SlideShare a Scribd company logo

ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet

Cyber Security Alliance
Cyber Security Alliance

This document discusses hash flooding denial of service (DoS) attacks and defenses. It presents the theory behind exploiting weaknesses in hash functions like MurmurHash2/3 through differential cryptanalysis. Specifically, it shows how to generate multicollision inputs that result in the same hash value. This allows an attacker to force worst-case insertion times into hash tables, overloading systems. The document notes that many systems using MurmurHash2/3 remain vulnerable. It then discusses potential real-world attacks against uses of hashes in applications like web frameworks. As an example, it demonstrates how to attack internal hash tables in Ruby on Rails, though default protections prevent attacks on request parameters.

Technology
1 of 121
Download to read offline
Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois at Chicago Martin Boßlet, freelancer
Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois at Chicago Martin Boßlet, freelancer
Jean-Philippe Cryptography expert at the Kudelski Group Applied crypto researcher https://131002.net @aumasson Martin Independent SW engineer and security expert Ruby core dev team member http://www.martinbosslet.de @_emboss_
Hash-flooding DoS reloaded: attacks and defenses
Denial-of-Service (DoS) attacks “Attempt to make a machine or network resource unavailable to its intended users.” Wikipedia
Popular DoS techniques are distributed HTTP or TCP SYN flood… (DDoS)
More subtle techniques exploit properties of TCP-congestion-avoidance algorithms…
Hash-flooding DoS reloaded: attacks and defenses
Hash tables used in many applications to maintain an association between objects Example: Python dictionaries d={} # empty table d[12345]=0xc # insertion d[‘astring’]=‘foo’ # insertion d[(‘a’,‘tuple’)]=0 # insertion print d[‘a string’] # lookup
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average 0 1 2 12345: 0xc d[12345]=0xc, hash(12345)=1
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average 0 1 2 ‘astring’: ‘foo’ 12345: 0xc d[‘astring’]=‘foo’ , hash(‘astring’)=0
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average 0 1 2 ‘astring’: ‘foo’ 12345: 0xc (‘a’,’tuple’): 0 d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n2) operations in the worst case 0 1 2 12345: 0xc d[12345]=0xc, hash(12345)=1
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n2) operations in the worst case 0 1 2 12345: 0xc ‘astring’: ‘foo’ d[‘astring’]=‘foo’ , hash(‘astring’)=0
If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n2) operations in the worst case 0 1 2 12345: 0xc ‘astring’: ‘foo’ (‘a’, ‘tuple’): ‘foo’ d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
Hash flooding: Send to a server many inputs with a same hash (a multicollision) so as to enforce worst-case insert time
send 2MB of POST data consisting of 200.000 colliding 10B strings ≈ 40.000.000.000 string comparisons (at least 10s on a 2GHz machine…)
Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003 -> attack formalized and applied to Perl, Squid, etc. Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3 -> application to PHP, Java, Python, Ruby, etc.
Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003 -> attack formalized and applied to Perl, Squid, etc. Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3 -> application to PHP, Java, Python, Ruby, etc.
Patches released consisting of a stronger hash with randomization (to make colliding values impossible to find)
MurmurHash2 “used in code by Google, Microsoft, Yahoo, and many others” http://code.google.com/p/smhasher/wiki/MurmurHash CRuby, JRuby
MurmurHash3 “successor to MurmurHash2” Oracle’s Java SE, Rubinius
Hash-flooding DoS reloaded: attacks and defenses
1. Theory
