Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation

2. © 2016 Imperva, Inc. All rights reserved. • Itsik Mantin • Director of Security Research at Imperva • 15 years experience in the security industry • Holds an M.Sc. in Applied Math and Computer Science • Nadav Avital • Application security research team leader • 10 years of industry experience, mostly hacking and security technology • Holds B. Sc. in Computer Science Speakers

7. © 2016 Imperva, Inc. All rights reserved. HTTP/2 Motivation • HTTP 1.1 is no longer suitable for modern web content – Large number of web resources per page – Latency – Head of Line blocking – Large headers

9. © 2016 Imperva, Inc. All rights reserved. HTTP/2 Design Principles • Main goal: speed – Reduce latency – Reduce bandwidth • Support gradual deployment – Preserve HTTP 1.1 semantics (over a new binary layer) – Negotiation protocol (ALPN) • Encryption – Mandated by many implementations

14. © 2016 Imperva, Inc. All rights reserved. HTTP/2 Transport Layer •Binary objects •The smallest data delivery unit •Can include headers, data, settings, etc. Frame •Carrying Request+Response •Multiple frames Stream •Application layer connection over TCP connection •Carries multiple streams (using Stream Multiplexing) HTTP/2 Connection

20. © 2016 Imperva, Inc. All rights reserved. Flow Control • Based on WINDOW_UPDATE frames • Defined to protect endpoints that operate under resource constraints • Specific to a connection • Spec only defines format and semantics • Mandatory and cannot be disabled

21. © 2016 Imperva, Inc. All rights reserved. Flow Control LDR Attack Flow ClientsServer Attacker reduces window size Request for a large resource (Stream 1) Request for a large resource (Stream 3) • When Jetty gets a request for a resource larger than the window size, the thread that handles the request is going to sleep (30 seconds) • In ApacheIIS the attacker keeps the connection alive by slowly increasing the window size • By sending multiplies requests an attacker can make all the threads sleep for a long time and cause a denial of service Users cannot get responses Slowly increase the window size Single HTTP/2 connection

24. © 2016 Imperva, Inc. All rights reserved. Stream Priority & Dependency • Optional (can be ignored) • Each stream can be given an explicit dependency on another stream • Allow an endpoint to express how it would prefer its peer to allocate resources • The graph is a tree

25. © 2016 Imperva, Inc. All rights reserved. Stream Dependency Cycle • Assume MAX_CONCURRENT_STREAM = 4 (tree size) • Send the priority frames – Stream 7  stream 5 (forces the server to remove of stream 7) – Stream 5  stream 3 • Stream 3 is saved in the same address as stream 7 • Dependency cycle is created 13 11 9 7 5 3

26. © 2016 Imperva, Inc. All rights reserved. • Both stream 7 and 3 are located in the same memory address • stream_update_dep_set_top function is in infinite loop Stream 7 address Infinite loop Same address for stream 3 Stream Dependency Denial of Service

30. © 2016 Imperva, Inc. All rights reserved. Stream Abuse ClientsServer • Attacker sends multiple requests on the same stream • HTTP.sys in Windows 10 crashes (Blue Screen of Death) Open HTTP/2 connection Send two requests on one stream Users cannot get responses

32. © 2016 Imperva, Inc. All rights reserved. • CVE-2016-1544 - HPACK Bomb • CVE-2016-2525 - Wireshark Compression Stream Dependency & Priority Stream Multiplexing Flow Control Attacking HTTP/2 Compression Mechanism

33. © 2016 Imperva, Inc. All rights reserved. Headers Compression • Both sides (Client/ Server) maintain headers tables per TCP connection direction • These tables consist of static and dynamic parts • These tables are used as dictionaries to compress/ decompress the headers

35. © 2016 Imperva, Inc. All rights reserved. HPACK Bomb Attack Flow ClientsServer • Attacker sends a request with extremely long header “X” (Header frame) • The request contains maximum number of references to header “X” • By sending 14 frames, attacker can crash nghttp Send requests with thousands header references Insert long header to the dynamic table Users cannot get responses 16,000 references x 4 KByte -------------- 64 MByte 16,000 references x 1-byte -------------- 16 KByte

36. © 2016 Imperva, Inc. All rights reserved. HPACK Bomb – Calculation • The default size of the dynamic table is 4KB • Request can contain 16KB of headers • One request can be decompressed to 16K*4KB = 64MB • 14 requests will be decompressed to 14*64MB = 896MB, enough to crash our nghttp server

40. © 2016 Imperva, Inc. All rights reserved. Mitigation • Abandon your HTTP/2 plans? – HTTP/2 is the next generation protocol for the Internet – HTTP/2 serves acute business needs – Dozens of CVEs published every month for non-HTTP/2 servers • Choose “secure” server implementation? – None was found immune – What about 3rd party software? – More vulnerabilities to come • Patch? – Build patching framework Compression Stream Dependency & Priority Stream Multiplexing Flow Control

41. © 2016 Imperva, Inc. All rights reserved. How to win the Patching Race? How do I know that a vulnerability exists? When will patch be ready? What’s the impact of patch (and reboot) on my business? Is patch stable? Am I risking my business?

42. © 2016 Imperva, Inc. All rights reserved. Web Application Firewall and Virtual Patching Web Application Firewall (on premise/ cloud) Security flaw Business owner focuses on business Server remains intact Server remains protected

44. © 2016 Imperva, Inc. All rights reserved. Summary • HTTP/2 protocol is an excellent technology to provide the next generation of the Internet • HTTP/2 is gaining popularity and support by all significant web stake holders • We demonstrated new attacks on implementations of significant HTTP/2 servers – Utilizing the significant power given to the sender – Implementation pitfalls

45. © 2016 Imperva, Inc. All rights reserved. Conclusions • HTTP/2 is here to stay, and rightfully so • HTTP/2 extends the attack surface for web attackers – New highly customizable transport mechanisms – New code released to the wild – Unplowed land • The HTTP/2 ecosystem is still not security-mature. Moreover, things may get worse when websites start utilizing HTTP/2 capabilities • Without external protection and virtual patching, the business owner will always be behind in the patching race

46. http://www.imperva.com/DefenseCenter/HackerIntelligenceReports Download the full report here:

Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation