Collision vulnerability for hash data    structures in web platforms      (Denial of Service attack)            Berescu Io...
Overview• A variety of programming languages suffer  from a vulnerability when storing data as  key/value pairs in hash da...
Vulnerable languages/servers• Java, all versions          • Apache Geronimo, all versions• JRuby <= 1.6.5              • A...
What is a hash table?• A hash table or hash map is a data structure that  uses a hash function to map identifying values, ...
How are the languages vulnerable?• Most languages do not provide a randomized  hash function or the application server doe...
Hash tables in PHP• PHP internally uses hash tables to store arrays.• Hash tables are very fast for storing and  getting d...
Constructing a 100% colliding hash              table in PHP• In PHP if the array key is a integer the hash is the integer...
Constructing a 100% colliding hash             table in PHP• If we insert a total of 32 elements, the first  one 0, the se...
Constructing a 100% colliding hash              table in PHP• Code example:$size = pow(2, 15);$max = ($size - 1) * $size;f...
DoS attack• Sending a POST request, or a request that will  be decoded into an Array (JSON for example)  can result in a D...
DoS attack in PHP• Sending the 100% collision array in a POST  request (with a size of let’s say 2^16) will  make PHP cons...
Impact• Any website running one of the technologies  mentioned which provides the option to  perform a POST/GET request is...
Workarounds• For languages where no fixes have been  issued, there are a number of workarounds:• Limiting CPU time (max_in...
Upcoming SlideShare
Loading in...5
×

Collision vulnerability for hash data structures in web platforms

1,951

Published on

Collision vulnerability for hash data structures in web platforms (Denial of Service attack)

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,951
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Collision vulnerability for hash data structures in web platforms"

  1. 1. Collision vulnerability for hash data structures in web platforms (Denial of Service attack) Berescu Ionut 2012
  2. 2. Overview• A variety of programming languages suffer from a vulnerability when storing data as key/value pairs in hash data structures.• The condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms and can be used for constructing a low-bandwidth Denial of Service attack (DoS)
  3. 3. Vulnerable languages/servers• Java, all versions • Apache Geronimo, all versions• JRuby <= 1.6.5 • Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22• PHP <= 5.3.8, <= 5.4.0RC3 • Oracle Glassfish <= 3.1.1• Python, all versions • Jetty, all versions• Rubinius, all versions • Plone, all versions• Ruby <= 1.8.7-p356 • Rack <= 1.3.5, <= 1.2.4, <= 1.1.2 • V8 JavaScript Engine, all versions
  4. 4. What is a hash table?• A hash table or hash map is a data structure that uses a hash function to map identifying values, known as keys to their associated values .• Ideally, the hash function should map each possible key to a unique slot index, but this ideal is rarely achievable in practice. Instead, most hash table designs assume that hash collisions (different keys that map to the same hash value) will occur and must be accommodated in some way.
  5. 5. How are the languages vulnerable?• Most languages do not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, so an attacker can degenerate the hash table by sending lots of colliding keys.• The algorithmic complexity of inserting n elements into the table then goes to O(n*2), making it possible to exhaust hours of CPU time using a single HTTP request.
  6. 6. Hash tables in PHP• PHP internally uses hash tables to store arrays.• Hash tables are very fast for storing and getting data and that it’s why they are used heavily in every language.• Most PHP arrays have in the back a C hash table. Example: $_GET, $_POST, ARRAY, $GLOBALS, etc..
  7. 7. Constructing a 100% colliding hash table in PHP• In PHP if the array key is a integer the hash is the integer itself, all PHP does is apply a table mask on top of it: hash & tableMask.• The underlying C array has always a size which is a power of 2.• So if we store 10 elements the real size will be 16. If we store 33 it will be 64. If we store 63 it will also be 64. The table mask is the size minus one. So if the size is 64, i.e. 1000000 in binary the table mask will be 63, i.e. 0111111 in binary.• Basically the table mask removes all bits that are greater than the hashtable size.
  8. 8. Constructing a 100% colliding hash table in PHP• If we insert a total of 32 elements, the first one 0, the second one 32, the third one 64, the fourth one 128, etc., all of those elements will have the same hash and all will be put into the same linked list, creating a 100% colliding hash table.
  9. 9. Constructing a 100% colliding hash table in PHP• Code example:$size = pow(2, 15);$max = ($size - 1) * $size;for ($key = 0, $key <= $max; $key += $size) { $data[$key] = 0;}• The above example will require an abnormal amount of time to run, as all hash values will be in the same linked list, inserting them taking a lot longer.
  10. 10. DoS attack• Sending a POST request, or a request that will be decoded into an Array (JSON for example) can result in a DoS attack.• By sending a large number of parameters by POST with keys that will create a hash table with 100% collision, it will require the web platform a very large amount of time and CPU usage for inserting the elements.
  11. 11. DoS attack in PHP• Sending the 100% collision array in a POST request (with a size of let’s say 2^16) will make PHP consume 100% of the systems CPU for a couple of hours.
  12. 12. Impact• Any website running one of the technologies mentioned which provides the option to perform a POST/GET request is vulnerable to this very effective DoS attack.• With a very low-bandwith connection we can keep thousands of targeted systems cores at 100% use.
  13. 13. Workarounds• For languages where no fixes have been issued, there are a number of workarounds:• Limiting CPU time (max_input_time in PHP).• Limiting the maximal number of parameters (max_input_vars in PHP).• Using different data structures.

×