MurmurHash3 core Processes the input per blocks of 4 bytes for (i=0;i<nblocks;i++) { uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=0 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D1 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x00040000 h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=0 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D1 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x00040000 h1 ^= k1; diff in h1 0x00040000 h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=0 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D1 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x00040000 h1 ^= k1; diff in h1 0x00040000 h1 = ROTL32 ( h1 ,13); 0x80000000 h1 = h1 *5+0 xe6546b64;} 0x80000000
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=1 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D2 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=1 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D2 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x80000000 h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=1 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D2 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x80000000 diff in h1: 0x80000000 ^ 0x80000000 = 0 h1 ^= k1; h1 = ROTL32 ( h1 ,13); COLLISION! h1 = h1 *5+0 xe6546b64;}
M1 M2 32-bit 32-bit h1=f(X)=H h1=X M1^D1 M2^D2 32-bit 32-bit h1=f(X^D3^D3)=H h1=X^D3 2 colliding 8-byte inputs
M1 M2 M3 M4 M5 M6 collision collision collision Chain collisions => multicollisions 8n bytes => 2 n colliding inputs
A multicollision works for any seed => “Universal” multicollisions h1=seed; for (i=0;i<nblocks;i++) { uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; // transform of k1 independent of the seed! h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
Even simpler for MurmurHash2
Consequence: Systems using MurmurHash2/3 remain vulnerable to hash-flooding
Other hash attacked
Even weaker than MurmurHash2… Also vulnerable to hash flooding
CityHash64( BU9[85WWp/ HASH!, 16 ) = b82e7612e6933d2f CityHash64( 8{YDLn;d.2 HASH!, 16 ) = b82e7612e6933d2f CityHash64( d+nkK&t?yr HASH!, 16 ) = b82e7612e6933d2f CityHash64( {A.#v5i]V{ HASH!, 16 ) = b82e7612e6933d2f CityHash64( FBC=/hJeA!HASH!, 16 ) = b82e7612e6933d2f CityHash64( $03$=K1.-H!HASH!, 16 ) = b82e7612e6933d2f CityHash64( 3o'L'Piw!HASH!, 16 ) = b82e7612e6933d2f CityHash64( duDu%qaUS@"HASH!, 16 ) = b82e7612e6933d2f CityHash64( IZVo|0S=BX"HASH!, 16 ) = b82e7612e6933d2f CityHash64( X2V|P=<u,=#HASH!, 16 ) = b82e7612e6933d2f CityHash64( 9<%45yG]qG#HASH!, 16 ) = b82e7612e6933d2f CityHash64( 6?4O:'<Vho#HASH!, 16 ) = b82e7612e6933d2f CityHash64( 2u 2}7g^>3$HASH!, 16 ) = b82e7612e6933d2f CityHash64( kqwnZH=cKG$HASH!, 16 ) = b82e7612e6933d2f CityHash64( Nl+:rtvw}K$HASH!, 16 ) = b82e7612e6933d2f CityHash64( s/pI!<5u*]$HASH!, 16 ) = b82e7612e6933d2f CityHash64( f|P~n*<xPc$HASH!, 16 ) = b82e7612e6933d2f CityHash64( Cj7TCG|G}}$HASH!, 16 ) = b82e7612e6933d2f CityHash64( a4$>Jf3PF'%HASH!, 16 ) = b82e7612e6933d2f
2. Practice
Breaking Murmur: We‘ve got the recipe – Now all we need is the (hash) cake
Where are hashes used?
Internally vs. Externally
Parser symbol tables Method lookup tables Attributes / Instance variables IP Addresses Transaction IDs Database Indexing Session IDs HTTP Headers JSON Representation URL-encoded POST form data Deduplication (HashSet) A* search algorithm Dictionaries …
=> Where aren’t they used?
Can’t we use something different?
We could, but amortized constant time is just too sexy
Possible real-life attacks
Attack internal use?
Elegant, but low impact
Need a high-profile target
Web Application
Example #1 Rails
First: Attacking MurmurHash in Ruby
Straight-forward with a few quirks
Apply the recipe
Demo
Should work with Rails out of the box, no?
Unfortunately, no
Demo
def POST … @env["rack.request.form_hash"] = parse_query(form_vars) … end
