HTTP! Encrypted! Information can be! Stolen through! TCP-windows

Similar documents
HEIST: HTTP Encrypted Information can be Stolen through TCP-windows

A Perfect CRIME? TIME Will Tell. Tal Be ery, Web research TL

Chapter 17. Transport-Level Security

Security Protocols/Standards

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Cleaning Encrypted Traffic

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Internet Banking System Web Application Penetration Test Report

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

elearning for Secure Application Development

Secure HTTP

Hack Proof Your Webapps

Three attacks in SSL protocol and their solutions

The Secure Sockets Layer (SSL)

, ) I Transport Layer Security

Secure Sockets Layer

Web Security Considerations

Transport Layer Security Protocols

Vulnerabilità dei protocolli SSL/TLS

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Security vulnerabilities in the Internet and possible solutions

SENSE Security overview 2014

Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1

The Top Web Application Attacks: Are you vulnerable?

Transport Level Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

DDoS Protecion Total AnnihilationD. DDoS Mitigation Lab

Chapter 32 Internet Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Protocol Rollback and Network Security

Metasploit The Elixir of Network Security

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Redirecting and modifying SMTP mail with TLS session renegotiation attacks

Network Security Part II: Standards

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Network Security Fundamentals

CS 3251: Computer Networking 1 Security Protocols I

SSL/TLS: The Ugly Truth

First Midterm for ECE374 03/24/11 Solution!!

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Where every interaction matters.

Chapter 7 Transport-Level Security

Key Management (Distribution and Certification) (1)

Security Testing with Selenium

Insecure network services

Intrusion detection for web applications

Information Security

DDoS Vulnerability Analysis of Bittorrent Protocol

Midterm. Name: Andrew user id:

APPLICATION SECURITY AND ITS IMPORTANCE

GoToMyPC Corporate Advanced Firewall Support Features

Solution of Exercise Sheet 5

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Implementation Vulnerabilities in SSL/TLS

Using etoken for SSL Web Authentication. SSL V3.0 Overview

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

TLS/SSL in distributed systems. Eugen Babinciuc

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN

Michael Seltzer COMP 116: Security Final Paper. Client Side Encryption in the Web Browser Mentor: Ming Chow

Virtual Private Networks

HTTPS is Fast and Hassle-free with CloudFlare

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Network Security Essentials Chapter 5

INTRODUCTION TO FIREWALL SECURITY

Public Key Infrastructure (PKI)

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Introduction to Computer Security

SCTP-Sec: A secure Transmission Control Protocol

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

SSRF DoS Relaying and a bit more...

Attacking Automatic Wireless Network Selection. Dino A. Dai Zovi and Shane A. Macaulay

Welcome to the Protecting Your Identity. Training Module

WEB ATTACKS AND COUNTERMEASURES

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

CS5008: Internet Computing

Vulnerability Scans Remote Support 15.1

Insecure network services. Firewalls. Two separable topics. Packet filtering. Example: blocking forgeries. Example: blocking outgoing mail

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

Computer Networking LAB 2 HTTP

Chapter 10. Network Security

SERENA SOFTWARE Serena Service Manager Security

First Semester Examinations 2011/12 INTERNET PRINCIPLES

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Web Application Guidelines

Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Summary of the SEED Labs For Authors and Publishers

Transcription:

HTTP! Encrypted! Information can be! Stolen through! TCP-windows by! Mathy Vanhoef & Tom Van Goethem

Agenda Technical background! Same-Origin Policy! Compression-based attacks! SSL/TLS & TCP! Nitty gritty HEIST details! Demo! Countermeasures 2

