compression bombs strike back
play

Compression Bombs Strike Back Giancarlo Pellegrino - PowerPoint PPT Presentation

May 06, 2023 •291 likes •861 views

Compression Bombs Strike Back Giancarlo Pellegrino gpellegrino@mmci.uni-saarland.de BeNeLux OWASP Day 2016 November 25 th , Leuven, Belgium About Me Post doctoral researcher of the System Security group at CISPA, Saarland University,

  1. Compression Bombs Strike Back Giancarlo Pellegrino gpellegrino@mmci.uni-saarland.de BeNeLux OWASP Day 2016 November 25 th , Leuven, Belgium

  2. About Me  Post doctoral researcher of the System Security group at CISPA, Saarland University, Germany  Research focus: ● Web application security / security protocols ● Vulnerability detection (logic vulns, Server-Side Requests Abuses, CSRF)  Former member of S3 group at EURECOM, Sophia-Antipolis, France  Former research associate in the Security & Trust research group at SAP SE November 28, 2016 2

  3. Introduction HTTP, json, XML, SOAP IMAP, POP3, SMTP XMPP  Modern applications rely on (core) network services, e.g., W eb, email, and IM services November 28, 2016 3

  4. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ● November 28, 2016 4

  5. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ● Avg web page size as Doom ~2.3MB [1] ● [1] HTTP Archive: http://www.httparchive.org/interesting.php?a=All&l=Apr%201%202016 November 28, 2016 5

  6. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! November 28, 2016 6

  7. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! ➔ Bandwidth costs November 28, 2016 7

  8. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! ➔ Bandwidth costs  Another solution is ... November 28, 2016 8

  9. Introduction Data compression! Data compression!  Modern applications rely on (core) network services, e.g., w eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! ➔ Bandwidth costs  Another solution is ... November 28, 2016 9

  10. Data Compression 100KB 15KB  Reduces # of bits of a string by removing redundancy ● lossless if decompr(compr( d )) = d or lossy if decompr(compr( d )) ~= d  Lots of algorithms (See [1])  Among the most popular: Deflate [RFC 1951] ● Implemented in libraries, e.g., zlib, or as a tool, e.g., gzip, and zip archive tool ● Available in most of the programming languages [1] SALOMON, D. Data Compression: The Complete Reference. Springer-Verlang, 2007. November 28, 2016 10

  11. Compression in Protocols IMAP Compression [RFC 4978] HTTP Compression [RFC 7230] XMPP Compression [XEP-0138]  Compression used by network protocols to reduce message size  Mandated by protocol specifications ● e.g., HTTP (response!) compression, IMAP, XMPP, SSH, PPP, and others  Or implemented as custom feature ● e.g., HTTP request compression November 28, 2016 11

  12. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org [...] November 28, 2016 12

  13. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org [...] Retrieve default HTML page HTTP Response HTTP/1.1 200 OK ~80Kb of page [...] Content-Length: 82170 Content-Type: text/html; charset=UTF-8 <!DOCTYPE html><html [...] November 28, 2016 13

  14. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org Accept-Encoding: gzip, deflate [...] November 28, 2016 14

  15. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org Accept-Encoding: gzip, deflate [...] Select algorithm HTTP Response HTTP/1.1 200 OK Response size -70% [...] Content-Length: 18879 Content-Type: text/html; charset=UTF-8 Content-Encoding: gzip � %O �� � ��� � Ԟ 5 * # Compressed response body [...] Decompress November 28, 2016 15

  16. The Problem of Data Compression  If not properly implemented, it can make application vulnerable to DoS  Risks: 1)Intensive task ● Computationally intensive ● If abused, it can stall an application 2)Data Amplification ● Decompression increases the data to be processed ( compression rate of zlib ~1:1024 ) ● Internal components may not be designed to handle high volume of data 3)Unbalanced Client-Server Scenario ● One party pre-compute compressed messages ● The other one decompresses messages each time  Popular examples from the past... November 28, 2016 16

  17. The Past: Zip Bombs (1996) 42.zip  42 KB zip file → 4.5 PB uncompressed data lib0.zip lib1.zip lib15.zip ... book0.zip book1.zip book15.zip ...  5 layers of nested zip files in blocks of 16, last layer with text files of 4.3 GB each chapter0.zip chapter1.zip ... chapter15.zip doc0.zip doc1.zip doc15.zip ...  Cause Disk/Memory exhaustion page0.zip page1.zip page15.zip ...  Sent as attachment to crash anti-virus 0.dll 1.dll ... 15.dll 0.dll 1.dll 15.dll ... software AAAAAAAAAA ... A 4.3GB 4.5 PB November 28, 2016 17

  18. The Past: Billion Laughs (2003)  Resource exhaustion in libxml2 when processing nested XML entity definitions <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>  810 bytes of XML document expanded to 3GB November 28, 2016 18

  19. The Past: Zip Bombs and Billion Laughs 42.zip lib0.zip lib1.zip ... lib16.zip <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> This was 1996-2003! book0.zip book2.zip book16.zip ... This was 1996-2003! <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> chapter0.zip chapter2.zip ... chapter16.zip Now we know better, right? Now we know better, right? <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> doc0.zip doc1.zip doc16.zip ... <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> page0.zip page1.zip ... page16.zip 0.dll 1.dll ... 16.dll 0.dll 1.dll 16.dll ... AAAAAAAAAA ... A 4.3GB November 28, 2016 19