def parse_query(qs) Utils.parse_nested_query(qs) end
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
def unescape(s, encoding = Encoding::UTF_8) URI.decode_www_form_component(s, encoding) end
def self.decode_www_form_component(str, enc=Encoding::UTF_8) raise ArgumentError, "invalid %-encoding (#{str})" unless /A[^%]*(?:%hh[^%]*)*z/ =~ str str.gsub(/+|%hh/, TBLDECWWWCOMP_).force_encoding(enc) end
/A[^%]*(?:%hh[^%]*)*z/ ???
Catches invalid % encodings (e.g. %ZV, %%1 instead of %2F)
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
def normalize_params(params, name, v = nil) name =~ %r(A[[]]*([^[]]+)]*) k = $1 || '' … end
%r(A[[]]*([^[]]+)]*) ???
helps transform [[]] to []
idea: pre-generate matching values
create random values passing the regular expressions
that should do it, right?
Demo
def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
class KeySpaceConstrainedParams def []=(key, value) @size += key.size if key && !@params.key?(key) raise RangeError, 'exceeded available parameter key space‘ if @size > @limit @params[key] = value end end
What now? Rails is safe?
Remember: Hashes are used everywhere
So if application/x-www-form-urlencoded doesn't work, how about application/json ?
Again, with the encoding...
Fast-forward...
Demo
Conclusion Patchwork is not helping
too many places
code bloat
yet another loophole will be found
Fix it at the root
Example #2 Java
String(byte[] bytes)
public String(byte bytes[], int offset, int length, Charset charset) { … char[] v = StringCoding.decode(charset, bytes, offset, length); … }
Tough nut to crack
What now? Java is safe?
String(char[] value)
public String(char value[]) { int size = value.length; this.offset = 0; this.count = size; this.value = Arrays.copyOf(value, size); }
No decoding!
Substitute byte[] operations with equivalent operations on char[]
Demo
Disclosure Oracle (Java): Sep 11 CRuby, JRuby, Rubinius: Aug 30
Hash-flooding DoS reloaded: attacks and defenses
SipHash: a fast short-input PRF New crypto algorithm to fix hash-flooding: • Rigorous security requirements and analysis • Speed competitive with that of weak hashes Peer-reviewed research paper (A., Bernstein). published at DIAC 2012, INDOCRYPT 2012
SipHash initialization 256-bit state v0 v1 v2 v3 128-bit key k0 k1 v0 = k0 ⊕ 736f6d6570736575 v1 = k1 ⊕ 646f72616e646f6d v2 = k0 ⊕ 6c7967656e657261 v3 = k1 ⊕ 7465646279746573
SipHash initialization 256-bit state v0 v1 v2 v3 128-bit key k0 k1 v0 = k0 ⊕ “somepseu” v1 = k1 ⊕ “dorandom” v2 = k0 ⊕ “lygenera” v3 = k1 ⊕ “tedbytes”
SipHash compression Message parsed as 64-bit words m0, m1, … v3 ⊕= m0 c iterations of SipRound v0 ⊕= m0
SipHash compression Message parsed as 64-bit words m0, m1, … v3 ⊕= m1 c iterations of SipRound v0 ⊕= m1
SipHash compression Message parsed as 64-bit words m0, m1, … v3 ⊕= m2 c iterations of SipRound v0 ⊕= m2
SipHash compression Message parsed as 64-bit words m0, m1, … Etc.
SipRound
SipHash finalization v2 ⊕= 255 d iterations of SipRound Return v0 ⊕ v1 ⊕ v2 ⊕ v3
SipHash-2-4 hashing 15 bytes
Family SipHash-c-d Fast proposal: SipHash-2-4 Conservative proposal: SipHash-4-8 Weaker versions for cryptanalysis: SipHash-1-0, SipHash-2-0, etc. SipHash-1-1, SipHash-2-1, etc. Etc.
Proof of simplicity June 20: paper published online June 28: 18 third-party implementations C (Floodyberry, Boßlet, Neves); C# (Haynes) Cryptol (Lazar); Erlang, Javascript, PHP (Denis) Go (Chestnykh); Haskell (Hanquez) Java, Ruby (Boßlet); Lisp (Brown); Perl6 (Julin)
Who is using SipHash? http://www.opendns.com/ http://www.rust-lang.org/ Soon?
Take home message • DoS is doable with only small data/bandwidth • Java- and Ruby-based web applications vulnerable to DoS (and maybe others…) • SipHash offers both security and performance Contact us if you need to check your application
Hash-flooding DoS reloaded: attacks and defenses THANK YOU!

