the jitter of ten round trips So you want to reduce the amount of round trips that you do and there are Three different three different ways that I have detected what you can use that you can use as a starting and as an end point So there's first of all at the very outer part. There's the naive approach Then there's an approach that I called when you use blocking sockets I'll go deeper in this on the next slide and Per packet timings Okay, let's look at it at a more detail So that's the naive approach you start the timer you take your request send it over And then you receive the the response right and when you have fully received the response you stop the timer That's a very naive approach And we can make this a little better Because in most operating systems you have you have blocking sockets and that means I can do the following I sent n minus one bytes of that particular request and wait until it's finished Then I start the timer and then I sent the very the very last bite of this particular request in most cases This will result in just one TCP packet with one byte payload Okay, you have already started the timer then you receive the full response and then you stop the timer Okay, you may ask yourself. Why don't you start here when you when you receive the first packet Well, the the the reason for this is When you have let's say you have a patchy web server a patchy And you send over this request to the Apache and then the PHP application That's let's let it be a PHP application while this PHP application is running Apache may decide to already send the the response headers as Synchronously okay, and if you measure this you don't get the actual PHP application But you get the you get the amount of time that it took the Apache to to send the the response header Right, so okay, and then there's the last one Again you start at the very last byte in the in the request and Then if there were a way to know Which particular packet denotes the first packet of the real response of the PHP response, right? Then we want to measure there that will be the best approach Because then you have reduced the amount of round trips that go back and forth and therefore you have reduced the jitter Okay, so and there are some further tips So first yeah, that's what I already said disable the power management that is that you can do on Linux very easily Measure over the wire so right so don't use Wi-Fi because when you do Wi-Fi It may happen that some some other machine is is doing some measurement And then your packets get dropped and things like that because it's just a collision domain, right? Do everything to reduce any disturbances on your local machine So that means any periodic tasks or so disable your your email program and things like that, okay, and Also try to keep your part of the network idle So if you have your home network DSL or so you should shut down the file sharing for the time being and then start your measurement And then do the file sharing later on, okay? Right and that's what I added two hours ago I don't do it from hacker conferences because the network quality is very Very weird, but we're gonna see this later on Okay, and then the last one is the first few dozen or the first hundred measurements Contain much more jitter because of all the caches that warm up during your measurements, right? So there are caches on your local machine There are caches on the on the on the distance server on the routers and so on So that means basically throw away the first measurements, right and use the later ones Okay Before I continue what I want to do is Because it reminded me to start the actual demo Okay, let's continue Okay, so what I want to want I want to share with you and the penetration testing community are two different programs The first one is is a programming library, which is written in C We call it FAU timer FAU is Friedrich Alexander University on the Arlang University The reason that we have written this in C is because there we can use inline assembler because we use the RDTSC Assembler assembler thing and we ported this to Python. So that's what I have already here with me And it it encapsulates the logic for for the timing measurement and if you look at this This is what you usually do. So right at the top you have a timing attack script And this timing attack script this calls some network sockets and does all the time all the timings measurement by himself Right and what we do here is we use this library just as an intermediate part Okay, so in your timing attack script You need to generate a request and you pass this over to FAU timer And it will do all the all the sending back and forth for you and it will also do the timing measurement for you Right, so you don't have to deal with network sockets and you don't have to deal with the timing measurement Okay So let's have a look at this. I've written a very small hello world Okay, so at the very top you see there is a request. That's a very simple HTTP request That's the one that we are going to send to the to the server and Here we just have have a loop We do some in its initialization to this to this library here We sent the see the request and this is where all the magic happens Okay, this is where yeah where we do everything and right here at the bottom We just get we just get all the things that we require from the library So at this particular point everything everything was done already, okay? So we get the CPU speed So our library is capable of determining how fast this particular CPU runs We get the ticks we get the time and we can also get the actual response from this and if I Whoops If I let this run This is pretty much how it looks like Okay, so it does everything for you You can just use this for your attack scripts in your and while penetration testing and just use this library and it does everything that is that is Related to measurement and socket handling and and so on Okay, what I