SLIDE 1

HEIST
HTTP Encrypted Information can be Stolen through TCP-windows

by Mathy Vanhoef & Tom Van Goethem

SLIDE 2

H E I S T

Agenda

  • Technical background
  • Same-Origin Policy
  • Compression-based attacks
  • SSL/TLS & TCP
  • Nitty gritty HEIST details
  • Demo
  • Countermeasures

SLIDE 3

Same-Origin Policy

  • Mr. Sniffles

https://bunnehbank.com

GET /vault

SLIDE 5

the World Wide Web

  • Mr. Sniffles

https://bunnehbank.com

SLIDE 7

the World Wide Web

  • Mr. Sniffles

https://bunnehbank.com

GET /vault

SLIDE 14

Request: GET /vault

Response body:
  You requested: /vault
  vault_secret=carrots4life

Uncompressed: 51 bytes   Compressed: 47 bytes (the second "vault" is replaced by a back-reference to the first)

SLIDE 15-16

Request: GET /vault?secret=a
Response body:
  You requested: /vault?secret=a
  vault_secret=carrots4life
→ compressed: 50 bytes

Request: GET /vault?secret=c
Response body:
  You requested: /vault?secret=c
  vault_secret=carrots4life
→ compressed: 49 bytes (the compressor reuses "secret=c" from the reflected part)

49 bytes < 50 bytes → 'c' is a correct guess

SLIDE 17-18

Request: GET /vault?secret=ca
Response body:
  You requested: /vault?secret=ca
  vault_secret=carrots4life
→ compressed: 49 bytes (the compressor reuses "secret=ca" from the reflected part)

Request: GET /vault?secret=cb
Response body:
  You requested: /vault?secret=cb
  vault_secret=carrots4life
→ compressed: 50 bytes

49 bytes < 50 bytes → 'ca' is a correct guess
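Added example (not the speakers' code): a Python model of the compression oracle in slides 14-18. The response body, the secret `carrots4life` and the candidate alphabet are constructed here, and zlib's DEFLATE stands in for the server's gzip. It shows why the correct next byte gives a smaller compressed body (the secret becomes a longer back-reference into the reflected part, saving one literal), which is the condition a defender has to look for: a secret and attacker-reflected content compressed in the same body. The `compressed=False` path shows what disabling compression changes, and why the countermeasures slide still calls it incomplete: the sizes no longer depend on the guess, but the response size itself remains observable.

```python
import string
import zlib

# Constructed stand-in for the bunnehbank.com /vault response of slides 14-18:
# the request path is echoed into the body (attacker-controlled reflected
# content) and the secret lives in the same body, so both share one DEFLATE
# context. The secret value is the one used on the slides.
SECRET = "carrots4life"


def vault_response(reflected: str, secret: str = SECRET) -> bytes:
    """Body of the modelled /vault response for a given reflected query value."""
    return f"You requested: /vault?secret={reflected}\nvault_secret={secret}".encode()


def response_size(reflected: str, compressed: bool = True) -> int:
    """Size an on-path observer sees: zlib/DEFLATE output when the server
    compresses, the raw body length when compression is disabled."""
    body = vault_response(reflected)
    return len(zlib.compress(body)) if compressed else len(body)


def rank_next_byte(known_prefix: str,
                   alphabet: str = string.ascii_lowercase + string.digits,
                   compressed: bool = True):
    """Slides 15-18: try every candidate as the byte following the known prefix.

    Returns (sizes per candidate, candidates whose response is smallest). With
    the right candidate, 'secret=<prefix><c>' in the secret line is matched by a
    back-reference one byte longer into the reflected line, so one literal is
    saved and the compressed body shrinks.
    """
    sizes = {c: response_size(known_prefix + c, compressed) for c in alphabet}
    smallest = min(sizes.values())
    best = sorted(c for c, s in sizes.items() if s == smallest)
    return sizes, best


def recover_prefix(n_bytes: int, compressed: bool = True) -> str:
    """Extend the known prefix byte by byte as the slides do ('c', then 'ca'),
    stopping as soon as the oracle is ambiguous (several candidates tie)."""
    prefix = ""
    for _ in range(n_bytes):
        _, best = rank_next_byte(prefix, compressed=compressed)
        if len(best) != 1:
            break
        prefix += best[0]
    return prefix


if __name__ == "__main__":
    sizes, best = rank_next_byte("")
    print("compressed size for guess 'a':", sizes["a"], "for guess 'c':", sizes["c"])
    print("smallest response for candidate(s):", best)
    print("prefix recovered from the compressed sizes:", recover_prefix(2))
    _, best_raw = rank_next_byte("", compressed=False)
    print("with compression disabled, candidates tying for smallest:", len(best_raw))
```

The absolute byte counts differ from the slides because the constructed body is not the speakers' exact HTML, but the relation is the same: the correct candidate is strictly smaller, and with compression off every candidate ties.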

SLIDE 19

Compression-based Attacks

  • Compression and Information Leakage of Plaintext [FSE'02]
    • Chosen plaintext + compression = plaintext leakage
  • CRIME [ekoparty'12]
    • Exploits SSL compression
  • BREACH [Black Hat USA'13]
    • Exploits HTTP compression

SLIDE 21

GET /vault

TCP handshake:
  client → SYN
  server → SYN, ACK
  client → ACK
SSL handshake:
  client → Client Hello
  server → Server Hello
  client → Pre-Master Secret
  ...

SLIDE 22

GET /vault

encrypt(
  GET /vault HTTP/1.1
  Cookie: user=mr.sniffles
  Host: bunnehbank.com
  ....
) = 1 TCP data packet

SLIDE 23-27

encrypt( ... ) = 29 TCP data packets

initcwnd = 10
  TCP packet 1, TCP packet 2, ... TCP packet 10   (first window)
  10 ACKs → cwnd = 20
  TCP packet 11, ... TCP packet 29                (second window)

SLIDE 28

HEIST

  • A set of techniques that allow an attacker to determine the exact size of a network response
  • ... purely in the browser
  • Can be used to perform compression-based attacks, such as CRIME and BREACH, in the browser

SLIDE 29

Browser Side-channels

  • Send authenticated request to /vault resource:
      fetch('https://bunnehbank.com/vault', {mode: "no-cors", credentials: "include"})
    Returns a Promise, which resolves as soon as the browser receives the first byte of the response
  • Returns the time when the response was completely downloaded:
      var entries = performance.getEntries();
      entries[entries.length - 1].responseEnd

SLIDE 30

HEIST

  • Step 1: find out if response fits in a single TCP window

SLIDE 31

fetch('...')

time →
  TCP handshake complete
  SSL handshake complete
  GET /vault
  initial TCP window sent
  first byte received → Promise resolves        (T1)
  initial TCP window received → responseEnd     (T2)

Fetching small resource: T2 - T1 is very small

SLIDE 32

fetch('...')

time →
  TCP handshake complete
  SSL handshake complete
  GET /vault
  initial TCP window sent
  first byte received → Promise resolves        (T1)
  initial TCP window received
  ACK sent
  second TCP window sent
  second TCP window received → responseEnd      (T2)

Fetching large resource: T2 - T1 is round-trip time

SLIDE 33

HEIST

  • Step 1: find out if response fits in a single TCP window
  • Step 2: discover exact response size

SLIDE 34-37

Discover Exact Response Size

The response consists of the resource (?? bytes) plus the reflected content; together they either fit in initcwnd or spill into a second TCP window.

Reflected content tried: x bytes → x/2 bytes → x/2 + x/4 bytes → ... → y bytes

After log(n) checks, we find:
  y bytes of reflected content   = 1 TCP window
  y+1 bytes of reflected content = 2 TCP windows
  → resource size = initcwnd - y bytes
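Added example (not the authors' code): a Python model of steps 1 to 3 of HEIST as laid out on slides 30 to 40. The network is replaced by a local `ModelServer` with an assumed MSS of 1460 bytes and an initcwnd of 10 segments (about 14 kB, as slide 39 states); TLS record and HTTP header overhead are ignored. The timing observation of slides 31-32 is reduced to a boolean `fits_in_one_window`, the binary search of slides 34-37 runs over the reflected size to find y and derive the resource size, and `warm_up` models the window growth of slide 40 by doubling cwnd. The request counter shows how few probes the search needs, which matters when judging request-blocking as a countermeasure.

```python
# Model of the HEIST TCP-window oracle (slides 30-40). The network is a local
# object; MSS and initcwnd are assumptions, TLS/HTTP overhead is ignored.

MSS = 1460        # assumed TCP maximum segment size in bytes
INITCWND = 10     # initial congestion window in segments (~14 kB, slide 39)


class ModelServer:
    """Constructed stand-in for bunnehbank.com.

    A response is `resource_size` bytes of fixed content plus the attacker-
    chosen reflected content carried in the request. It is delivered in one
    TCP window when it fits in cwnd segments; otherwise a second window is
    needed after the ACKs come back, which the browser sees as an extra RTT
    between the first byte and responseEnd (slides 31-32).
    """

    def __init__(self, resource_size: int, cwnd: int = INITCWND, mss: int = MSS):
        self.resource_size = resource_size
        self.cwnd = cwnd
        self.mss = mss
        self.requests = 0   # every probe is one cross-origin request

    def window_bytes(self) -> int:
        return self.cwnd * self.mss

    def fits_in_one_window(self, reflected_bytes: int) -> bool:
        """The timing observation as a boolean: True when T2 - T1 is tiny,
        False when it is one round-trip time."""
        self.requests += 1
        return self.resource_size + reflected_bytes <= self.window_bytes()

    def warm_up(self) -> None:
        """Step 3 (slides 39-40): a request whose full window of packets is
        ACKed doubles cwnd (10 packets → 10 ACKs → cwnd = 20)."""
        self.requests += 1
        self.cwnd *= 2


def find_max_reflected(fits, window_bytes: int) -> int:
    """Binary search of slides 34-37 for y, the largest reflected size that
    still fits in a single window: fits(y) is True and fits(y + 1) is False."""
    lo, hi = 0, window_bytes + 1   # fits(lo) holds after step 1; fits(hi) cannot hold
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if fits(mid):
            lo = mid
        else:
            hi = mid
    return lo


def recover_size(server: ModelServer, max_doublings: int = 3):
    """Steps 1-3: check that the bare response fits (step 1), grow the window
    when it does not (step 3), then derive resource size = window - y (slide 37).
    Returns None when the response still does not fit after max_doublings."""
    for _ in range(max_doublings + 1):
        if server.fits_in_one_window(0):
            y = find_max_reflected(server.fits_in_one_window, server.window_bytes())
            return server.window_bytes() - y
        server.warm_up()
    return None


if __name__ == "__main__":
    small = ModelServer(resource_size=9001)
    print("small resource:", recover_size(small), "bytes after", small.requests, "requests")
    large = ModelServer(resource_size=20000)
    print("large resource:", recover_size(large), "bytes with cwnd", large.cwnd,
          "after", large.requests, "requests")
```

With a 14600-byte window the search needs about 14 probes (log2 of the window size) plus one for step 1, regardless of the resource size; a response larger than the window first costs one warm-up request per doubling.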

SLIDE 38

HEIST

  • Step 1: find out if response fits in a single TCP window
  • Step 2: discover exact response size
  • Step 3: do the same for large responses ( > initcwnd)

SLIDE 39

Determine size of large responses

  • Large response = bigger than initial TCP window
    • initcwnd is typically set to 10 TCP packets
      • ~14kB
  • TCP windows grow as packets are acknowledged
    • We can arbitrarily increase window size

SLIDE 40

CWND = 10
  GET /foo → 10 TCP packets → 10 ACKs
CWND = 20
  GET /vault (= 19 TCP data packets) → 19 TCP packets sent in a single TCP window → 19 ACKs

SLIDE 41

HEIST

  • Step 1: find out if response fits in a single TCP window
  • Step 2: discover exact response size
  • Step 3: do the same for large responses ( > initcwnd)
  • Step 4: if available, leverage HTTP/2

SLIDE 42

Leveraging HTTP/2

  • HTTP/2 is the new HTTP version
    • Preserves the semantics of HTTP
    • Main changes are on the network level
      • Only a single TCP connection is used for parallel requests

SLIDE 43

Leveraging HTTP/2

  • Determine exact response size without reflected content in the same response
    • Use (reflected) content in other responses on the same server
    • Note that BREACH still requires (a few bytes of) reflective content in the same resource

SLIDE 44

CWND = 10
  GET /reflect?x=... and GET /vault (HTTP/2, one connection)
  /vault = 6 TCP packets, /reflect?x=... = 3 TCP packets
  → 9 TCP packets in one window (contains both /reflect and /vault) → 9 ACKs
  Promise resolves, responseEnd

SLIDE 45

CWND = 10
  GET /reflect?x=... and GET /vault
  /vault = 6 TCP packets, /reflect?x=... = 5 TCP packets
  → 10 TCP packets in the first window (contains /reflect and part of /vault) → 10 ACKs → CWND = 20
  → 1 TCP packet (rest of /vault) in the second window → 1 ACK
  Promise resolves, responseEnd

SLIDE 47

DEMO

SLIDE 48

Other targets

  • Compression-based attacks
    • gzip compression is used by virtually every website
  • Size-exposing attacks
    • Uncover victim's demographics from popular social networks
    • Reveal victim's health conditions from online health websites
    • ....
  • Hard to find sites that are not vulnerable

SLIDE 49

Countermeasures

  • Browser layer
    • Prevent side-channel leak (infeasible)
    • Disable third-party cookies (complete)
  • HTTP layer
    • Block illicit requests (inadequate)
    • Disable compression (incomplete)
  • Network layer
    • Randomize TCP congestion window (inadequate)
    • Apply random padding (inadequate)

SLIDE 50

Conclusion

  • Collection of techniques to discover network response size in the browser, for all authenticated cross-origin resources
  • Side-channel originates from subtle interplay between multiple layers
  • Allows for compression-based and size-exposing attacks
  • HTTP/2 makes exploitation easier
  • Many countermeasures, few that actually work

SLIDE 51

Questions?

Mathy Vanhoef, @vanhoefm, mathy.vanhoef@cs.kuleuven.be
Tom Van Goethem, @tomvangoethem, tom.vangoethem@cs.kuleuven.be