Recommended

Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp
 
Ds 2 cycle
Ds 2 cycleDs 2 cycle
Ds 2 cycleChaitanya Kn
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysAleksandr Yampolskiy
 
Introduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic Encryption
Christoph Matthies
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
New York Technology Council
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Victor Pereira
 
Let’s talk about microbenchmarking
Let’s talk about microbenchmarkingLet’s talk about microbenchmarking
Let’s talk about microbenchmarking
Andrey Akinshin
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
iosrjce
 

Recommended

Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp
 
Ds 2 cycle
Ds 2 cycleDs 2 cycle
Ds 2 cycleChaitanya Kn
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysAleksandr Yampolskiy
 
Introduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic Encryption
Christoph Matthies
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
New York Technology Council
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Victor Pereira
 
Let’s talk about microbenchmarking
Let’s talk about microbenchmarkingLet’s talk about microbenchmarking
Let’s talk about microbenchmarking
Andrey Akinshin
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
iosrjce
 
Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”
Platonov Sergey
 
COSCUP: Introduction to Julia
COSCUP: Introduction to JuliaCOSCUP: Introduction to Julia
COSCUP: Introduction to Julia
岳華 杜
 
Asssignment2
Asssignment2 Asssignment2
Asssignment2
AnnamalikAnnamalik
 
Java puzzles
Java puzzlesJava puzzles
Java puzzles
Nikola Petrov
 
Java Puzzle
Java PuzzleJava Puzzle
Java PuzzleSFilipp
 
Clojure class
Clojure classClojure class
Clojure classAysylu Greenberg
 
Java Basics - Part2
Java Basics - Part2Java Basics - Part2
Java Basics - Part2
Vani Kandhasamy
 
Computer security
Computer security Computer security
Computer security
Harry Potter
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their Applications
Alex Pruden
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”
Platonov Sergey
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
Alex Pruden
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and Isogenies
Priyanka Aash
 
Distributed Machine Learning with Apache Mahout
Distributed Machine Learning with Apache MahoutDistributed Machine Learning with Apache Mahout
Distributed Machine Learning with Apache Mahout
Suneel Marthi
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant Hashing
Philippe Camacho, Ph.D.
 
Network Attacks
Network AttacksNetwork Attacks
Network Attacks
SecurityTube.Net
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
Lior Rotkovitch
 
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
Amazon Web Services
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Ahmed Ghazey
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks
Amazon Web Services
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksPascal Flöschel
 

More Related Content

What's hot

Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”
Platonov Sergey
 
COSCUP: Introduction to Julia
COSCUP: Introduction to JuliaCOSCUP: Introduction to Julia
COSCUP: Introduction to Julia
岳華 杜
 
Asssignment2
Asssignment2 Asssignment2
Asssignment2
AnnamalikAnnamalik
 
Java puzzles
Java puzzlesJava puzzles
Java puzzles
Nikola Petrov
 
Java Puzzle
Java PuzzleJava Puzzle
Java PuzzleSFilipp
 
Java Basics - Part2
Java Basics - Part2Java Basics - Part2
Java Basics - Part2
Vani Kandhasamy
 
Computer security
Computer security Computer security
Computer security
Harry Potter
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their Applications
Alex Pruden
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”
Platonov Sergey
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
Alex Pruden
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and Isogenies
Priyanka Aash
 
Distributed Machine Learning with Apache Mahout
Distributed Machine Learning with Apache MahoutDistributed Machine Learning with Apache Mahout
Distributed Machine Learning with Apache Mahout
Suneel Marthi
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant Hashing
Philippe Camacho, Ph.D.
 

What's hot (14)

Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”
 
COSCUP: Introduction to Julia
COSCUP: Introduction to JuliaCOSCUP: Introduction to Julia
COSCUP: Introduction to Julia
 
Asssignment2
Asssignment2 Asssignment2
Asssignment2
 
Java puzzles
Java puzzlesJava puzzles
Java puzzles
 
Java Puzzle
Java PuzzleJava Puzzle
Java Puzzle
 
Clojure class
Clojure classClojure class
Clojure class
 
Java Basics - Part2
Java Basics - Part2Java Basics - Part2
Java Basics - Part2
 
Computer security
Computer security Computer security
Computer security
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their Applications
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and Isogenies
 
Distributed Machine Learning with Apache Mahout
Distributed Machine Learning with Apache MahoutDistributed Machine Learning with Apache Mahout
Distributed Machine Learning with Apache Mahout
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPredicate-Preserving Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant Hashing
 

Viewers also liked

Network Attacks
Network AttacksNetwork Attacks
Network Attacks
SecurityTube.Net
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
Lior Rotkovitch
 
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
Amazon Web Services
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Ahmed Ghazey
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks
Amazon Web Services
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
Jignesh Patel
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
IntruGuard
 

Viewers also liked (10)

Network Attacks
Network AttacksNetwork Attacks
Network Attacks
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
 
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
DDoS Resiliency with Amazon Web Services (SEC305) | AWS re:Invent 2013
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoS
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
 

Similar to ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet

Computer graphics lab report with code in cpp
Computer graphics lab report with code in cppComputer graphics lab report with code in cpp
Computer graphics lab report with code in cpp
Alamgir Hossain
 
Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06
Aritra Sarkar
 
Lecture3 combinational blocks
Lecture3 combinational blocksLecture3 combinational blocks
Lecture3 combinational blocks
Nima Shafiee
 
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Mozaic Works
 
Computer graphics lab manual
Computer graphics lab manualComputer graphics lab manual
Computer graphics lab manual
Uma mohan
 
Ee693 sept2014midsem
Ee693 sept2014midsemEe693 sept2014midsem
Ee693 sept2014midsem
Gopi Saiteja
 
QMC Error SAMSI Tutorial Aug 2017
QMC Error SAMSI Tutorial Aug 2017QMC Error SAMSI Tutorial Aug 2017
QMC Error SAMSI Tutorial Aug 2017
Fred J. Hickernell
 