need to say here is my my both student help us help me a lot doing this So that would be Isabel Schmidt and Nils Ichig. Thank you very much guys for this Okay, now we're at a point where we can where we can do measurements, right? so we do the best that we can to do To produce a data set that has as little jitter as any possible Okay, now we have but then we have just a comma separated value file with all the timings in there and now we do we need to do some analysis, right? So there are tools right to do this analysis and basically Basically what we're doing here statistics, right? So you can use any statistics program that you want that would be new plot math lab Stata are or just your favorite spreadsheet so you can use an open office Excel and and so on and so forth Right and there when you use these tools you can display the data that you have just measured in in in various plot styles styles So for example, there's the classical scatterplot. We will see this in the next slide how they look like and there You can detect temporal disturbances So right so let's assume that the link quality dropped immediately at the at some certain point Right, or we can we also see a very good at the overall quality of measurements Then we have a box plot and there we have several values Graphically tied together So that would be the median for example the minimum of the measurements the maximum of the measurements and so on and so forth and then we also have a histogram or Accumulative a distribution function a CDF and there we can compare the distributions of these data, right? Okay, let's have a look That's a that's a scatterplot and this is a scatterplot that I did in my home network I did this in a university And what you first see there is there are no obvious timing differences, right? So I zoomed in here and it doesn't really look that different Okay, but it's also I have to say that a scatterplot is not very good in determining differences But what we see here? We have a lot of outliers, right? So we have Outliers to the to the top and we have also outliers to the bottom and those very low outliers They are really strange because I would assume if let's say a Certain process takes a certain amount of time and I add jitter to it to this then I can only add jitter Right, so when I have a process that takes two milliseconds to finish And I get jitter on this then all of a sudden it can't be one millisecond. It has to be higher But what we have here is we have outliers at the very bottom So that's very strange, but you see this in all network measurements. You see these guys and Also, what what you see here is where things were messed up in a way, right? So here's a jump Right, all of a sudden here all the measurements took considerably Longer time and here they are smaller smaller smaller. So this this may be a case of a of a Timing data set that is not very good. I Thought this one was not very good until I came to this Congress Sorry animation takes some time Okay, so that was two hours ago I was sitting in a in a speakers room and I looked at the dashboard of the of this Congress and they told me 18% and 5% And then I did a demo scan and I saw this, right? Okay, so there's so many outliers right so you see a cloud of measurements You see them here you see another cloud of measurements here and you see another cloud of measurements here This doesn't make any sense Right, so this data set is unusable for timing attacks What you could do if this is the best that you can is you could filter out these ones So it could take this cloud only the measurements in this cloud or better only the measurements in this cloud and do a comparison on this It's worth a try, but I wouldn't go so far I would if you see this try to repeat the measurement from a different network for example Okay, so I'm really not so sure about that it looks much more saturated to me The network Okay, then we have a whisker diagram and a whisker diagram shows us a certain things So first of all the the fine line in the middle is the medium the 50 percent percentile and 50 percent percentile means that 50 percent of all the measurements that we have in the data set are in below this line and 50 percent the other 50 percent are above this line Okay, then we have the upper quartile This is the 70 75th percentile and also we have a lower quartile and there it works is just the same Right, so for the lower quartile We know that 55 percent of all the measurements are below this and 75 percent are above this Okay, I haven't shown the 25 percent and then we have the cumulative distribution function and you read this as such So this here is a probability and this here is a time the x-axis and What we see here, this is approximately 75 percent because that's a probability and when we put the line down here We see we are at this particular value and then we know that 75 percent of this are below this particular value. This is just so that you know how to read this particular Graph if you had a uniform distribution, it would be it would be a line a diagonal line Okay, so what can we see here if we zoom in? Then we see where these two functions are not Perfectly overlapping and those are the ones that we are looking at Okay, so if you look at the at the green line, you see certain red spots and that is the The the red function luring behind the the the green one and those are the parts where we can distinguish both data sets This is the ones that we are looking for Okay What we have did right now was to show it graphically right to take our data set and make graphs out of it There are algorithms where you can do this as well So there's for example the students t-test or the Wilcoxon test Those are two tests hypothesis test that will tell you if two data sets are significantly different or not Okay, and again Crosby in this paper that I already mentioned he he tried out both of these and he found that they don't really work