HTTP! Encrypted! Information can be! Stolen through! TCP-windows

Size: px

Start display at page:

Download "HTTP! Encrypted! Information can be! Stolen through! TCP-windows"

David Hoover
6 years ago
Views:

1 HTTP! Encrypted! Information can be! Stolen through! TCP-windows by! Mathy Vanhoef & Tom Van Goethem

2 Agenda Technical background! Same-Origin Policy! Compression-based attacks! SSL/TLS & TCP! Nitty gritty HEIST details! Demo! Countermeasures 2

3 Same-Origin Policy GET /vault Mr. Sniffles 3

4 Same-Origin Policy GET /vault Mr. Sniffles 3

5 the World Wide Web Mr. Sniffles 4

6 the World Wide Web Mr. Sniffles 4

7 the World Wide Web GET /vault Mr. Sniffles HEIST 4

8 the World Wide Web GET /vault Mr. Sniffles HEIST 4

9 the World Wide Web GET /vault Mr. Sniffles HEIST 4

10 the World Wide Web GET /vault Mr. Sniffles HEIST 4

11 the World Wide Web GET /vault Mr. Sniffles HEIST 5

12 the World Wide Web GET /vault Mr. Sniffles HEIST 6

13 Agenda Technical background! Same-Origin Policy! Compression-based attacks! SSL/TLS & TCP! Nitty gritty HEIST details! Demo! Countermeasures 7

14 /vault Uncompressed Compressed You requested: /vault You requested: /vault vault_secret=carrots4life _secret=carrots4life 51 bytes 47 bytes 8

15 /vault?secret=a /vault?secret=c You requested: /vault?secret=a You requested: /vault?secret=c _ carrots4life _ arrots4life 50 bytes 49 bytes 9

16 /vault?secret=a /vault?secret=c You requested: You requested: /vault?secret=a /vault?secret=c 49 bytes < 50 bytes 'c' is a correct guess _ carrots4life _ arrots4life 50 bytes 49 bytes 10

17 /vault?secret=ca /vault?secret=cb You requested: /vault?secret=ca You requested: /vault?secret=cb _ rrots4life _ arrots4life 49 bytes 50 bytes 11

18 /vault?secret=ca /vault?secret=cb You requested: You requested: /vault?secret=ca /vault?secret=cb 49 bytes < 50 bytes 'ca' is a correct guess _ rrots4life _ arrots4life 49 bytes 50 bytes 12

19 Compression-based Attacks Compression and Information Leakage of Plaintext [FSE'02]! Chosen plaintext + compression = plaintext leakage! CRIME [ekoparty'12]! Exploits SSL compression! BREACH [Black Hat USA'13]! Exploits HTTP compression 13

20 Agenda Technical background! Same-Origin Policy! Compression-based attacks! SSL/TLS & TCP! Nitty gritty HEIST details! Demo! Countermeasures 14

21 GET /vault TCP handshake SYN SYN, ACK ACK SSL handshake Client Hello Server Hello Pre-Master Secret 15

22 GET /vault encrypt( GET /vault HTTP/1.1 Cookie: user=mr.sniffles! Host: bunnehbank.com!... ) 1 TCP data packet 16

23 encrypt( ) = 29 TCP data packets 17

24 encrypt( ) = 29 TCP data packets TCP packet 1 TCP packet 2 initcwnd = TCP packet 10 18

25 encrypt( ) = 29 TCP data packets TCP packet 1 TCP packet 2 initcwnd = TCP packet ACKs 18

26 encrypt( ) = 29 TCP data packets TCP packet 1 TCP packet 2 initcwnd = TCP packet ACKs cwnd = 20 18

27 encrypt( ) = 29 TCP data packets TCP packet 1 TCP packet 2 initcwnd = TCP packet ACKs cwnd = 20 TCP packet TCP packet 29 18

28 HEIST A set of techniques that allow attacker to determine the exact size of a network response!... purely in the browser! Can be used to perform compression-based attacks, such as CRIME and BREACH, in the browser 19

29 Browser Side-channels Send authenticated request to /vault resource! fetch(' {mode: "no-cors", credentials:"include"}) Returns a Promise, which resolves as soon as browser receives the first byte of the response performance.getentries()[-1].responseend Returns time when response was completely downloaded 20

