SlideShare uma empresa Scribd logo

Collision vulnerability for hash data structures in web platforms

B
Berescu Ionut

Collision vulnerability for hash data structures in web platforms (Denial of Service attack)

Tecnologia
1 de 13
Collision vulnerability for hash data structures in web platforms (Denial of Service attack) Berescu Ionut 2012
Overview • A variety of programming languages suffer from a vulnerability when storing data as key/value pairs in hash data structures. • The condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms and can be used for constructing a low-bandwidth Denial of Service attack (DoS)
Vulnerable languages/servers • Java, all versions • Apache Geronimo, all versions • JRuby <= 1.6.5 • Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22 • PHP <= 5.3.8, <= 5.4.0RC3 • Oracle Glassfish <= 3.1.1 • Python, all versions • Jetty, all versions • Rubinius, all versions • Plone, all versions • Ruby <= 1.8.7-p356 • Rack <= 1.3.5, <= 1.2.4, <= 1.1.2 • V8 JavaScript Engine, all versions
What is a hash table? • A hash table or hash map is a data structure that uses a hash function to map identifying values, known as keys to their associated values . • Ideally, the hash function should map each possible key to a unique slot index, but this ideal is rarely achievable in practice. Instead, most hash table designs assume that hash collisions (different keys that map to the same hash value) will occur and must be accommodated in some way.
How are the languages vulnerable? • Most languages do not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, so an attacker can degenerate the hash table by sending lots of colliding keys. • The algorithmic complexity of inserting n elements into the table then goes to O(n*2), making it possible to exhaust hours of CPU time using a single HTTP request.
Hash tables in PHP • PHP internally uses hash tables to store arrays. • Hash tables are very fast for storing and getting data and that it’s why they are used heavily in every language. • Most PHP arrays have in the back a C hash table. Example: $_GET, $_POST, ARRAY, $GLOBALS, etc..
Constructing a 100% colliding hash table in PHP • In PHP if the array key is a integer the hash is the integer itself, all PHP does is apply a table mask on top of it: hash & tableMask. • The underlying C array has always a size which is a power of 2. • So if we store 10 elements the real size will be 16. If we store 33 it will be 64. If we store 63 it will also be 64. The table mask is the size minus one. So if the size is 64, i.e. 1000000 in binary the table mask will be 63, i.e. 0111111 in binary. • Basically the table mask removes all bits that are greater than the hashtable size.
Constructing a 100% colliding hash table in PHP • If we insert a total of 32 elements, the first one 0, the second one 32, the third one 64, the fourth one 128, etc., all of those elements will have the same hash and all will be put into the same linked list, creating a 100% colliding hash table.
Constructing a 100% colliding hash table in PHP • Code example: $size = pow(2, 15); $max = ($size - 1) * $size; for ($key = 0, $key <= $max; $key += $size) { $data[$key] = 0; } • The above example will require an abnormal amount of time to run, as all hash values will be in the same linked list, inserting them taking a lot longer.
DoS attack • Sending a POST request, or a request that will be decoded into an Array (JSON for example) can result in a DoS attack. • By sending a large number of parameters by POST with keys that will create a hash table with 100% collision, it will require the web platform a very large amount of time and CPU usage for inserting the elements.
DoS attack in PHP • Sending the 100% collision array in a POST request (with a size of let’s say 2^16) will make PHP consume 100% of the systems CPU for a couple of hours.
Impact • Any website running one of the technologies mentioned which provides the option to perform a POST/GET request is vulnerable to this very effective DoS attack. • With a very low-bandwith connection we can keep thousands of targeted systems cores at 100% use.
Workarounds • For languages where no fixes have been issued, there are a number of workarounds: • Limiting CPU time (max_input_time in PHP). • Limiting the maximal number of parameters (max_input_vars in PHP). • Using different data structures.

Recomendados

Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS Attack
Miroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
Miroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
Miroslav Stampar
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacks
Miroslav Stampar
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
Yurii Bilyk
 
The Cryptography has YOU
The Cryptography has YOUThe Cryptography has YOU
The Cryptography has YOU
Yurii Bilyk
 
Cryptography - Simplified - Hash Functions
Cryptography - Simplified - Hash FunctionsCryptography - Simplified - Hash Functions
Cryptography - Simplified - Hash Functions
Abdul Manaf Vellakodath
 
Synchronization
SynchronizationSynchronization
Synchronization
David Evans
 

Recomendados

Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS Attack
Miroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
Miroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
Miroslav Stampar
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacks
Miroslav Stampar
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
Yurii Bilyk
 