Same-Origin Policy GET /vault Mr. Sniffles https://bunnehbank.com 3

Same-Origin Policy GET /vault Mr. Sniffles https://bunnehbank.com 3

the World Wide Web Mr. Sniffles https://bunnehbank.com 4

the World Wide Web Mr. Sniffles https://bunnehbank.com 4

the World Wide Web GET /vault https://bunnehbank.com Mr. Sniffles HEIST 4

the World Wide Web GET /vault https://bunnehbank.com Mr. Sniffles HEIST 4

the World Wide Web GET /vault https://bunnehbank.com Mr. Sniffles HEIST 4

the World Wide Web GET /vault https://bunnehbank.com Mr. Sniffles HEIST 4

the World Wide Web GET /vault https://bunnehbank.com Mr. Sniffles HEIST 5

the World Wide Web GET /vault https://bunnehbank.com Mr. Sniffles HEIST 6

Agenda Technical background! Same-Origin Policy! Compression-based attacks! SSL/TLS & TCP! Nitty gritty HEIST details! Demo! Countermeasures 7

/vault Uncompressed Compressed You requested: /vault You requested: /vault vault_secret=carrots4life _secret=carrots4life 51 bytes 47 bytes 8

/vault?secret=a /vault?secret=c You requested: /vault?secret=a You requested: /vault?secret=c _ carrots4life _ arrots4life 50 bytes 49 bytes 9

/vault?secret=a /vault?secret=c You requested: You requested: /vault?secret=a /vault?secret=c 49 bytes < 50 bytes 'c' is a correct guess _ carrots4life _ arrots4life 50 bytes 49 bytes 10

/vault?secret=ca /vault?secret=cb You requested: /vault?secret=ca You requested: /vault?secret=cb _ rrots4life _ arrots4life 49 bytes 50 bytes 11

/vault?secret=ca /vault?secret=cb You requested: You requested: /vault?secret=ca /vault?secret=cb 49 bytes < 50 bytes 'ca' is a correct guess _ rrots4life _ arrots4life 49 bytes 50 bytes 12

Compression-based Attacks Compression and Information Leakage of Plaintext [FSE'02]! Chosen plaintext + compression = plaintext leakage! Phonotactic Reconstruction of Encrypted VoIP Conversations [S&P'11]! Packet length + bitrate encoding! CRIME [ekoparty'12]! Exploits SSL compression! BREACH [Black Hat USA'13]! Exploits HTTP compression 13

Agenda Technical background! Same-Origin Policy! Compression-based attacks! SSL/TLS & TCP! Nitty gritty HEIST details! Demo! Countermeasures 14

GET /vault TCP handshake SYN SYN, ACK ACK SSL handshake Client Hello Server Hello Pre-Master Secret 15

GET /vault encrypt( GET /vault HTTP/1.1 Cookie: user=mr.sniffles! Host: bunnehbank.com!... ) 1 TCP data packet 16

encrypt( ) = 19 TCP data packets 17

encrypt( ) = 19 TCP data packets TCP packet 1 TCP packet 2... TCP packet 10 initcwnd = 10 18

TCP Slow-start Not all TCP packets are sent at once! TCP packets are sent in congestion windows! Congestion windows determine the amount of TCP packets that can be sent! Starts with the initial congestion window, initcwnd, typically set to 10! When the packets of the first congestion window are ACK'd, the next congestion window is sent! Size of the next congestion window is doubled 19

encrypt( ) = 19 TCP data packets TCP packet 1 TCP packet 2... TCP packet 10 initcwnd = 10 ACK TCP packet 11... TCP packet 19 20

HEIST A set of techniques that allow attacker to determine the exact size of a network response!... purely in the browser! Leverages browser side-channels! Can be used to perform compression-based attacks, such as CRIME and BREACH, in the browser 21

Browser Side-channels fetch('https://bunnehbank.com/vault', {mode: "no-cors", credentials:"include"}) Send authenticated request to /vault resource! Returns a Promise, which resolves as soon as browser receives the first byte of the response performance.getentries()[-1].responseend Returns time when response was completely downloaded 22

HEIST Step 1: find out if response fits in a single TCP window 23

first byte TCP handshake received complete initial TCP GET /vault window received T1 T2 time initial TCP responseend fetch('...') window sent SSL handshake complete Promise resolves 24

TCP handshake complete first byte received initial TCP second TCP window received GET /vault window received T1 T2 time initial TCP ACK sent responseend fetch('...') window sent SSL handshake complete Promise resolves second TCP window sent 25

HEIST Step 1: find out if response fits in a single TCP window! Step 2: discover exact response size 26