Ch01 basic concepts_nosoluiton
Ch01 basic concepts_nosoluitonCh01 basic concepts_nosoluiton
Ch01 basic concepts_nosoluiton
shin
 
Introduction to Neural Networks and Deep Learning from Scratch
Introduction to Neural Networks and Deep Learning from ScratchIntroduction to Neural Networks and Deep Learning from Scratch
Introduction to Neural Networks and Deep Learning from Scratch
Ahmed BESBES
 
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
The Statistical and Applied Mathematical Sciences Institute
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Svetlin Nakov
 
C++ TUTORIAL 10
C++ TUTORIAL 10C++ TUTORIAL 10
C++ TUTORIAL 10
Farhan Ab Rahman
 
Efficient SIMD Vectorization for Hashing in OpenCL
Efficient SIMD Vectorization for Hashing in OpenCLEfficient SIMD Vectorization for Hashing in OpenCL
Efficient SIMD Vectorization for Hashing in OpenCL
Jonas Traub
 
PyconKR 2018 Deep dive into Coroutine
PyconKR 2018 Deep dive into CoroutinePyconKR 2018 Deep dive into Coroutine
PyconKR 2018 Deep dive into Coroutine
Daehee Kim
 
03.01 hash tables
03.01 hash tables03.01 hash tables
03.01 hash tables
Jyotsna Suryadevara
 
QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...
QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...
QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...
The Statistical and Applied Mathematical Sciences Institute
 
C++ lectures all chapters in one slide.pptx
C++ lectures all chapters in one slide.pptxC++ lectures all chapters in one slide.pptx
C++ lectures all chapters in one slide.pptx
ssuser3cbb4c
 
Understanding the Disruptor
Understanding the DisruptorUnderstanding the Disruptor
Understanding the Disruptor
Trisha Gee
 
Introduction VHDL.ppt
Introduction VHDL.pptIntroduction VHDL.ppt
Introduction VHDL.ppt
SravanKumar743222
 

Similar to ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet (20)

Computer graphics lab report with code in cpp
Computer graphics lab report with code in cppComputer graphics lab report with code in cpp
Computer graphics lab report with code in cpp
 
Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06
 
Lecture3 combinational blocks
Lecture3 combinational blocksLecture3 combinational blocks
Lecture3 combinational blocks
 
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
 
Computer graphics lab manual
Computer graphics lab manualComputer graphics lab manual
Computer graphics lab manual
 
Ee693 sept2014midsem
Ee693 sept2014midsemEe693 sept2014midsem
Ee693 sept2014midsem
 
Faster Python, FOSDEM
Faster Python, FOSDEMFaster Python, FOSDEM
Faster Python, FOSDEM
 
QMC Error SAMSI Tutorial Aug 2017
QMC Error SAMSI Tutorial Aug 2017QMC Error SAMSI Tutorial Aug 2017
QMC Error SAMSI Tutorial Aug 2017
 
Ch01 basic concepts_nosoluiton
Ch01 basic concepts_nosoluitonCh01 basic concepts_nosoluiton
Ch01 basic concepts_nosoluiton
 
Introduction to Neural Networks and Deep Learning from Scratch
Introduction to Neural Networks and Deep Learning from ScratchIntroduction to Neural Networks and Deep Learning from Scratch
Introduction to Neural Networks and Deep Learning from Scratch
 
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
Program on Quasi-Monte Carlo and High-Dimensional Sampling Methods for Applie...
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
 
C++ TUTORIAL 10
C++ TUTORIAL 10C++ TUTORIAL 10
C++ TUTORIAL 10
 
Efficient SIMD Vectorization for Hashing in OpenCL
Efficient SIMD Vectorization for Hashing in OpenCLEfficient SIMD Vectorization for Hashing in OpenCL
Efficient SIMD Vectorization for Hashing in OpenCL
 
PyconKR 2018 Deep dive into Coroutine
PyconKR 2018 Deep dive into CoroutinePyconKR 2018 Deep dive into Coroutine
PyconKR 2018 Deep dive into Coroutine
 
03.01 hash tables
03.01 hash tables03.01 hash tables
03.01 hash tables
 
QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...
QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...
QMC: Operator Splitting Workshop, Forward-Backward Splitting Algorithm withou...
 
