
Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation

1,814 views

Imperva Hacker Intelligence Initiative Report: HTTP/2: In-depth analysis of the top four flaws of the next-generation web protocol

Published in: Technology
  • View our presentation which discusses our findings on Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation


  1. Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation. Itsik Mantin, Nadav Avital. August 2016. © 2016 Imperva, Inc. All rights reserved.
  2. Speakers
     • Itsik Mantin
       – Director of Security Research at Imperva
       – 15 years of experience in the security industry
       – Holds an M.Sc. in Applied Math and Computer Science
     • Nadav Avital
       – Application security research team leader
       – 10 years of industry experience, mostly hacking and security technology
       – Holds a B.Sc. in Computer Science
  3. Credit
     • Noam Mazor, Application Security researcher at Imperva
     • Alex Maidanik and Avihai Cohen, Technion - Israel Institute of Technology
  4. The Research
     • Unexplored territories of HTTP/2
       – New mechanisms
       – New server implementations
  5. The Servers (image slide)
  6. Outline
     • HTTP/2 Motivation and Background
     • HTTP/2 Technology
     • The Attacks
     • Summary and Conclusion
  7. HTTP/2 Motivation
     • HTTP 1.1 is no longer suitable for modern web content
       – Large number of web resources per page
       – Latency
       – Head-of-line blocking
       – Large headers
  8. 2016 Web (image slide)
  9. HTTP/2 Design Principles
     • Main goal: speed
       – Reduce latency
       – Reduce bandwidth
     • Support gradual deployment
       – Preserve HTTP 1.1 semantics (over a new binary layer)
       – Negotiation protocol (ALPN)
     • Encryption
       – Mandated by many implementations
  10. (image slide)
  11. Lightning-fast Adoption: Web Clients, Content Delivery Networks, Sites, Web Servers (image slide)
  12. HTTP/2 Technology
  13. HTTP/2 Technology: HPACK Compression, Server Push, Stream Multiplexing, Flow Control
  14. HTTP/2 Transport Layer
     • Frame
       – Binary objects
       – The smallest data delivery unit
       – Can include headers, data, settings, etc.
     • Stream
       – Carries a request + response
       – Multiple frames
     • HTTP/2 Connection
       – Application-layer connection over a TCP connection
       – Carries multiple streams (using stream multiplexing)
  15. HTTP/2 Binary Layer (image slide)
  16. (image slide)
  17. New 0-day DoS Attacks
     • CVE-2016-1546
     • CVE-2015-8659* (not by Imperva)
     • CVE-2016-0150
     • CVE-2016-1544
     • CVE-2016-2525
  18. Attack Summary: Compression, Stream Dependency & Priority, Stream Multiplexing, Flow Control
  19. Attacking HTTP/2 Flow Control Mechanism
     • CVE-2016-1546 – Window size
  20. Flow Control
     • Based on WINDOW_UPDATE frames
     • Defined to protect endpoints that operate under resource constraints
     • Specific to a connection
     • Spec only defines format and semantics
     • Mandatory and cannot be disabled
  21. Flow Control LDR Attack Flow (diagram: attacker and server over a single HTTP/2 connection; attacker reduces the window size; request for a large resource (stream 1); request for a large resource (stream 3); attacker slowly increases the window size; users cannot get responses)
     • When Jetty gets a request for a resource larger than the window size, the thread that handles the request goes to sleep (30 seconds)
     • In Apache/IIS the attacker keeps the connection alive by slowly increasing the window size
     • By sending multiple requests an attacker can make all the threads sleep for a long time and cause a denial of service
  22. (image slide)
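The server-side fix for a window-starvation stall is to stop blocking a worker per stalled stream and instead budget how long a connection may keep queued data window-blocked. The following monitor is an added example, not code from the Imperva deck or from any of the servers it names; the class name, the 1024-byte progress threshold and the 10-second budget are assumptions.

```python
# Added example (not from the Imperva deck): a per-connection flow-control
# stall monitor. Rather than parking a worker thread while the peer keeps the
# send window tiny, the server tracks how long queued response bytes have been
# window-blocked and closes the connection once a stall budget is used up.
# Timestamps are passed in explicitly so the logic is deterministic.

DEFAULT_WINDOW = 65535  # SETTINGS_INITIAL_WINDOW_SIZE default (RFC 7540 6.9.2)

class FlowControlMonitor:
    def __init__(self, min_progress=1024, max_stall=10.0):
        self.window = DEFAULT_WINDOW      # bytes the peer currently lets us send
        self.min_progress = min_progress  # a window below this counts as blocked
        self.max_stall = max_stall        # seconds of blocking tolerated
        self.pending = 0                  # response bytes queued, all streams
        self.blocked_since = None

    def apply_initial_window(self, size, now):
        # A SETTINGS_INITIAL_WINDOW_SIZE change adjusts the live window by the
        # difference from the previous value (assumed here to be the default).
        self.window += size - DEFAULT_WINDOW
        return self.tick(now)

    def queue_response(self, nbytes, now):
        self.pending += nbytes
        return self._drain(now)

    def window_update(self, increment, now):
        self.window += increment
        return self._drain(now)

    def _drain(self, now):
        sent = min(self.window, self.pending)   # send what the window allows
        self.window -= sent
        self.pending -= sent
        return self.tick(now)

    def tick(self, now):
        """Return 'ok', 'stalled' or 'close' for this connection."""
        if self.pending == 0 or self.window >= self.min_progress:
            self.blocked_since = None         # real progress resets the clock
            return 'ok'
        if self.blocked_since is None:
            self.blocked_since = now
        # Tiny WINDOW_UPDATE increments do not reset blocked_since, so a
        # window widened byte by byte still exhausts the budget.
        if now - self.blocked_since > self.max_stall:
            return 'close'
        return 'stalled'
```

A peer that shrinks the window to a few bytes and then trickles WINDOW_UPDATEs gets 'stalled' and then 'close' once the budget runs out, while a client that refills the window normally returns to 'ok'.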
  23. Attacking HTTP/2 Dependency Mechanism
     • CVE-2015-8659* - memory cleanup
  24. Stream Priority & Dependency
     • Optional (can be ignored)
     • Each stream can be given an explicit dependency on another stream
     • Allows an endpoint to express how it would prefer its peer to allocate resources
     • The graph is a tree
  25. Stream Dependency Cycle (diagram: streams 13, 11, 9, 7, 5, 3)
     • Assume MAX_CONCURRENT_STREAMS = 4 (tree size)
     • Send the priority frames
       – Stream 7 → stream 5 (forces the server to remove stream 7)
       – Stream 5 → stream 3
     • Stream 3 is saved at the same address as stream 7
     • A dependency cycle is created
  26. Stream Dependency Denial of Service (diagram: stream 7 address; same address for stream 3; infinite loop)
     • Both stream 7 and stream 3 are located at the same memory address
     • The stream_update_dep_set_top function enters an infinite loop
  27. (image slide)
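The dependency bug above is a cycle in a structure the spec requires to stay a tree, and the loop that walks it never terminates. As an added example (not nghttp2's code and not from the deck), here is a minimal dependency tree that applies the RFC 7540 section 5.3.3 reprioritization rule so a PRIORITY frame cannot create a cycle, and that re-verifies the tree after each update; class and method names are assumptions.

```python
# Added example (not from the deck or nghttp2): a minimal HTTP/2 stream
# dependency tree applying the RFC 7540 section 5.3.3 reprioritization rule,
# plus an invariant check after every update. Stream 0 is the root.

class DependencyTree:
    def __init__(self):
        self.parent = {0: None}     # stream id -> parent stream id
        self.children = {0: set()}  # stream id -> child stream ids

    def add_stream(self, sid, dep=0):
        self.parent[sid] = dep
        self.children[sid] = set()
        self.children[dep].add(sid)

    def _is_descendant(self, sid, of):
        cur = self.parent.get(sid)   # walk ancestors of sid looking for 'of'
        while cur is not None:
            if cur == of:
                return True
            cur = self.parent[cur]
        return False

    def _move(self, sid, new_parent):
        self.children[self.parent[sid]].discard(sid)
        self.parent[sid] = new_parent
        self.children[new_parent].add(sid)

    def reprioritize(self, sid, dep, exclusive=False):
        if sid == dep:   # RFC 7540 5.3.1: self-dependency is a PROTOCOL_ERROR
            raise ValueError("stream %d cannot depend on itself" % sid)
        # 5.3.3: if the new parent is below sid, first lift it to sid's
        # current parent; only then re-hang sid. This is what prevents cycles.
        if self._is_descendant(dep, sid):
            self._move(dep, self.parent[sid])
        self._move(sid, dep)
        if exclusive:   # sid adopts all of dep's other children
            for child in list(self.children[dep] - {sid}):
                self._move(child, sid)
        self.assert_acyclic()

    def assert_acyclic(self):
        # Defensive invariant: every stream reaches the root without looping,
        # so a walk like the one in the slide can never spin forever.
        for sid in self.parent:
            seen, cur = set(), sid
            while cur is not None:
                if cur in seen:
                    raise RuntimeError("dependency cycle at stream %d" % cur)
                seen.add(cur)
                cur = self.parent[cur]
        return True
```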
  28. Attacking HTTP/2 Stream Multiplexing Mechanism
     • CVE-2016-0150
  29. Stream Multiplexing
     • Multiple requests and responses at the same time over a single connection
     • The partition of the TCP connection is purely logical
  30. Stream Abuse (diagram: open HTTP/2 connection; send two requests on one stream; users cannot get responses)
     • Attacker sends multiple requests on the same stream
     • HTTP.sys in Windows 10 crashes (Blue Screen of Death)
  31. (image slide)
  32. Attacking HTTP/2 Compression Mechanism
     • CVE-2016-1544 - HPACK Bomb
     • CVE-2016-2525 - Wireshark
  33. Headers Compression
     • Both sides (client/server) maintain header tables per TCP connection direction
     • These tables consist of static and dynamic parts
     • These tables are used as dictionaries to compress/decompress the headers
  34. Headers Compression (image slide)
  35. HPACK Bomb Attack Flow (diagram: insert a long header into the dynamic table; send requests with thousands of header references; users cannot get responses; 16,000 references x 4 KByte = 64 MByte decompressed, versus 16,000 references x 1 byte = 16 KByte compressed)
     • Attacker sends a request with an extremely long header “X” (HEADERS frame)
     • The request contains the maximum number of references to header “X”
     • By sending 14 frames, the attacker can crash nghttp
  36. HPACK Bomb – Calculation
     • The default size of the dynamic table is 4 KB
     • A request can contain 16 KB of headers
     • One request can be decompressed to 16K * 4 KB = 64 MB
     • 14 requests will be decompressed to 14 * 64 MB = 896 MB, enough to crash our nghttp server
  37. (image slide)
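The asymmetry in the calculation above (one-byte index references expanding to 4 KB each) is why a decoder must bound the decompressed header list rather than the compressed block. As an added example (not the deck's code and not nghttp2's), here is a simplified HPACK-style decoder that enforces a SETTINGS_MAX_HEADER_LIST_SIZE-style limit and aborts before materialising an oversized list; it models only the dynamic table and index semantics, not the bit-packed RFC 7541 wire format, and the class and function names are assumptions.

```python
# Added example (not the deck's or nghttp2's code): a simplified HPACK-style
# decoder that bounds the decompressed header list. Real HPACK is bit-packed
# (RFC 7541); only the dynamic table and index semantics are modelled here.

DEFAULT_TABLE_SIZE = 4096  # SETTINGS_HEADER_TABLE_SIZE default
FIELD_OVERHEAD = 32        # per-field overhead, RFC 7541 4.1 / RFC 7540 6.5.2

class HeaderListTooLarge(Exception):
    pass   # args: (field_number_that_overflowed, decoded_bytes_so_far)

class BoundedHpackDecoder:
    def __init__(self, max_header_list_size, table_size=DEFAULT_TABLE_SIZE):
        self.max_list = max_header_list_size   # SETTINGS_MAX_HEADER_LIST_SIZE
        self.table_size = table_size
        self.table = []    # dynamic table, newest entry first (index 1)

    def _insert(self, name, value):
        self.table.insert(0, (name, value))
        # Evict the oldest entries until the table fits its byte budget.
        while sum(len(n) + len(v) + FIELD_OVERHEAD for n, v in self.table) > self.table_size:
            self.table.pop()

    def decode(self, block):
        """block: list of ('literal', name, value, add_to_table) or ('indexed', i)."""
        out, total = [], 0
        for instr in block:
            if instr[0] == 'literal':
                _, name, value, add_to_table = instr
                if add_to_table:
                    self._insert(name, value)
            else:
                name, value = self.table[instr[1] - 1]
            total += len(name) + len(value) + FIELD_OVERHEAD
            # Abort before building a list larger than allowed: the check
            # costs one addition per field, not one allocation per reference.
            if total > self.max_list:
                raise HeaderListTooLarge(len(out) + 1, total)
            out.append((name, value))
        return out

def check_block(decoder, block):
    """Return ('ok', field_count) or ('rejected', field_number_that_overflowed)."""
    try:
        return 'ok', len(decoder.decode(block))
    except HeaderListTooLarge as exc:
        return 'rejected', exc.args[0]

def repeated_reference_block(n_refs, value_size=4000):
    """Constructed test input using the deck's figures (one ~4 KB table entry,
    then n_refs index references to it); a list of tuples, not a wire payload."""
    return [('literal', 'x', 'a' * value_size, True)] + [('indexed', 1)] * n_refs
```

With a 16 KB list limit the 16,000-reference block is rejected at the fifth field, after a few kilobytes instead of the 64 MB the slide computes, while an ordinary request decodes normally.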
  38. HPACK Bomb – Collateral Damage
     • Wireshark
       – Uses the nghttp2 library to decompress headers
       – Other applications that rely on the nghttp2 library may be vulnerable
  39. Risk Mitigation
  40. Mitigation
     • Abandon your HTTP/2 plans?
       – HTTP/2 is the next generation protocol for the Internet
       – HTTP/2 serves acute business needs
       – Dozens of CVEs are published every month for non-HTTP/2 servers
     • Choose a “secure” server implementation?
       – None was found immune
       – What about 3rd party software?
       – More vulnerabilities to come
     • Patch?
       – Build a patching framework
  41. How to win the Patching Race?
     • How do I know that a vulnerability exists?
     • When will the patch be ready?
     • What’s the impact of the patch (and reboot) on my business?
     • Is the patch stable?
     • Am I risking my business?
  42. Web Application Firewall and Virtual Patching (diagram: Web Application Firewall (on premise/cloud); security flaw; business owner focuses on business; server remains intact; server remains protected)
  43. (image slide)
  44. Summary
     • The HTTP/2 protocol is an excellent technology to provide the next generation of the Internet
     • HTTP/2 is gaining popularity and support from all significant web stakeholders
     • We demonstrated new attacks on implementations of significant HTTP/2 servers
       – Utilizing the significant power given to the sender
       – Implementation pitfalls
  45. Conclusions
     • HTTP/2 is here to stay, and rightfully so
     • HTTP/2 extends the attack surface for web attackers
       – New highly customizable transport mechanisms
       – New code released to the wild
       – Unplowed land
     • The HTTP/2 ecosystem is still not security-mature. Moreover, things may get worse when websites start utilizing HTTP/2 capabilities
     • Without external protection and virtual patching, the business owner will always be behind in the patching race
  46. Download the full report here: http://www.imperva.com/DefenseCenter/HackerIntelligenceReports