30 HEIST Step 1: find out if response fits in a single TCP window 21

31 Fetching small resource: T2 - T1 is very small TCP handshake complete GET /vault first byte received initial TCP window received T1 T2 time initial TCP responseend fetch('...') window sent SSL handshake complete Promise resolves 22

32 Fetching large resource: T2 - T1 is round-trip time TCP handshake complete first byte received second TCP window received GET /vault initial TCP window received T1 T2 time initial TCP ACK sent responseend fetch('...') window sent SSL handshake complete Promise resolves second TCP window sent 23

33 HEIST Step 1: find out if response fits in a single TCP window! Step 2: discover exact response size 24

34 Discover Exact Response Size initcwnd second TCP window Resource size:?? bytes Reflected content: x bytes 25

35 Discover Exact Response Size initcwnd second TCP window Resource size:?? bytes Reflected content: x/2 bytes 26

36 Discover Exact Response Size initcwnd second TCP window Resource size:?? bytes Reflected content: x/2+x/4 bytes 27

37 After log(n) checks, we find:! y bytes of reflected content = 1 TCP window!! y+1 bytes of reflected content = 2 TCP windows resource size = initcwnd - y bytes initcwnd second TCP window Resource size:?? bytes Reflected content: y bytes 28

38 HEIST Step 1: find out if response fits in a single TCP window! Step 2: discover exact response size! Step 3: do the same for large responses ( > initcwnd) 29

39 Determine size of large responses Large response = bigger than initial TCP window initcwnd is typically set to 10 TCP packets! ~14kB! TCP windows grow as packets are acknowledged! We can arbitrarily increase window size 30

40 = 19 TCP data packets GET /foo CWND = TCP packets 10 ACKs CWND = 20 GET /vault 19 TCP packets 19 ACKs sent in single TCP window 31

41 HEIST Step 1: find out if response fits in a single TCP window! Step 2: discover exact response size! Step 3: do the same for large responses ( > initcwnd)! Step 4: if available, leverage HTTP/2 32

42 Leveraging HTTP/2 HTTP/2 is the new HTTP version! Preserves the semantics of HTTP! Main changes are on the network level! Only a single TCP connection is used for parallel requests 33

43 Leveraging HTTP/2 Determine exact response size without reflected content in the same response! Use (reflected) content in other responses on the same server! Note that BREACH still requires (a few bytes of) reflective content in the same resource 34

44 = 6 TCP packets /reflect?x=... = 3 TCP packets GET /reflect?x=... CWND = 10 GET /vault Promise 9 TCP packets resolves responseend 9 ACKs contains both /reflect and /vault 35

45 = 6 TCP packets /reflect?x=... = 5 TCP packets GET /reflect?x=... CWND = 10 GET /vault Promise 10 TCP packets resolves 10 ACKs 1 TCP packet CWND = 20 responseend 1 ACK contains both /reflect and part of /vault 36

47 DEMO 38

48 Other targets Compression-based attacks! gzip compression is used by virtually every website! Size-exposing attacks! Uncover victim's demographics from popular social networks! Reveal victim's health conditions from online health websites!...! Hard to find sites that are not vulnerable 39

49 Countermeasures Browser layer! Prevent side-channel leak (infeasible)! Disable third-party cookies (complete)! HTTP layer! Block illicit requests (inadequate)! Disable compression (incomplete)! Network layer! Randomize TCP congestion window (inadequate)! Apply random padding (inadequate) 40

50 Conclusion Collection of techniques to discover network response size in the browser, for all authenticated cross-origin resources! Side-channel originates from subtle interplay between multiple layers! Allows for compression-based and size-exposing attacks! HTTP/2 makes exploitation easier! Many countermeasures, few that actually work 41

51 Questions? Mathy Tom Van

A Perfect CRIME? TIME Will Tell. Tal Be ery, Imperva

A Perfect CRIME? TIME Will Tell Tal Be ery, Imperva Presenter: Tal Be ery, CISSP Web Security Research Team Leader at Imperva Holds MSc & BSc degree in CS/EE from TAU 10+ years of experience in IS domain