C++ lectures all chapters in one slide.pptx
C++ lectures all chapters in one slide.pptxC++ lectures all chapters in one slide.pptx
C++ lectures all chapters in one slide.pptx
 
Understanding the Disruptor
Understanding the DisruptorUnderstanding the Disruptor
Understanding the Disruptor
 
Introduction VHDL.ppt
Introduction VHDL.pptIntroduction VHDL.ppt
Introduction VHDL.ppt
 

More from Cyber Security Alliance

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
Cyber Security Alliance
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
Cyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
Cyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
Cyber Security Alliance
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
Cyber Security Alliance
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
Cyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
Cyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
Cyber Security Alliance
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
Cyber Security Alliance
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
Cyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
Cyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Cyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Cyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

More from Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Recently uploaded

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philippe Aumasson / Martin Boßlet

  • 1. Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois at Chicago Martin Boßlet, freelancer
  • 2. Hash-flooding DoS reloaded: attacks and defenses Jean-Philippe Aumasson, Kudelski Group Daniel J. Bernstein, University of Illinois at Chicago Martin Boßlet, freelancer
  • 3. Jean-Philippe Cryptography expert at the Kudelski Group Applied crypto researcher https://131002.net @aumasson Martin Independent SW engineer and security expert Ruby core dev team member http://www.martinbosslet.de @_emboss_
  • 4. Hash-flooding DoS reloaded: attacks and defenses
  • 5. Denial-of-Service (DoS) attacks “Attempt to make a machine or network resource unavailable to its intended users.” Wikipedia
  • 6. Popular DoS techniques are distributed HTTP or TCP SYN flood… (DDoS)
  • 7. More subtle techniques exploit properties of TCP-congestion-avoidance algorithms…
  • 8. Hash-flooding DoS reloaded: attacks and defenses
  • 9. Hash tables used in many applications to maintain an association between objects Example: Python dictionaries d={} # empty table d[12345]=0xc # insertion d[‘astring’]=‘foo’ # insertion d[(‘a’,‘tuple’)]=0 # insertion print d[‘a string’] # lookup
  • 10. If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average
  • 11. If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average 0 1 2 12345: 0xc d[12345]=0xc, hash(12345)=1
  • 12. If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average 0 1 2 ‘astring’: ‘foo’ 12345: 0xc d[‘astring’]=‘foo’ , hash(‘astring’)=0
  • 13. If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n) operations on average 0 1 2 ‘astring’: ‘foo’ 12345: 0xc (‘a’,’tuple’): 0 d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
  • 14. If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n2) operations in the worst case 0 1 2 12345: 0xc d[12345]=0xc, hash(12345)=1
  • 15. If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n2) operations in the worst case 0 1 2 12345: 0xc ‘astring’: ‘foo’ d[‘astring’]=‘foo’ , hash(‘astring’)=0
  • 16. If the table is about as large as the number of elements to be stored (=n), insertion or lookup of n elements takes O(n2) operations in the worst case 0 1 2 12345: 0xc ‘astring’: ‘foo’ (‘a’, ‘tuple’): ‘foo’ d[(‘a’,’tuple’)=0; hash((‘a’,’tuple’))=2
  • 17. Hash flooding: Send to a server many inputs with a same hash (a multicollision) so as to enforce worst-case insert time
  • 18. send 2MB of POST data consisting of 200.000 colliding 10B strings ≈ 40.000.000.000 string comparisons (at least 10s on a 2GHz machine…)
  • 19. Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003 -> attack formalized and applied to Perl, Squid, etc. Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3 -> application to PHP, Java, Python, Ruby, etc.
  • 20. Previous work Crosby, Wallach. Denial of Service via Algorithmic Complexity Attacks, USENIX Security 2003 -> attack formalized and applied to Perl, Squid, etc. Klink, Wälde. Efficient Denial of Service Attacks on Web Application Platforms. CCC 28c3 -> application to PHP, Java, Python, Ruby, etc.