Discover Exact Response Size initcwnd second TCP window Resource size:?? bytes Reflected content: x bytes 27

Discover Exact Response Size initcwnd second TCP window Resource size:?? bytes Reflected content: x/2 bytes 28

Discover Exact Response Size initcwnd second TCP window Resource size:?? bytes Reflected content: x/4 bytes 29

Discover Exact Response Size initcwnd second TCP window Resource size:?? bytes Reflected content: x/4+x/8 bytes 30

After log(n) checks, we find:! y bytes of reflected content = 1 TCP window!! y+1 bytes of reflected content = 2 TCP windows resource size = initcwnd - y bytes initcwnd second TCP window Resource size:?? bytes Reflected content: y bytes 31

HEIST Step 1: find out if response fits in a single TCP window! Step 2: discover exact response size! Step 3: do the same for large responses ( > initcwnd) 32

Determine size of large responses initcwnd is typically set to 10 TCP packets! ~14kB! TCP windows grow as packets are acknowledged! Second TCP window is 20 TCP packets, third is 40,...! We can arbitrarily increase window size! Send request to resource of known size! After response is in, send request to target resource, repeat step 2 33

= 19 TCP data packets GET /foo CWND = 10 10 TCP packets ACK CWND = 20 GET /vault 19 TCP packets ACK sent in single TCP window 34

HEIST Step 1: find out if response fits in a single TCP window! Step 2: discover exact response size! Step 3: do the same for large responses ( > initcwnd)! Step 4: if available, leverage HTTP/2 35

Leveraging HTTP/2 HTTP/2 is the new HTTP version! Preserves the semantics of HTTP! Main changes are on the network level! Only a single TCP connection is used for parallel requests! Headers are compressed using HPACK! Client and server build same lookup table! Header is now just a reference to an entry in the table! Mitigates CRIME 36

Leveraging HTTP/2 HTTP/2 allows us to determine exact response size without needing reflected content in the same response! Only a single TCP connection is used for parallel requests! Use (reflected) content in other responses on the same server! Note that BREACH still requires reflective content in the same resource! Response size can still be used to leak sensitive data (see examples later) 37

= 6 TCP packets /reflect = 2 TCP packets + reflected GET /reflect?x=[1 TCP packet] CWND = 10 GET /vault Promise 9 TCP packets resolves responseend ACK contains both /reflect and /vault 38

= 6 TCP packets /reflect = 2 TCP packets + reflected GET /reflect?x=[3 TCP packet] CWND = 10 GET /vault Promise 10 TCP packets resolves ACK 1 TCP packet CWND = 20 responseend ACK contains both /reflect and part of /vault 39

HEIST Step 1: find out if response fits in a single TCP window! Step 2: discover exact response size! Step 3: do the same for large responses ( > initcwnd)! Step 4: if available, leverage HTTP/2! Step 5: exploit & profit 40

Exploit & profit Use HEIST to exploit BREACH/CRIME! Extract CSRF tokens, private message content,...! Only 2 requirements: gzip/ssl compression + reflected content! Obtain sensitive content from web services! Response size is related to user (victim) state 42

DEMO 43

Other targets Compression-based attacks! gzip compression is used by virtually every website! Size-exposing attacks! Uncover victim's demographics from popular social networks! Reveal victim's health conditions from online health websites! Disclose victim's financial information! Hard to find sites that are not vulnerable 44

Countermeasures Browser layer! Prevent side-channel leak (infeasible)! Disable third-party cookies (complete)! HTTP layer! Block illicit requests (inadequate)! Disable compression (incomplete)! Network layer! Randomize TCP congestion window (inadequate)! Apply random padding (inadequate) 45

Conclusion Collection of techniques to discover network response size in the browser, for all authenticated cross-origin resources! Exploits the subtle interplay of browser and network layer! HTTP/2 makes exploitation easier! Allows for compression-based and size-exposing attacks! Many countermeasures, few that actually work 46

Questions? Mathy Vanhoef! @vanhoefm! mathy.vanhoef@cs.kuleuven.be Tom Van Goethem! @tomvangoethem! tom.vangoethem@cs.kuleuven.be

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information