The Cryptography has YOU
The Cryptography has YOUThe Cryptography has YOU
The Cryptography has YOU
Yurii Bilyk
 
Cryptography - Simplified - Hash Functions
Cryptography - Simplified - Hash FunctionsCryptography - Simplified - Hash Functions
Cryptography - Simplified - Hash Functions
Abdul Manaf Vellakodath
 
Synchronization
SynchronizationSynchronization
Synchronization
David Evans
 
Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons Learned
Daniel Lemire
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time stream
Codemotion
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itself
Yurii Bilyk
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
Mijanur Rahman Milon
 
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
Ontico
 
Text tagging with finite state transducers
Text tagging with finite state transducersText tagging with finite state transducers
Text tagging with finite state transducers
lucenerevolution
 
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Codemotion
 
Natural Language Toolkit (NLTK), Basics
Natural Language Toolkit (NLTK), Basics Natural Language Toolkit (NLTK), Basics
Natural Language Toolkit (NLTK), Basics
Prakash Pimpale
 
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
FrancisJeremiah1
 
Diagnostics & Debugging webinar
Diagnostics & Debugging webinarDiagnostics & Debugging webinar
Diagnostics & Debugging webinar
MongoDB
 
Diagnostics and Debugging
Diagnostics and DebuggingDiagnostics and Debugging
Diagnostics and Debugging
MongoDB
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
Christian Martorella
 
Google Spanner
Google SpannerGoogle Spanner
Google Spanner
Vaidas Brundza
 
Hash function
Hash function Hash function
Hash function
Salman Memon
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
TECHNOLOGY CONTROL CO.
 
Encryption in php
Encryption in phpEncryption in php
Encryption in php
sana mateen
 
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Alexis Von Glasow
 
SnortUsersWebcast-Rules_pt2
SnortUsersWebcast-Rules_pt2SnortUsersWebcast-Rules_pt2
SnortUsersWebcast-Rules_pt2
Liễu Hồng
 
Automata Invasion
Automata InvasionAutomata Invasion
Automata Invasion
lucenerevolution
 
PHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookPHP MySQL Workshop - facehook
PHP MySQL Workshop - facehook
Brainware Consultancy Pvt Ltd
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
Nipun Joshi
 

Mais conteúdo relacionado

Mais procurados

Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons Learned
Daniel Lemire
 
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
Ontico
 
Diagnostics and Debugging
Diagnostics and DebuggingDiagnostics and Debugging
Diagnostics and Debugging
MongoDB
 
Automata Invasion
Automata InvasionAutomata Invasion
Automata Invasion
lucenerevolution
 

Mais procurados (20)

Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons Learned
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time stream
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itself
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
 
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
ToroDB: scaling PostgreSQL like MongoDB / Álvaro Hernández Tortosa (8Kdata)
 
Text tagging with finite state transducers
Text tagging with finite state transducersText tagging with finite state transducers
Text tagging with finite state transducers
 
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
 
Natural Language Toolkit (NLTK), Basics
Natural Language Toolkit (NLTK), Basics Natural Language Toolkit (NLTK), Basics
Natural Language Toolkit (NLTK), Basics
 
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
 
Diagnostics & Debugging webinar
Diagnostics & Debugging webinarDiagnostics & Debugging webinar
Diagnostics & Debugging webinar
 
Diagnostics and Debugging
Diagnostics and DebuggingDiagnostics and Debugging
Diagnostics and Debugging
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 
Google Spanner
Google SpannerGoogle Spanner
Google Spanner
 
Hash function
Hash function Hash function
Hash function
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
Encryption in php
Encryption in phpEncryption in php
Encryption in php
 
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017
 
SnortUsersWebcast-Rules_pt2
SnortUsersWebcast-Rules_pt2SnortUsersWebcast-Rules_pt2
SnortUsersWebcast-Rules_pt2
 
Automata Invasion
Automata InvasionAutomata Invasion
Automata Invasion
 

Semelhante a Collision vulnerability for hash data structures in web platforms

Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
Nipun Joshi
 

Semelhante a Collision vulnerability for hash data structures in web platforms (20)

PHP MySQL Workshop - facehook
PHP MySQL Workshop - facehookPHP MySQL Workshop - facehook
PHP MySQL Workshop - facehook
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
 