very well For a timing attack because they're there too many false negatives and too many false positives And therefore he came up with this with his own Test which I don't want to describe in detail But we're planning to include this in a second tool that I'm going to release today Later on so this is work in progress. We know how to build a very good Algorithm to compare these on an automatically way, but it's not yet implemented And I do a demo on this in a few slides Okay But let's get over for for the attacks Okay, the attack that I want to show you was We want to guess a username at a typo 3 backend again the one with a different HTTP headers But this time we don't look at the HTTP headers. We want to look at the response times Okay, how do you do this? So first of all you have the username in question So we want to know whether admin exists whether this is a an existing username But we need to compare it to something else. So either you know one existing username or You choose an excuse and username which doesn't exist with very high Probability right so you can randomly generate a username and use this as a username Which doesn't exist then you compare both both the measurements and we also have an hypothesis here We say the login request with admin take measurably longer than those with something else, right? So I I use this particular number and I assume that it doesn't exist. It doesn't exist Okay Let's see how many we have okay, so only we so far have only a 500 500 measurements and I think that the the data set that we get from this will be very bad So I tried several from this particular network here and they all look very bad But we we try them we try it anyway Okay, so the reason for this is that this is not yet finished. I'll quit this and I have a look at the That looks good fingers crossed There we go Okay, and so what this tool really does is it's a reporting tool So all the graphs that I have shown you on this on the slides were generated by exactly this program Okay, so what we are releasing we we're gonna release these two tools in January The first is there for you to produce measurements to produce a data set and the second one is a tool to generate Plots from this particular measurement data set. Now, let's have a look Okay, it generates a PDF report Right. Oh, yeah, a lot of ads in there Sure, okay, so there's a bit of text where I can explain where I explain exactly the same things that I've just explained you What these particular plots are for? Let's scroll down and you see again. Okay, this data set is really messed up, right? So again, we have this strange clustering here. We have three clusters here The first the second and the third Well, let's let's look at it a bit deeper Okay, so we would think that the red thing here should be higher in general than this particular thing And if you look at the lower quartile, it really looks different, but here the median doesn't look that different So let's look further Yeah Here you see the different clouds, right? So we have these different bows in here because because the data set is really really not good Okay, and in a second chapter what we did there we applied a filter So we do some filtering in this tool and we try to give you we try to reduce this data set in a certain way that only those measurements are included and are displayed that Show the most information to our knowledge Okay, so that's a scatterplot. We don't see much and Here we see a thing that we wouldn't that we wouldn't expect so admin is actually lower than the other one So this data set is really is really not good Right here. This is exactly this the opposite what we would expect. So that is the reason, right? Okay, so the data set is really bad What I can show you is I Should have a report So that's how I would expect a measurement to look like right so that's that's how it's supposed to look and this is This is done on an ordinary DSL Connection that was idle. So I did this at home. So you don't need any fancy links, right? So I would even expect if I were if I would do the measurements in With with a UMTS connection. It would be much better than the network in here, right? So that's just the case Sorry Okay, here we see already the differences median is very different and we go down to the filtered ones Right and this is this is how it's supposed to look So that's the reduced data set, right? And there you see there's a significant timing difference And this is also how we how it's supposed to look right and from this one This is a step which I can't show you because of because of the time Pesh pressure that we have in this talk. You could use the Values that you have learned from these graphs in order to make to make a real script and to do a brute force attack To find out whether username exists or not this you can do with with this information. Okay There's a second example and this example. I've taken from an from an existing Paper which was already published not by me by other people, but I tried this by myself So what we want to do here is We want to know whether private pictures are included in an album of an online gallery Okay, so the thing is you have let's let's say you have a gallery and it only shows five pictures But I want to know whether there are more hidden pictures in in the back end and this is really what we got So we created a lot of albums and all those albums only showed a single picture to anonymous users All right, so down here we have the the different albums So the different the albums are numbered and here we have the microseconds and this is not I have not drawn this by hand But this is really how the filtered data set looks like so you can tell for example This particular album here has ten hidden pictures in it and this particular one here has 30 hidden pictures in it There's a lot of things that you can do with with these timing measurements Also a difference here compared to the typo 