All in the timing: How side channel attacks work
By Philip "Phildini" James, Asheesh Laroia

In this talk, you’ll learn about a category of security issue known as side channel attacks. You’ll be amused to see how features like automatic data compression, short-circuit execution, and deterministic hashing can be abused to bypass security systems. No security background knowledge is required. The talk assumes at least intermediate Python experience.

Saturday 2:35 p.m.–3:05 p.m.

We’ll take a tour of real side channel vulnerabilities in open source Python codebases, including the patches that fixed them. The talk also offers practical advice for avoiding these issues. My goal is to demystify this topic, even if you aren’t writing security-critical software.

This talk is for intermediate or higher Python developers who want a foundation for understanding side channel security vulnerabilities. We hope to allow software developers without a security background to understand the security mindset.

Philip "Phildini" James

Philip is a Senior Apiarist with the BeeWare Project, an organizer for DjangoCon US, and the Co-Founder of Bay Bridge Python. He has spoken at over a dozen conferences worldwide, including multiple PyCons and DjangoCons. He works for Patreon in San Francisco.

Asheesh Laroia

Asheesh Laroia is a software engineer currently on vacation.

His professional background touches machine learning, security, and linguistics. He ran an open source outreach nonprofit called OpenHatch for five years; helped start the Boston Python Workshop for women and their friends; has been teaching Python to newcomers since 2004, including at Noisebridge and the EFF; and has advised user groups on how to make their events more newcomer-friendly and gender-diverse. He's worked at Stripe, Eventbrite, Sandstorm, Creative Commons, and OpenHatch.
