Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation

Imperva Hacker Intelligence Initiative Report: HTTP/2: In-depth analysis of the top four flaws of the next-generation web protocol

  1. © 2016 Imperva, Inc. All rights reserved.
     Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
     Itsik Mantin, Nadav Avital, August 2016
  2. Speakers
     • Itsik Mantin
     – Director of Security Research at Imperva
     – 15 years experience in the security industry
     – Holds an M.Sc. in Applied Math and Computer Science
     • Nadav Avital
     – Application security research team leader
     – 10 years of industry experience, mostly hacking and security technology
     – Holds a B.Sc. in Computer Science
  3. Credit
     • Noam Mazor, Application Security researcher at Imperva
     • Alex Maidanik and Avihai Cohen, Technion - Israel Institute of Technology
  4. The Research
     • Unexplored territories of HTTP/2
     – New mechanisms
     – New server implementations
  5. The Servers (image slide)
  6. Outline
     • HTTP/2 Motivation and Background
     • HTTP/2 Technology
     • The Attacks
     • Summary and Conclusion
  7. HTTP/2 Motivation
     • HTTP 1.1 is no longer suitable for modern web content
     – Large number of web resources per page
     – Latency
     – Head of Line blocking
     – Large headers
  8. 2016 Web (image slide)
  9. HTTP/2 Design Principles
     • Main goal: speed
     – Reduce latency
     – Reduce bandwidth
     • Support gradual deployment
     – Preserve HTTP 1.1 semantics (over a new binary layer)
     – Negotiation protocol (ALPN)
     • Encryption
     – Mandated by many implementations
  10. (image slide)
  11. Lightfast Adoption
     (diagram: Web Clients, Content Delivery Networks, Sites, Web Servers)
  12. HTTP/2 Technology (section title)
  13. HTTP/2 Technology
     (diagram: HPACK Compression, Server Push, Stream Multiplexing, Flow Control)
  14. HTTP/2 Transport Layer
     • Frame
     – Binary objects
     – The smallest data delivery unit
     – Can include headers, data, settings, etc.
     • Stream
     – Carries request + response
     – Multiple frames
     • HTTP/2 Connection
     – Application layer connection over a TCP connection
     – Carries multiple streams (using Stream Multiplexing)
  15. HTTP/2 Binary Layer (image slide)
  16. (image slide)
  17. New 0-day DoS Attacks
     • CVE-2016-1546
     • CVE-2015-8659* (not by Imperva)
     • CVE-2016-0150
     • CVE-2016-1544
     • CVE-2016-2525
  18. Attack Summary
     (diagram of the attacked mechanisms: Compression, Stream Dependency & Priority, Stream Multiplexing, Flow Control)
  19. Attacking HTTP/2 Flow Control Mechanism
     • CVE-2016-1546 – Window size
  20. Flow Control
     • Based on WINDOW_UPDATE frames
     • Defined to protect endpoints that operate under resource constraints
     • Specific to a connection
     • Spec only defines format and semantics
     • Mandatory and cannot be disabled
  21. Flow Control LDR Attack Flow
     (diagram, clients ↔ server over a single HTTP/2 connection: attacker reduces window size; request for a large resource (Stream 1); request for a large resource (Stream 3); slowly increase the window size; users cannot get responses)
     • When Jetty gets a request for a resource larger than the window size, the thread that handles the request goes to sleep (30 seconds)
     • In Apache/IIS the attacker keeps the connection alive by slowly increasing the window size
     • By sending multiple requests an attacker can make all the threads sleep for a long time and cause a denial of service
  22. (image slide)
  23. Attacking HTTP/2 Dependency Mechanism
     • CVE-2015-8659* – memory cleanup
  24. Stream Priority & Dependency
     • Optional (can be ignored)
     • Each stream can be given an explicit dependency on another stream
     • Allows an endpoint to express how it would prefer its peer to allocate resources
     • The graph is a tree
  25. Stream Dependency Cycle
     • Assume MAX_CONCURRENT_STREAM = 4 (tree size)
     • Send the priority frames
     – Stream 7 → stream 5 (forces the server to remove stream 7)
     – Stream 5 → stream 3
     • Stream 3 is saved in the same address as stream 7
     • Dependency cycle is created
     (diagram: dependency tree with streams 13, 11, 9, 7, 5, 3)
  26. Stream Dependency Denial of Service
     • Both stream 7 and stream 3 are located at the same memory address
     • The stream_update_dep_set_top function is in an infinite loop
     (diagram: “Stream 7 address”, “Same address for stream 3”, “Infinite loop”)
  27. (image slide)
  28. Attacking HTTP/2 Stream Multiplexing Mechanism
     • CVE-2016-0150
  29. Stream Multiplexing
     • Multiple requests and responses at the same time over a single connection
     • The partition of the TCP connection is purely logical
  30. Stream Abuse
     (diagram, clients ↔ server: open HTTP/2 connection; send two requests on one stream; users cannot get responses)
     • Attacker sends multiple requests on the same stream
     • HTTP.sys in Windows 10 crashes (Blue Screen of Death)
  31. (image slide)
  32. Attacking HTTP/2 Compression Mechanism
     • CVE-2016-1544 – HPACK Bomb
     • CVE-2016-2525 – Wireshark
  33. Headers Compression
     • Both sides (client/server) maintain header tables per TCP connection direction
     • These tables consist of static and dynamic parts
     • These tables are used as dictionaries to compress/decompress the headers
  34. Headers Compression (image slide)
  35. HPACK Bomb Attack Flow
     (diagram, clients ↔ server: insert long header into the dynamic table; send requests with thousands of header references; users cannot get responses)
     • Attacker sends a request with an extremely long header “X” (HEADERS frame)
     • The request contains the maximum number of references to header “X”
     • By sending 14 frames, the attacker can crash nghttp
     • Compressed: 16,000 references × 1 byte = 16 KByte; decompressed: 16,000 references × 4 KByte = 64 MByte
  36. HPACK Bomb – Calculation
     • The default size of the dynamic table is 4KB
     • A request can contain 16KB of headers
     • One request can be decompressed to 16K × 4KB = 64MB
     • 14 requests will be decompressed to 14 × 64MB = 896MB, enough to crash our nghttp server
  37. (image slide)
  38. HPACK Bomb – Collateral Damage
     • Wireshark
     – Uses the nghttp2 library to decompress headers
     – Other applications that rely on the nghttp2 library may be vulnerable
  39. Risk Mitigation (section title)
  40. Mitigation
     • Abandon your HTTP/2 plans?
     – HTTP/2 is the next generation protocol for the Internet
     – HTTP/2 serves acute business needs
     – Dozens of CVEs published every month for non-HTTP/2 servers
     • Choose a “secure” server implementation?
     – None was found immune
     – What about 3rd party software?
     – More vulnerabilities to come
     • Patch?
     – Build a patching framework
  41. How to win the Patching Race?
     • How do I know that a vulnerability exists?
     • When will the patch be ready?
     • What’s the impact of the patch (and reboot) on my business?
     • Is the patch stable? Am I risking my business?
  42. Web Application Firewall and Virtual Patching
     (diagram: Web Application Firewall (on premise/cloud); security flaw; business owner focuses on business; server remains intact; server remains protected)
  43. (image slide)
  44. Summary
     • The HTTP/2 protocol is an excellent technology to provide the next generation of the Internet
     • HTTP/2 is gaining popularity and support by all significant web stakeholders
     • We demonstrated new attacks on implementations of significant HTTP/2 servers
     – Utilizing the significant power given to the sender
     – Implementation pitfalls
  45. Conclusions
     • HTTP/2 is here to stay, and rightfully so
     • HTTP/2 extends the attack surface for web attackers
     – New highly customizable transport mechanisms
     – New code released to the wild
     – Unplowed land
     • The HTTP/2 ecosystem is still not security-mature. Moreover, things may get worse when websites start utilizing HTTP/2 capabilities
     • Without external protection and virtual patching, the business owner will always be behind in the patching race
  46. Download the full report here: http://www.imperva.com/DefenseCenter/HackerIntelligenceReports
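Slides 20 and 21 describe a server that parks a worker thread when the client-controlled flow-control window is too small for the pending response. The example below is added here and is not Imperva's code nor code from Jetty, Apache or IIS: it models the receiver-side window bookkeeping of RFC 7540 §6.9 (including the zero-increment and overflow errors the spec requires) and replaces the "sleep until the window grows" behaviour with a stall check that returns a reset decision once a stream has been starved for too long. The thresholds (1024 bytes, 10 seconds) and the constructed update timeline are assumptions chosen for the demonstration.

```python
"""Receiver-side HTTP/2 flow-control bookkeeping with a stalled-window check.

Added example (not Imperva's code, not from any named server). Thresholds are
assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_WINDOW = 2**31 - 1      # RFC 7540 §6.9.1: a window may never exceed 2^31-1
DEFAULT_WINDOW = 65_535     # initial flow-control window


@dataclass
class SendStream:
    stream_id: int
    pending_bytes: int                      # response bytes the server still has to send
    window: int = DEFAULT_WINDOW            # bytes the peer currently allows us to send
    stalled_since: Optional[float] = None   # time the window first dropped below the threshold


def apply_window_update(stream: SendStream, increment: int) -> str:
    """Apply a WINDOW_UPDATE increment; return 'ok' or the RFC 7540 error to raise."""
    if increment == 0:
        return "PROTOCOL_ERROR"             # §6.9: a zero increment is a stream error
    if stream.window + increment > MAX_WINDOW:
        return "FLOW_CONTROL_ERROR"         # §6.9.1: window overflow
    stream.window += increment
    return "ok"


def send_chunk(stream: SendStream) -> int:
    """Send as much as the window allows and return the number of bytes sent."""
    n = min(stream.window, stream.pending_bytes)
    stream.window -= n
    stream.pending_bytes -= n
    return n


def check_stall(stream: SendStream, now: float,
                min_window: int = 1024, max_stall: float = 10.0) -> str:
    """Classify a stream as 'progress', 'watch' (window small but within
    tolerance) or 'reset' (peer has starved the window for too long; send
    RST_STREAM instead of keeping a thread asleep)."""
    if stream.pending_bytes == 0 or stream.window >= min_window:
        stream.stalled_since = None
        return "progress"
    if stream.stalled_since is None:
        stream.stalled_since = now
        return "watch"
    if now - stream.stalled_since >= max_stall:
        return "reset"
    return "watch"


def simulate_slow_window(updates: List[Tuple[float, int]]) -> List[Tuple[float, str, int, str]]:
    """Replay constructed (time, increment) WINDOW_UPDATEs from a peer that keeps
    a 1-byte window while a 1 MB response is pending. Returns one
    (time, update status, bytes sent, stall decision) tuple per update."""
    stream = SendStream(stream_id=1, pending_bytes=1_000_000, window=1)
    log = []
    for now, increment in updates:
        status = apply_window_update(stream, increment)
        sent = send_chunk(stream)
        decision = check_stall(stream, now) if status == "ok" else status
        log.append((now, status, sent, decision))
    return log


if __name__ == "__main__":
    # Constructed timeline: one extra byte of window every five seconds.
    for entry in simulate_slow_window([(0, 1), (5, 1), (10, 1), (15, 1)]):
        print(entry)
```

With the constructed timeline the stream is reported as "watch" at 0 s and 5 s and as "reset" from 10 s on, so the worker is released rather than held for the 30 seconds the slide describes; a production server would additionally cap the number of simultaneously stalled streams per connection.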
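Slides 24 to 26 describe a priority tree in which the record of an evicted stream was reused for a new stream, so a later PRIORITY frame closed a cycle and the tree walk (stream_update_dep_set_top) never terminated. The following is an added example, not Imperva's code and not nghttp2's: a priority tree keyed by stream ID only, with eviction of the oldest stream when the tree is full (the capacity stands in for the slide's MAX_CONCURRENT_STREAM = 4), the reparenting rule of RFC 7540 §5.3.3 for a stream made dependent on its own descendant, and ancestor walks bounded by the node count so that a corrupt tree raises instead of spinning. The replay of the slide's two PRIORITY frames is constructed; the insertion order of the streams is an assumption.

```python
"""Cycle-safe HTTP/2 priority tree (RFC 7540 §5.3).

Added example; not Imperva's or nghttp2's code. Capacity-based eviction
stands in for the slide's MAX_CONCURRENT_STREAM = 4.
"""
from typing import Dict, List, Optional


class PriorityTree:
    def __init__(self, max_nodes: int):
        self.max_nodes = max_nodes
        self.parent: Dict[int, Optional[int]] = {0: None}   # stream 0 is the implicit root
        self.children: Dict[int, List[int]] = {0: []}
        self.added: List[int] = []                           # insertion order, oldest first

    def _ensure(self, sid: int) -> None:
        """Create a node for sid (depending on the root) if it does not exist,
        evicting the oldest stream when the tree is at capacity."""
        if sid in self.parent:
            return
        if len(self.added) >= self.max_nodes:
            self._remove(self.added[0])
        self.parent[sid] = 0
        self.children[0].append(sid)
        self.children[sid] = []
        self.added.append(sid)

    def _remove(self, sid: int) -> None:
        """RFC 7540 §5.3.4: dependents of a removed stream move to its parent."""
        p = self.parent[sid]
        self.children[p].remove(sid)
        for c in self.children[sid]:
            self.parent[c] = p
            self.children[p].append(c)
        del self.parent[sid], self.children[sid]
        self.added.remove(sid)

    def _move(self, sid: int, new_parent: int) -> None:
        self.children[self.parent[sid]].remove(sid)
        self.parent[sid] = new_parent
        self.children[new_parent].append(sid)

    def is_ancestor(self, a: int, b: int) -> bool:
        """True if a is an ancestor of b. The walk is bounded by the node
        count, so a cycle raises instead of hanging the server."""
        node = self.parent[b]
        for _ in range(len(self.parent)):
            if node is None:
                return False
            if node == a:
                return True
            node = self.parent[node]
        raise RuntimeError("dependency cycle detected")

    def set_dependency(self, sid: int, dep: int) -> None:
        """Process a PRIORITY frame making sid depend on dep."""
        if sid == dep:
            raise ValueError("PROTOCOL_ERROR: a stream cannot depend on itself")  # §5.3.1
        self._ensure(sid)
        self._ensure(dep)
        if self.is_ancestor(sid, dep):
            # §5.3.3: dep sits below sid, so first move dep up to sid's current parent
            self._move(dep, self.parent[sid])
        self._move(sid, dep)

    def path_to_root(self, sid: int) -> List[int]:
        path = [sid]
        while self.parent[path[-1]] is not None:
            path.append(self.parent[path[-1]])
            if len(path) > len(self.parent):
                raise RuntimeError("dependency cycle detected")
        return path


def slide_scenario() -> PriorityTree:
    """Constructed replay of slide 25: four streams fill the tree, then the
    PRIORITY frames 7 -> 5 and 5 -> 3 each bring in a new stream and evict
    the oldest one. Stream 3 is a fresh node, never an alias of stream 7."""
    tree = PriorityTree(max_nodes=4)
    for sid in (13, 11, 9, 7):
        tree._ensure(sid)
    tree.set_dependency(7, 5)   # stream 5 is new: evicts 13
    tree.set_dependency(5, 3)   # stream 3 is new: evicts 11
    return tree


def corrupted_tree_is_detected() -> bool:
    """Hand-corrupt a tree so two nodes point at each other (the effect of two
    streams sharing one record) and confirm the bounded walk raises."""
    tree = PriorityTree(max_nodes=4)
    tree.set_dependency(7, 5)
    tree.parent[5] = 7          # corrupt link: 5 -> 7 -> 5
    try:
        tree.is_ancestor(0, 7)
    except RuntimeError:
        return True
    return False
```

After the two frames the path from stream 7 is 7 → 5 → 3 → root; a third frame making 3 depend on 7 is handled by the §5.3.3 rule (7 is lifted to the root first), so the tree stays acyclic, and the deliberately corrupted tree is reported as a RuntimeError the connection handler can turn into a GOAWAY rather than a hang.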
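Slide 30 shows a server that crashed when a second request arrived on a stream that had already carried a complete request. As an added example (not Imperva's code and not HTTP.sys), the state machine below implements the receive side of RFC 7540 §5.1: once a stream has received END_STREAM it is half-closed (remote), and further HEADERS or DATA from the peer are answered with a STREAM_CLOSED stream error (RST_STREAM) while the connection keeps serving other streams. The frame tuples are a constructed simplification of the wire format.

```python
"""Per-stream receive state machine that rejects a second request on a stream.

Added example; not Imperva's code and not HTTP.sys. Frames are modelled as
(stream_id, frame_type, END_STREAM) tuples, a constructed simplification.
"""
from typing import Dict, List, Tuple


class StreamStateError(Exception):
    """Stream error; the handler answers it with RST_STREAM."""


class ServerStream:
    def __init__(self, sid: int):
        self.sid = sid
        self.state = "idle"

    def on_headers(self, end_stream: bool) -> str:
        if self.state == "idle":                        # first HEADERS: the request starts
            self.state = "half_closed_remote" if end_stream else "open"
            return "accept"
        if self.state == "open":                        # only trailers are allowed here
            if end_stream:
                self.state = "half_closed_remote"
                return "accept"
            raise StreamStateError("PROTOCOL_ERROR")    # §8.1: trailers must carry END_STREAM
        raise StreamStateError("STREAM_CLOSED")         # §5.1: peer already finished sending

    def on_data(self, end_stream: bool) -> str:
        if self.state == "idle":
            raise StreamStateError("PROTOCOL_ERROR")    # §6.1: DATA on an idle stream
        if self.state == "open":
            if end_stream:
                self.state = "half_closed_remote"
            return "accept"
        raise StreamStateError("STREAM_CLOSED")


def handle_frames(frames: List[Tuple[int, str, bool]]) -> List[Tuple[int, str]]:
    """Drive one state machine per stream and return the server's action per frame."""
    streams: Dict[int, ServerStream] = {}
    outcomes = []
    for sid, kind, end_stream in frames:
        stream = streams.setdefault(sid, ServerStream(sid))
        try:
            if kind == "HEADERS":
                result = stream.on_headers(end_stream)
            elif kind == "DATA":
                result = stream.on_data(end_stream)
            else:
                result = "ignored"
        except StreamStateError as err:
            stream.state = "closed"                     # RST_STREAM closes the stream; the connection survives
            result = f"RST_STREAM {err}"
        outcomes.append((sid, result))
    return outcomes


# Constructed frame sequence: two complete requests on stream 1, a second
# HEADERS after the body on stream 3, and DATA on a stream that was never opened.
SAMPLE_FRAMES = [
    (1, "HEADERS", True),
    (1, "HEADERS", True),
    (3, "HEADERS", False),
    (3, "DATA", True),
    (3, "HEADERS", False),
    (5, "DATA", False),
]

if __name__ == "__main__":
    for outcome in handle_frames(SAMPLE_FRAMES):
        print(outcome)
```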
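Slides 33 to 36 explain the HPACK dynamic table and the arithmetic behind the HPACK bomb: one indexed reference costs about a byte on the wire but expands to a full table entry (up to 4 KB by default), so 16K references decode to 64 MB. The decoder below is an added example, not Imperva's code and not nghttp2's. It takes HPACK instructions as tuples rather than the wire encoding (integer and Huffman coding are omitted, and so is the static table: ("indexed", i) refers to dynamic-table entry i, with 1 the newest), applies the RFC 7541 §4.1 size accounting (name + value + 32 bytes per entry, 4096-byte default table), and stops decoding as soon as the header list would exceed a limit, which is the role of SETTINGS_MAX_HEADER_LIST_SIZE in RFC 7540 §6.5.2. The 64 KB limit and both test blocks are constructed assumptions.

```python
"""HPACK dynamic-table decoder with a decoded-size guard.

Added example; not Imperva's or nghttp2's code. Instructions are tuples, not
the wire format; the static table is omitted.
"""
from typing import List, Tuple

ENTRY_OVERHEAD = 32            # RFC 7541 §4.1: entry size = len(name) + len(value) + 32
Header = Tuple[str, str]


class HeaderListTooLarge(Exception):
    pass


class HpackDecoder:
    def __init__(self, max_table_size: int = 4096, max_header_list_size: int = 65_536):
        self.max_table_size = max_table_size
        self.max_header_list_size = max_header_list_size
        self.table: List[Header] = []       # newest entry first, as in RFC 7541
        self.table_size = 0
        self.decoded_bytes = 0              # size of the header list decoded so far

    def _insert(self, name: str, value: str) -> None:
        size = len(name) + len(value) + ENTRY_OVERHEAD
        while self.table and self.table_size + size > self.max_table_size:
            old_name, old_value = self.table.pop()          # evict the oldest entry (§4.4)
            self.table_size -= len(old_name) + len(old_value) + ENTRY_OVERHEAD
        if size <= self.max_table_size:                      # an oversized entry only empties the table
            self.table.insert(0, (name, value))
            self.table_size += size

    def decode(self, block: List[tuple]) -> List[Header]:
        headers: List[Header] = []
        self.decoded_bytes = 0
        for instr in block:
            if instr[0] == "indexed":
                name, value = self.table[instr[1] - 1]       # 1 = newest dynamic entry
            elif instr[0] == "literal_indexed":
                _, name, value = instr
                self._insert(name, value)
            else:
                raise ValueError(f"unsupported instruction {instr[0]!r}")
            size = len(name) + len(value) + ENTRY_OVERHEAD
            if self.decoded_bytes + size > self.max_header_list_size:
                # Refuse before materialising the next header: memory use stays bounded.
                raise HeaderListTooLarge(
                    f"header list would exceed {self.max_header_list_size} bytes")
            self.decoded_bytes += size
            headers.append((name, value))
        return headers


def decode_with_guard(block: List[tuple], max_header_list_size: int = 65_536) -> Tuple[str, int]:
    """Return ('ok', header count) or ('rejected', bytes decoded before the limit hit)."""
    decoder = HpackDecoder(max_header_list_size=max_header_list_size)
    try:
        return ("ok", len(decoder.decode(block)))
    except HeaderListTooLarge:
        return ("rejected", decoder.decoded_bytes)


def amplification(references: int = 16_384, entry_bytes: int = 4096) -> Tuple[int, int]:
    """The slides' arithmetic: one-byte indexed references versus the decoded
    size. Returns (compressed bytes, decompressed bytes); 16K x 4 KB = 64 MB."""
    return references, references * entry_bytes


# Constructed test vectors: an ordinary request block, and a reference-heavy
# block of the shape slide 35 describes (one 4000-byte value, then repeated references).
ORDINARY_BLOCK = [("literal_indexed", "host", "example.test"),
                  ("literal_indexed", "accept", "*/*"),
                  ("indexed", 2)]
REFERENCE_HEAVY_BLOCK = [("literal_indexed", "x", "A" * 4000)] + [("indexed", 1)] * 16_384

if __name__ == "__main__":
    print(decode_with_guard(ORDINARY_BLOCK))          # ('ok', 3)
    print(decode_with_guard(REFERENCE_HEAVY_BLOCK))   # ('rejected', 64528)
    print(amplification())                            # (16384, 67108864)
```

The guard rejects the reference-heavy block after 16 decoded headers (16 × 4033 bytes) instead of allocating 64 MB, and 14 such requests can no longer reach the 896 MB the slide computes. The static table and wire coding were left out so that the size accounting stays in view; a real decoder applies the same check to every representation kind.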