3 example with a typo 3 example you have a binary result So does a username exists or not and in this particular case? We don't have a binary thing. We have more like an amount of things. We can do this using timing as well Okay, those were the known attacks and now we have what we call a zero day even it's even a zero day Oh my gosh, come on. Okay, so this is a there's a standard out there and it's called XML encryption and Well, this is a the whole thing that I'm showing you right now is a joint work with Yura Samorowski and Tiva Yaga So what is XML encryption? Okay, so with XML encryption you'd take sub trees of an XML document and encrypt this and paste it again in the In the in the XML document and send it over some some line. Okay in this case. We have we have two blobs here It's an hybrid encryption That they use there so they use a session a session key which is encrypted with RSA. That's this one That's a session key It's RSA encrypted and included in here and that's the actual data So this is the encrypted sub tree of the XML document that was there was pasted in there Okay, how does the decryption of XML messages work? So first of all you take this cipher data and RSA decrypted Right because you want to have the session the session key in the second step you return an error if this If this session key does not comply with a pkcs one. We see later on what this is exactly is it's in a coding format Else if there was no error if it does comply with a pkcs one we decrypt We decrypt see data Over here. Oh, sorry wrong button we decrypt We decrypt see data that is this one We copy the sub tree that we have just decrypted again back to the XML document Then we pass the XML document and we return an error if the XML was not valid and That means we have a timing difference and through this timing difference We can determine whether this is pkcs one encoded or not this particular part. That's the first puzzle piece of our attack Now comes the second one In 1998 there was a guy called Daniel Bleichenbacher and he He showed in his paper that you can break RSA Within one million requests using an adaptive chosen cipher text attack under the condition that you get an oracle And this oracle does nothing more than tell you whether a certain cipher text was pkcs one compliant or not So that's an algorithm, right? And you don't have to understand the math of this, right? It's really just important to know that when you have RSA encryption and someone gives you an oracle that tells you Whether or not a given cipher text is pkcs one Encoded or not then you can break the whole then you can break the whole hours a right so you get you get Exactly the clear text out of this So that's the second puzzle piece Right. I just said in XML encryption in this standard the way that it works We can determine from the amount of time that it takes to process an XML encryption message We can learn whether it's pkcs compliant or not and here we have an algorithm that allows us to decrypt it Given the fact that we have this oracle Okay, how do you how do you know whether something is pkcs one conformant this here is how? How it looks like okay, so you have this you have an RSA encrypted session key And it always starts with a zero zero two always Then you have some padding then you have a zero bite and here comes the data block This is the session key and what most implementations of XML encryption do is they check whether this starts with a zero zero zero two Okay Now and this is what we have done Okay, I Already told you that This one here will only be decrypted if this key that is included here is pkcs one compliant and Here we can fill in anything right because the attacker can change this So I can include here a megabyte of data and this megabyte of data will be decrypted It doesn't have to decrypt to something meaningful. It just decrypts it. That's all that we need right So this is only only decrypted if this is pkcs compliant and the the size of this Information here of this data blob can be set by the attacker and This is what we've did here. So What we what do you see here is the the the size of this particular block? so here we have 100 kilobytes here we have one megabyte and Here you see the milliseconds and there for this we get two different graphs So the lower one where the decryption does not start It's this one and the higher one where the decryption starts which is pkcs compliant is the upper one So we have a significant timing difference and thus we can use this to decrypt XML encrypted Messages Okay, how did we do this? How did we do the attack? First of all we split our attack into two phases? So we have a learning phase and an attack phase and then we start Measuring the response time of a pkcs one come a compliant measurement Then we get this that's a cloud of measurements Then we take the lowest one So we find the minimum the minimum response time and call it just a pkc was pkcs one Compliance boundary, okay, and now that's a question for you if I get a measurement here What does this tell me? It's not compliant correct Okay, so any measurement below this boundary definitely is not pkcs compliant because the decryption didn't start right it didn't start What happens if I have a measurement here? Sorry, you can't know that's exactly the case So when you when you are here, it's it is above the compliance boundary But it could be two cases there two cases what we could measure here First of all it could be a compliant measurement that would be here But because of the measurement jitter it would be above here or the second case could be it's not compliant and we have high jitter Okay, and in this case what we do if we have a measurement above this boundary we repeat the measurements n times let's say we repeat it 50 times and If after 50 times all of them were above this we know it's pkcs pkcs one compliant The good thing about this. I told you this attack takes around one