
Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation

Imperva Hacker Intelligence Initiative Report: HTTP/2: In-depth analysis of the top four flaws of the next-generation web protocol



  1. © 2016 Imperva, Inc. All rights reserved. Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation. Itsik Mantin, Nadav Avital, August 2016
  2. Speakers
     • Itsik Mantin
       – Director of Security Research at Imperva
       – 15 years of experience in the security industry
       – Holds an M.Sc. in Applied Math and Computer Science
     • Nadav Avital
       – Application security research team leader
       – 10 years of industry experience, mostly hacking and security technology
       – Holds a B.Sc. in Computer Science
  3. Credit
     • Noam Mazor, Application Security researcher at Imperva
     • Alex Maidanik and Avihai Cohen, Technion - Israel Institute of Technology
  4. The Research
     • Unexplored territories of HTTP/2
       – New mechanisms
       – New server implementations
  5. The Servers
  6. Outline
     • HTTP/2 Motivation and Background
     • HTTP/2 Technology
     • The Attacks
     • Summary and Conclusion
  7. HTTP/2 Motivation
     • HTTP 1.1 is no longer suitable for modern web content
       – Large number of web resources per page
       – Latency
       – Head-of-line blocking
       – Large headers
  8. 2016 Web
  9. HTTP/2 Design Principles
     • Main goal: speed
       – Reduce latency
       – Reduce bandwidth
     • Support gradual deployment
       – Preserve HTTP 1.1 semantics (over a new binary layer)
       – Negotiation protocol (ALPN)
     • Encryption
       – Mandated by many implementations
  10. (no slide text)
  11. Lightfast Adoption
     • Web Clients
     • Content Delivery Networks
     • Sites
     • Web Servers
  12. HTTP/2 Technology
  13. HTTP/2 Technology
     • HPACK Compression
     • Server Push
     • Stream Multiplexing
     • Flow Control
  14. HTTP/2 Transport Layer
     • Frame
       – Binary objects
       – The smallest data delivery unit
       – Can include headers, data, settings, etc.
     • Stream
       – Carries request + response
       – Multiple frames
     • HTTP/2 Connection
       – Application-layer connection over a TCP connection
       – Carries multiple streams (using stream multiplexing)
  15. HTTP/2 Binary Layer
  16. (no slide text)
  17. New 0-day DoS Attacks
     • CVE-2016-1546
     • CVE-2015-8659* (not by Imperva)
     • CVE-2016-0150
     • CVE-2016-1544
     • CVE-2016-2525
  18. Attack Summary
     • Compression
     • Stream Dependency & Priority
     • Stream Multiplexing
     • Flow Control
  19. Attacking HTTP/2 Flow Control Mechanism
     • CVE-2016-1546 – Window size
  20. Flow Control
     • Based on WINDOW_UPDATE frames
     • Defined to protect endpoints that operate under resource constraints
     • Specific to a connection
     • Spec only defines format and semantics
     • Mandatory and cannot be disabled
  21. Flow Control LDR Attack Flow
     Diagram (clients and server, single HTTP/2 connection): attacker reduces window size; request for a large resource (Stream 1); request for a large resource (Stream 3); slowly increase the window size; users cannot get responses
     • When Jetty gets a request for a resource larger than the window size, the thread that handles the request goes to sleep (30 seconds)
     • In Apache/IIS the attacker keeps the connection alive by slowly increasing the window size
     • By sending multiple requests an attacker can make all the threads sleep for a long time and cause a denial of service
  22. (no slide text)
  23. Attacking HTTP/2 Dependency Mechanism
     • CVE-2015-8659* – memory cleanup
  24. Stream Priority & Dependency
     • Optional (can be ignored)
     • Each stream can be given an explicit dependency on another stream
     • Allows an endpoint to express how it would prefer its peer to allocate resources
     • The graph is a tree
  25. Stream Dependency Cycle
     • Assume MAX_CONCURRENT_STREAM = 4 (tree size)
     • Send the priority frames
       – Stream 7 → stream 5 (forces the server to remove stream 7)
       – Stream 5 → stream 3
     • Stream 3 is saved at the same address as stream 7
     • Dependency cycle is created
     Diagram: streams 13, 11, 9, 7, 5, 3
  26. Stream Dependency Denial of Service
     • Both stream 7 and stream 3 are located at the same memory address
     • The stream_update_dep_set_top function enters an infinite loop
     Diagram: stream 7 address; same address for stream 3; infinite loop
  27. (no slide text)
  28. Attacking HTTP/2 Stream Multiplexing Mechanism
     • CVE-2016-0150
  29. Stream Multiplexing
     • Multiple requests and responses at the same time over a single connection
     • The partition of the TCP connection is purely logical
  30. Stream Abuse
     Diagram (clients and server): open HTTP/2 connection; send two requests on one stream; users cannot get responses
     • Attacker sends multiple requests on the same stream
     • HTTP.sys in Windows 10 crashes (Blue Screen of Death)
  31. (no slide text)
  32. Attacking HTTP/2 Compression Mechanism
     • CVE-2016-1544 – HPACK Bomb
     • CVE-2016-2525 – Wireshark
  33. Headers Compression
     • Both sides (client/server) maintain header tables per TCP connection direction
     • These tables consist of static and dynamic parts
     • These tables are used as dictionaries to compress/decompress the headers
  34. Headers Compression
  35. HPACK Bomb Attack Flow
     Diagram (clients and server): insert long header into the dynamic table; send requests with thousands of header references; users cannot get responses. On the wire: 16,000 references × 1 byte = 16 KByte; decompressed: 16,000 references × 4 KByte = 64 MByte
     • Attacker sends a request with an extremely long header “X” (HEADERS frame)
     • The request contains the maximum number of references to header “X”
     • By sending 14 frames, the attacker can crash nghttp
  36. HPACK Bomb – Calculation
     • The default size of the dynamic table is 4KB
     • A request can contain 16KB of headers
     • One request can be decompressed to 16K × 4KB = 64MB
     • 14 requests will be decompressed to 14 × 64MB = 896MB, enough to crash our nghttp server
  37. (no slide text)
  38. HPACK Bomb – Collateral Damage
     • Wireshark
       – Uses the nghttp2 library to decompress headers
       – Other applications that rely on the nghttp2 library may be vulnerable
  39. Risk Mitigation
  40. Mitigation
     • Abandon your HTTP/2 plans?
       – HTTP/2 is the next generation protocol for the Internet
       – HTTP/2 serves acute business needs
       – Dozens of CVEs are published every month for non-HTTP/2 servers
     • Choose a “secure” server implementation?
       – None was found immune
       – What about 3rd party software?
       – More vulnerabilities to come
     • Patch?
       – Build a patching framework
  41. How to Win the Patching Race?
     • How do I know that a vulnerability exists?
     • When will the patch be ready?
     • What’s the impact of the patch (and reboot) on my business?
     • Is the patch stable?
     • Am I risking my business?
  42. Web Application Firewall and Virtual Patching
     Diagram: Web Application Firewall (on premise/cloud); security flaw; business owner focuses on business; server remains intact; server remains protected
  43. (no slide text)
  44. Summary
     • The HTTP/2 protocol is an excellent technology to provide the next generation of the Internet
     • HTTP/2 is gaining popularity and support from all significant web stakeholders
     • We demonstrated new attacks on implementations of significant HTTP/2 servers
       – Utilizing the significant power given to the sender
       – Implementation pitfalls
  45. Conclusions
     • HTTP/2 is here to stay, and rightfully so
     • HTTP/2 extends the attack surface for web attackers
       – New highly customizable transport mechanisms
       – New code released to the wild
       – Unplowed land
     • The HTTP/2 ecosystem is still not security-mature. Moreover, things may get worse when websites start utilizing HTTP/2 capabilities
     • Without external protection and virtual patching, the business owner will always be behind in the patching race
  46. Download the full report here: http://www.imperva.com/DefenseCenter/HackerIntelligenceReports
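The priority-tree handling that keeps the slide 25 sequence (stream 7 → 5, then 5 → 3 with a four-stream table) from ever forming the cycle described on slide 26, as an added example in Python (not code from the deck or from nghttp2): the RFC 7540 §5.3.3 reordering rule, plus lookups that treat an evicted stream as unknown instead of reusing its slot. Stream weights and the exclusive flag are assumed away, and `max_nodes` is this example's stand-in for the tree-size limit the slide calls MAX_CONCURRENT_STREAM.

```python
# Added example, not code from the Imperva deck: a priority tree that survives
# the slide 25 PRIORITY sequence (stream 7 -> 5, then 5 -> 3, 4-entry cap).
# Two defensive rules keep it a tree: the RFC 7540 s5.3.3 reordering when a
# dependency would close a cycle, and treating an evicted stream as unknown.
class PriorityTree:
    def __init__(self, max_nodes=4):
        self.max_nodes = max_nodes          # assumed stand-in for the tree-size limit
        self.parent = {0: None}             # stream id -> dependency; 0 is the root
        self.closed = []                    # eviction order, oldest closed first

    def _is_descendant(self, node, ancestor):
        while node is not None and node != ancestor:
            node = self.parent[node]
        return node == ancestor

    def _evict(self):
        while len(self.parent) - 1 > self.max_nodes and self.closed:
            victim = self.closed.pop(0)
            for child, p in list(self.parent.items()):
                if p == victim:             # re-parent orphans to the victim's parent
                    self.parent[child] = self.parent[victim]
            del self.parent[victim]         # no stale node left to be reused

    def set_dependency(self, stream, dep):
        if stream == dep:
            raise ValueError("stream cannot depend on itself")  # RFC 7540 s5.3.1
        if dep not in self.parent:
            dep = 0                         # unknown or evicted: default priority
        if stream not in self.parent:
            self.parent[stream] = 0         # PRIORITY may name an idle stream
        if self._is_descendant(dep, stream):  # would close a cycle: s5.3.3 reordering
            self.parent[dep] = self.parent[stream]
        self.parent[stream] = dep
        self._evict()

    def close(self, stream):
        if stream in self.parent and stream not in self.closed:
            self.closed.append(stream)      # eligible for eviction once the tree is full

    def is_tree(self):
        for node in self.parent:            # every node must reach the root in < N steps
            cur, steps = node, 0
            while cur is not None and steps <= len(self.parent):
                cur, steps = self.parent[cur], steps + 1
            if cur is not None:
                return False
        return True
```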

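The amplification arithmetic of slides 35-36 and the decoder-side check that stops it, as an added example in Python (not code from the Imperva deck or from nghttp2). The 16 KB cap on the decoded header list is an assumed value; a real decoder would take it from its SETTINGS_MAX_HEADER_LIST_SIZE configuration. The HPACK wire format is simplified: representations arrive pre-parsed and `indexed` addresses the dynamic table only.

```python
# Added example, not code from the Imperva deck: the slide 36 arithmetic and a
# decoder-side bound against it. Simplified model: a header block is a list of
# parsed representations, and "indexed" addresses the dynamic table only
# (0 = newest), not RFC 7541's combined static+dynamic index space.
ENTRY_OVERHEAD = 32  # RFC 7541 s4.1: entry size = len(name) + len(value) + 32

class BoundedDecoder:
    def __init__(self, table_size=4096, max_header_list_size=16 * 1024):
        self.table_size = table_size                      # 4 KB default (slide 36)
        self.max_header_list_size = max_header_list_size  # decoded-size cap (assumed value)
        self.dynamic = []                                 # newest entry first

    def _size(self):
        return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.dynamic)

    def _add(self, name, value):
        self.dynamic.insert(0, (name, value))
        while self._size() > self.table_size:             # evict oldest entries (s4.4)
            self.dynamic.pop()

    def decode(self, block):
        """Return (headers, None), or (None, reason) the moment the decoded
        list would exceed the cap, so a bomb stops after a few references."""
        headers, total = [], 0
        for rep in block:
            if rep[0] == "literal":
                _, name, value = rep
                self._add(name, value)
            elif rep[0] == "indexed" and rep[1] < len(self.dynamic):
                name, value = self.dynamic[rep[1]]
            else:
                return None, "malformed representation"
            total += len(name) + len(value) + ENTRY_OVERHEAD
            if total > self.max_header_list_size:
                return None, f"header list exceeds {self.max_header_list_size} bytes"
            headers.append((name, value))
        return headers, None

def bomb_amplification(table_bytes=4096, wire_bytes=16 * 1024, frames=14):
    """Slide 36: every 1-byte indexed reference expands to a table-sized header."""
    per_request = wire_bytes * table_bytes
    return per_request, per_request * frames

def constructed_bomb_block(refs=16_000, value_len=4000):
    """Constructed test input: one long literal that fits the 4 KB table,
    then `refs` references to it (the shape described on slide 35)."""
    return [("literal", "x", "A" * value_len)] + [("indexed", 0)] * refs
```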