  • 21.
  • 22. Patches released consisting of a stronger hash with randomization (to make colliding values impossible to find)
  • 23. MurmurHash2 “used in code by Google, Microsoft, Yahoo, and many others” http://code.google.com/p/smhasher/wiki/MurmurHash CRuby, JRuby
  • 24. MurmurHash3 “successor to MurmurHash2” Oracle’s Java SE, Rubinius
  • 25. Hash-flooding DoS reloaded: attacks and defenses
  • 27. MurmurHash3 core Processes the input per blocks of 4 bytes for (i=0;i<nblocks;i++) { uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
  • 28. Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
  • 29. Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=0 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D1 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x00040000 h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
  • 30. Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=0 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D1 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x00040000 h1 ^= k1; diff in h1 0x00040000 h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
  • 31. Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=0 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D1 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x00040000 h1 ^= k1; diff in h1 0x00040000 h1 = ROTL32 ( h1 ,13); 0x80000000 h1 = h1 *5+0 xe6546b64;} 0x80000000
  • 32. Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=1 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D2 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
  • 33. Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=1 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D2 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x80000000 h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
  • 34. Differential cryptanalysis strategy 1/ introduce a difference in the state h1 via the input k1 2/ cancel this difference with a second well chosen difference for (i=0;i<nblocks;i++) { i=1 uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; inject difference D2 k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; diff in k1:0x80000000 diff in h1: 0x80000000 ^ 0x80000000 = 0 h1 ^= k1; h1 = ROTL32 ( h1 ,13); COLLISION! h1 = h1 *5+0 xe6546b64;}
  • 35. M1 M2 32-bit 32-bit h1=f(X)=H h1=X M1^D1 M2^D2 32-bit 32-bit h1=f(X^D3^D3)=H h1=X^D3 2 colliding 8-byte inputs
  • 36. M1 M2 M3 M4 M5 M6 collision collision collision Chain collisions => multicollisions 8n bytes => 2 n colliding inputs
  • 37. A multicollision works for any seed => “Universal” multicollisions h1=seed; for (i=0;i<nblocks;i++) { uint32_t k1 = getblock(blocks, i); k1 *= 0xcc9e2d51 ; k1 = ROTL32(k1 ,15); k1 *= 0x1b873593; // transform of k1 independent of the seed! h1 ^= k1; h1 = ROTL32 ( h1 ,13); h1 = h1 *5+0 xe6546b64;}
  • 38. Even simpler for MurmurHash2
  • 39. Consequence: Systems using MurmurHash2/3 remain vulnerable to hash-flooding
  • 41. Even weaker than MurmurHash2… Also vulnerable to hash flooding
  • 42. CityHash64( BU9[85WWp/ HASH!, 16 ) = b82e7612e6933d2f CityHash64( 8{YDLn;d.2 HASH!, 16 ) = b82e7612e6933d2f CityHash64( d+nkK&t?yr HASH!, 16 ) = b82e7612e6933d2f CityHash64( {A.#v5i]V{ HASH!, 16 ) = b82e7612e6933d2f CityHash64( FBC=/hJeA!HASH!, 16 ) = b82e7612e6933d2f CityHash64( $03$=K1.-H!HASH!, 16 ) = b82e7612e6933d2f CityHash64( 3o'L'Piw!HASH!, 16 ) = b82e7612e6933d2f CityHash64( duDu%qaUS@"HASH!, 16 ) = b82e7612e6933d2f CityHash64( IZVo|0S=BX"HASH!, 16 ) = b82e7612e6933d2f CityHash64( X2V|P=<u,=#HASH!, 16 ) = b82e7612e6933d2f CityHash64( 9<%45yG]qG#HASH!, 16 ) = b82e7612e6933d2f CityHash64( 6?4O:'<Vho#HASH!, 16 ) = b82e7612e6933d2f CityHash64( 2u 2}7g^>3$HASH!, 16 ) = b82e7612e6933d2f CityHash64( kqwnZH=cKG$HASH!, 16 ) = b82e7612e6933d2f CityHash64( Nl+:rtvw}K$HASH!, 16 ) = b82e7612e6933d2f CityHash64( s/pI!<5u*]$HASH!, 16 ) = b82e7612e6933d2f CityHash64( f|P~n*<xPc$HASH!, 16 ) = b82e7612e6933d2f CityHash64( Cj7TCG|G}}$HASH!, 16 ) = b82e7612e6933d2f CityHash64( a4$>Jf3PF'%HASH!, 16 ) = b82e7612e6933d2f
  • 44. Breaking Murmur: We‘ve got the recipe – Now all we need is the (hash) cake
  • 47. Parser symbol tables Method lookup tables Attributes / Instance variables IP Addresses Transaction IDs Database Indexing Session IDs HTTP Headers JSON Representation URL-encoded POST form data Deduplication (HashSet) A* search algorithm Dictionaries …