one million attacks most of them are Not pkcs compliant Right, so we don't have to repeat this very often And that's the actual attack that we did on the on a local host server, right? So here we use 100 kilobytes of data that we sent over this here We have this boundary that I just told you the upper one are the pkcs Pkcs one compliant measurements and the below one are those that are not compliant and Using this we could decrypt the ciphertext within three hours on on this laptop. So very fast actually Yeah, I already said it's 100 kilobytes of seed data. It took us a Little more than 300,000 oracle queries, but this really depends on the particular hours a key that we used So it could be above a million also really depends on the hours a key But what is really interesting here is we just needed on average one dot two four requests per oracle request And that's very fast. That's a very fast timing attack. Now. You could say that's local host We tried the is the same on an internet server and what we did there is we increased The size of data that's that's supposed to be decrypted to one megabyte so that the timing gap gets gets bigger Okay, and there we could decrypt the ciphertext in less than a week, right? And we also took only one dot two requests per oracle query And so that's a feasible attack also a timing attack over the internet which works quite well Okay One of my last slides. What time do we have how much 10 minutes left? Okay, so, okay This all is work in progress. So even when I finished my PhD I really want to continue on this and that's a call for participation. So there's many open things in this Right. So the these two programs that we are about to release in January. They do very basic stuff They do the right things but they can be improved and and there I need Students who are looking for master thesis diploma thesis bachelor thesis if you are an open source hacker and want to contribute You can do this here Just just drop me a line. Oh, and what I also wanted to say I'll I'll release the URL of the of the two programs on Twitter someone in in January. So my My Twitter is here Okay. Yeah, there's some literature and further reading right if you're interested really in this you can look also on these And that's about it. Thank you very much If you must leave now then please do but quietly until the Q&A session is over So if you have any questions raise your hand, we have a second microphone over there We'll try to get to you and let you ask the question so In the last In your in your last try test You say you needed a week for Decrypt XML What connection you had? The test okay, so that was a university connection, right? So it's it's quite fast. I would say 100 100 megabit. I would say right Now the reason that it was that it was one week was because we we do have to transfer a lot of traffic so it's it's really a lot of gigabytes that we have to send back and forth in order to do the attack and From the From the jitter and things like that it wasn't particularly well But what we needed is a big uplink so we needed to send a lot of data and that's why we did it on the university But you could do it in theory also with your DSL link would be sufficient. I think there was someone In terms of preventing these kind of attacks on my code the first thing I'm going to do when I get home is add some random sleep Statements authentication routines, but is there anything else that you can suggest might be a bit cleverer than that maybe Okay, that's that's a very good question. I have prepared a few slides to this And I'm very glad that you're asking because this is really also the interesting part What can you do about it and I can tell you it's it's it's a whole it's it's it's an own talk So I would need an own speaker slot to really talk about this in in general But what you want to do actually what you just said was a random sleep Random sleep, right? So in the first step you get a random number and then you do some modulus on this because you want to You want to prune this on to a certain maximum maximum sleep statement, right? And what we did here is a 200 microseconds and then we did this sleep Okay, and we did this with with this big data. I hope you guys can see this in the back So that's the initial data set that we see here Okay, and then we produced a data set filter this data set and this is what resulted from this So what you see here is actually now this line here and what you see here is this line now And you see it's it's more it's more edgy. It's more noisy, but it's still significant right so Random delay padding doesn't work very well if you have a smart filter if you do smart filtering you can remove this There's a paper what I'm doing what I want to so you guys have to you have to promise me that you tell no one writes about this So there's a thing which is actually provably secure right this is part of my phd thesis and it's very easy It's actually very easy. Okay. Let's take the part where you have an existing username and a non-existing username Okay The existing username or the non-existing username is this input here That's the username in the in a string Then you append some secret to it and this secret has to be static and the attacker does not must not know it And then you do some hashing on it so that you get an a number which looks random, but it's deterministic Because for the same input this will always produce the same the same measuring right and then you do again the The modulus to it and then you sleep on it and when you do exactly the same So that's the same data set as I have shown you and the same good filtering that I did you get something like this So that seems to be much better and There's there are other ways as well what you what you can do there, right? And this is only I mean these things that I've shown you here are only those things where you can't influence the timing differences What I want to show you