Php intro
Php introPhp intro
Php intro
 
Php intro
Php introPhp intro
Php intro
 
Php intro
Php introPhp intro
Php intro
 
Materi Dasar PHP
Materi Dasar PHPMateri Dasar PHP
Materi Dasar PHP
 
test
testtest
test
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
ssfsd fsdf ds f
ssfsd fsdf ds fssfsd fsdf ds f
ssfsd fsdf ds f
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
ssfsd fsdf ds f
ssfsd fsdf ds fssfsd fsdf ds f
ssfsd fsdf ds f
 
ssfsd fsdf ds f
ssfsd fsdf ds fssfsd fsdf ds f
ssfsd fsdf ds f
 
IntroductiontoPHP.ppt
IntroductiontoPHP.pptIntroductiontoPHP.ppt
IntroductiontoPHP.ppt
 
ssfsd fsdf ds f
ssfsd fsdf ds fssfsd fsdf ds f
ssfsd fsdf ds f
 
ssfsd fsdf ds f
ssfsd fsdf ds fssfsd fsdf ds f
ssfsd fsdf ds f
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 

Último (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 

Collision vulnerability for hash data structures in web platforms

  • 1. Collision vulnerability for hash data structures in web platforms (Denial of Service attack) Berescu Ionut 2012
  • 2. Overview • A variety of programming languages suffer from a vulnerability when storing data as key/value pairs in hash data structures. • The condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms and can be used for constructing a low-bandwidth Denial of Service attack (DoS)
  • 3. Vulnerable languages/servers • Java, all versions • Apache Geronimo, all versions • JRuby <= 1.6.5 • Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22 • PHP <= 5.3.8, <= 5.4.0RC3 • Oracle Glassfish <= 3.1.1 • Python, all versions • Jetty, all versions • Rubinius, all versions • Plone, all versions • Ruby <= 1.8.7-p356 • Rack <= 1.3.5, <= 1.2.4, <= 1.1.2 • V8 JavaScript Engine, all versions
  • 4. What is a hash table? • A hash table or hash map is a data structure that uses a hash function to map identifying values, known as keys to their associated values . • Ideally, the hash function should map each possible key to a unique slot index, but this ideal is rarely achievable in practice. Instead, most hash table designs assume that hash collisions (different keys that map to the same hash value) will occur and must be accommodated in some way.
  • 5. How are the languages vulnerable? • Most languages do not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, so an attacker can degenerate the hash table by sending lots of colliding keys. • The algorithmic complexity of inserting n elements into the table then goes to O(n*2), making it possible to exhaust hours of CPU time using a single HTTP request.
  • 6. Hash tables in PHP • PHP internally uses hash tables to store arrays. • Hash tables are very fast for storing and getting data and that it’s why they are used heavily in every language. • Most PHP arrays have in the back a C hash table. Example: $_GET, $_POST, ARRAY, $GLOBALS, etc..
  • 7. Constructing a 100% colliding hash table in PHP • In PHP if the array key is a integer the hash is the integer itself, all PHP does is apply a table mask on top of it: hash & tableMask. • The underlying C array has always a size which is a power of 2. • So if we store 10 elements the real size will be 16. If we store 33 it will be 64. If we store 63 it will also be 64. The table mask is the size minus one. So if the size is 64, i.e. 1000000 in binary the table mask will be 63, i.e. 0111111 in binary. • Basically the table mask removes all bits that are greater than the hashtable size.
  • 8. Constructing a 100% colliding hash table in PHP • If we insert a total of 32 elements, the first one 0, the second one 32, the third one 64, the fourth one 128, etc., all of those elements will have the same hash and all will be put into the same linked list, creating a 100% colliding hash table.
  • 9. Constructing a 100% colliding hash table in PHP • Code example: $size = pow(2, 15); $max = ($size - 1) * $size; for ($key = 0, $key <= $max; $key += $size) { $data[$key] = 0; } • The above example will require an abnormal amount of time to run, as all hash values will be in the same linked list, inserting them taking a lot longer.
  • 10. DoS attack • Sending a POST request, or a request that will be decoded into an Array (JSON for example) can result in a DoS attack. • By sending a large number of parameters by POST with keys that will create a hash table with 100% collision, it will require the web platform a very large amount of time and CPU usage for inserting the elements.
  • 11. DoS attack in PHP • Sending the 100% collision array in a POST request (with a size of let’s say 2^16) will make PHP consume 100% of the systems CPU for a couple of hours.
  • 12. Impact • Any website running one of the technologies mentioned which provides the option to perform a POST/GET request is vulnerable to this very effective DoS attack. • With a very low-bandwith connection we can keep thousands of targeted systems cores at 100% use.
  • 13. Workarounds • For languages where no fixes have been issued, there are a number of workarounds: • Limiting CPU time (max_input_time in PHP). • Limiting the maximal number of parameters (max_input_vars in PHP). • Using different data structures.