  • 48. => Where aren’t they used?
  • 49. Can’t we use something different?
  • 50. We could, but amortized constant time is just too sexy
  • 56. Example #1 Rails
  • 60. Demo
  • 61. Should work with Rails out of the box, no?
  • 63. Demo
  • 64. def POST … @env["rack.request.form_hash"] = parse_query(form_vars) … end
  • 66. def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
  • 67. def unescape(s, encoding = Encoding::UTF_8) URI.decode_www_form_component(s, encoding) end
  • 68. def self.decode_www_form_component(str, enc=Encoding::UTF_8) raise ArgumentError, "invalid %-encoding (#{str})" unless /A[^%]*(?:%hh[^%]*)*z/ =~ str str.gsub(/+|%hh/, TBLDECWWWCOMP_).force_encoding(enc) end
  • 70. Catches invalid % encodings (e.g. %ZV, %%1 instead of %2F)
  • 71. def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
  • 72. def normalize_params(params, name, v = nil) name =~ %r(A[[]]*([^[]]+)]*) k = $1 || '' … end
  • 76. create random values passing the regular expressions
  • 77. that should do it, right?
  • 78. Demo
  • 79.
  • 80. def parse_nested_query(qs, d = nil) params = KeySpaceConstrainedParams.new (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| k, v = p.split('=', 2).map { |s| unescape(s) } normalize_params(params, k, v) end return params.to_params_hash end
  • 81. class KeySpaceConstrainedParams def []=(key, value) @size += key.size if key && !@params.key?(key) raise RangeError, 'exceeded available parameter key space‘ if @size > @limit @params[key] = value end end
  • 82.
  • 83. What now? Rails is safe?
  • 85. So if application/x-www-form-urlencoded doesn't work, how about application/json ?
  • 86. Again, with the encoding...
  • 88. Demo
  • 92. yet another loophole will be found
  • 93. Fix it at the root
  • 94. Example #2 Java
  • 96. public String(byte bytes[], int offset, int length, Charset charset) { … char[] v = StringCoding.decode(charset, bytes, offset, length); … }
  • 97. Tough nut to crack
  • 98. What now? Java is safe?
  • 100. public String(char value[]) { int size = value.length; this.offset = 0; this.count = size; this.value = Arrays.copyOf(value, size); }
  • 102. Substitute byte[] operations with equivalent operations on char[]
  • 103. Demo
  • 104. Disclosure Oracle (Java): Sep 11 CRuby, JRuby, Rubinius: Aug 30
  • 105. Hash-flooding DoS reloaded: attacks and defenses
  • 106. SipHash: a fast short-input PRF New crypto algorithm to fix hash-flooding: • Rigorous security requirements and analysis • Speed competitive with that of weak hashes Peer-reviewed research paper (A., Bernstein). published at DIAC 2012, INDOCRYPT 2012
  • 107. SipHash initialization 256-bit state v0 v1 v2 v3 128-bit key k0 k1 v0 = k0 ⊕ 736f6d6570736575 v1 = k1 ⊕ 646f72616e646f6d v2 = k0 ⊕ 6c7967656e657261 v3 = k1 ⊕ 7465646279746573
  • 108. SipHash initialization 256-bit state v0 v1 v2 v3 128-bit key k0 k1 v0 = k0 ⊕ “somepseu” v1 = k1 ⊕ “dorandom” v2 = k0 ⊕ “lygenera” v3 = k1 ⊕ “tedbytes”
  • 109. SipHash compression Message parsed as 64-bit words m0, m1, … v3 ⊕= m0 c iterations of SipRound v0 ⊕= m0
  • 110. SipHash compression Message parsed as 64-bit words m0, m1, … v3 ⊕= m1 c iterations of SipRound v0 ⊕= m1
  • 111. SipHash compression Message parsed as 64-bit words m0, m1, … v3 ⊕= m2 c iterations of SipRound v0 ⊕= m2
  • 112. SipHash compression Message parsed as 64-bit words m0, m1, … Etc.
  • 114. SipHash finalization v2 ⊕= 255 d iterations of SipRound Return v0 ⊕ v1 ⊕ v2 ⊕ v3
  • 116. Family SipHash-c-d Fast proposal: SipHash-2-4 Conservative proposal: SipHash-4-8 Weaker versions for cryptanalysis: SipHash-1-0, SipHash-2-0, etc. SipHash-1-1, SipHash-2-1, etc. Etc.
  • 117.
  • 118. Proof of simplicity June 20: paper published online June 28: 18 third-party implementations C (Floodyberry, Boßlet, Neves); C# (Haynes) Cryptol (Lazar); Erlang, Javascript, PHP (Denis) Go (Chestnykh); Haskell (Hanquez) Java, Ruby (Boßlet); Lisp (Brown); Perl6 (Julin)
  • 119. Who is using SipHash? http://www.opendns.com/ http://www.rust-lang.org/ Soon?
  • 120. Take home message • DoS is doable with only small data/bandwidth • Java- and Ruby-based web applications vulnerable to DoS (and maybe others…) • SipHash offers both security and performance Contact us if you need to check your application
  • 121. Hash-flooding DoS reloaded: attacks and defenses THANK YOU!