is I also have a slide for preventing exactly the attack that we that we have against the XML encryption And the problem the vulnerability sits exactly here because we return an error if it does not comply with a pkcs one and The fix to this and that's an implementation fix not and not a fix to the standard is we generate a random session key Right and if it does not comply with pkcs one and then continue Right, so we decrypt the data the data at the bottom with some arbitrary key which generates rubbish Right, that's not XML, but the good thing is that it's not XML. He will only learn in step six So we have no timing differences anymore. I'm sorry Yeah, okay, so the question was the question was that generating Generating a random key does take time. That's true, but what we could do is we could generate the random key here as well Right and then we have just have this single assignment and you can't really measure a single assignment I wouldn't say this is feasible well as a responsible admin I would obviously monitor the network traffic for suspicious IPs who try to send gigabytes of Data was in one week or a couple of hours and Obviously if I filled out the first wave this way Especially for planet lab. I mean you said you basically did us them and to a certain degree didn't they Catch you in some way Okay, so I mean what we did is When we when we did the measurement on planet lab, we didn't run it all the way through and the reason for this is We have implemented the bleichenbacher attack right and we know exactly at which particular step Pkcs one compliant key comes out and when not and we tried this just for let's say 10,000 measurements And as we had exactly the same signature, right the same sequence of compliant and non-compliant Keys therefore we inferred that it's the Oracle is working right The next thing is I see this attack very relevant on Let's let's say for example on the Amazon cloud right, so Let's say you have your you have you have rented and a linux server on the Amazon cloud And there's a paper which shows what I need to do to be co-located on the Amazon cloud on your particular On to be co-located on the same hardware as your VM and then I do this local host attack And there's no monitoring Right, so there I can send arbitrary amounts of data on the on the local host and nobody will look at this Okay, isn't the bug fix essentially a way to do a denial of service against yourself Because in case the attacker Gases on the random Session key incorrectly you can about earlier Well Either you have the oracle function and return early or you decrypt everything on the our attacker can throw arbitrary amounts of data at you Without guessing anything correctly and you just waste CPU cycles in a big way I'm not sure whether I have really understood it so you were saying the attacker is changing the data Strangely the data that that he sends to us and what the idea was that the fix which is suggesting Does eliminate the shortcut which you could abuse otherwise to reduce the amount of data you have to process so The attacker doesn't have to care anymore To give you some if he just wants to do a denial of service and doesn't want to break in he can just Abuse this mitigation technique to overload your CPU more easily. Okay, and I think I know what you mean you're saying that If the attacker sends arbitrary stuff to my server and the server has to decrypt it and so on he can do this Anyway, the reason for this is when he eats drop When he eats drop on one XML Encrypted message the one that he wants to break he already has a key that is pkcs one compliant So this makes him he is able to actually use the key that he wants to break and Send it with some stuff to the to the server and the server will decrypt it also in the vulnerable case So he can do this already But it's a valid attack. I mean you're you're right Any more questions? I would like to know so your tool how how low can can it measure so for example if you make an attack Local network if you make an attack in on the internet and like like you said on Amazon So what what can you measure you can measure? Microseconds how many and this kind of stuff? Okay, so I have been down to a few microseconds on the internet, but this is So the what you what you can do always is if Let's put it this way if you have a timing gap that is very low Right, what you can do is you you measure a lot of times Let me let me give you an example if you have 10 milliseconds you can you can measure this with five five Request that's enough in order to cancel out the jitter If you have a timing leak of five microseconds, you may have to you may have to measure a million times even more right, so that is There's no hard boundary of what you can measure and what you can't measure. It's more like a question of feasibility Right, it doesn't make any sense to send a billions of requests and to wait 10 years for this Yeah Have you looked at the feasibility of guessing HMAC values? Based on the time it takes to compare a valid HMAC with the invalid input Okay, no, I have no I haven't done it, but it's on my list Right, so I really want to do this. That's that's a very good one, right? So what you're talking about is more like if There's a login right and you in the back end there's some hash comparison because the password is not stored in clear text It's Paul is stored as a hash and what the attacker does is he sends over a hash that starts with zero and then he's measure Then he does the same with with a hash that starts with one and two and three and four and At one measurement he sees that it takes a bit longer Because the hash doesn't stop at the first comparison, but he goes to the second one and so you can guess Yeah, you can iterate through the hash values much more easy. Yeah, I'd like to do this. I've never done it Okay, thank you for your Probably yes, is it awesome. Thanks. Thanks for this talk. Have a run of the bowels