  20. The Present  Reviewed protocol specs, design patterns, and coding rules Unawareness of the risks, guidelines on handling data compression are missing or misleading November 28, 2016 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Co-Pay Accumulator Adjustors Strike Back: What You Need to Know for Your Care Presented by:

Co-Pay Accumulator Adjustors Strike Back: What You Need to Know for Your Care Presented by:

HCCs 2019 Webinar series is sponsored Hemophilia Council of California by: Health Access, Advocacy , and Policy Webinar Co-Pay Accumulator Adjustors Strike Back: What You Need to Know for Your Care Presented by: Kollet Koulianos

417 views • 23 slides
KALMAN FILTERS STRIKE BACK KALMAN FILTERS STRIKE BACK MATTHIEU BLOCH April 16, 2020 1 / 14

KALMAN FILTERS STRIKE BACK KALMAN FILTERS STRIKE BACK MATTHIEU BLOCH April 16, 2020 1 / 14

KALMAN FILTERS STRIKE BACK KALMAN FILTERS STRIKE BACK MATTHIEU BLOCH April 16, 2020 1 / 14 RECAP: GAUSS-MARKOV MODEL RECAP: GAUSS-MARKOV MODEL Definition. (Gauss-Markov model) A Gauss-Markov model is a Gaussian driven linear model where

338 views • 14 slides
Antibiotic Resistant Bacteria The Bugs Strike Back David Gregory Gamble MDCM, MSc(Phm), MBA,

Antibiotic Resistant Bacteria The Bugs Strike Back David Gregory Gamble MDCM, MSc(Phm), MBA,

Antibiotic Resistant Bacteria The Bugs Strike Back David Gregory Gamble MDCM, MSc(Phm), MBA, FRCP(C) Conflict of Interest Declaration Presenter: David Gregory Gamble MDCM Antibiotic Resistant Bacteria The Bugs Strike Back I have no

906 views • 44 slides
Compression with Flows via Local Bits-Back Coding Jonathan Ho, Evan Lohn, Pieter Abbeel

Compression with Flows via Local Bits-Back Coding Jonathan Ho, Evan Lohn, Pieter Abbeel

Compression with Flows via Local Bits-Back Coding Jonathan Ho, Evan Lohn, Pieter Abbeel Background Lossless compression with likelihood-based generative model p( x ) encode decode 01000101100100110 11101010000101011 Information

300 views • 10 slides
When Routines Strike Back Developing ICT supported mathematics instructional practices Miguel

When Routines Strike Back Developing ICT supported mathematics instructional practices Miguel

When Routines Strike Back Developing ICT supported mathematics instructional practices Miguel Perez Linnaeus University miguel.perez@lnu.se Carl Linnaeus 1707-1778 Systema Naturae miguel.perez@lnu.se Some of my notes during these days in

638 views • 32 slides
Distribution A: Approved for Public Release 20 April 2016 1 &gt; GP BOMBS / Theater Mission

Distribution A: Approved for Public Release 20 April 2016 1 &gt; GP BOMBS / Theater Mission

Distribution A: Approved for Public Release 20 April 2016 1 &gt; GP BOMBS / Theater Mission MQ-25 Harpoon Missile System Planning Center PRACTI CE TTVS (TMPC) - Harpoon I I + BOMBS SDB I I DATA LI NK POD JMPS-E WASP SLAM ER MALD-N

688 views • 30 slides
Our Story About Us IMW Industries roots (now Clean Energy Compression Corp.), go back over

Our Story About Us IMW Industries roots (now Clean Energy Compression Corp.), go back over

Fueling Innovation for 100 years Our Story About Us IMW Industries roots (now Clean Energy Compression Corp.), go back over 100 years to a Blacksmiths shop in Chilliwack, BC Canada where Ironsides Machining &amp; Welding was established

921 views • 61 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression Background Focus on spatial compression Best in class lossy compressor Point wise max error bound: 10 -5 Open questions Random noise

564 views • 19 slides
Strike-off Companies Income-tax Deemed Gifts Share Issue &amp; Transfer Strike Off Companies

Strike-off Companies Income-tax Deemed Gifts Share Issue &amp; Transfer Strike Off Companies

Company Law Shell Companies Directors Disqualification CODS 2018 Strike-off Companies Income-tax Deemed Gifts Share Issue &amp; Transfer Strike Off Companies

961 views • 83 slides
Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system contains a lossless compression system Lossy compression system Dequantizer Transform Lossless Lossless Inverse Quantizer Encoder Decoder

771 views • 29 slides
LAX to IND redeye (Boeing 727) photo bombs M33 A Survey of Luminous Stars in M31 and M33

LAX to IND redeye (Boeing 727) photo bombs M33 A Survey of Luminous Stars in M31 and M33

LAX to IND redeye (Boeing 727) photo bombs M33 A Survey of Luminous Stars in M31 and M33 John C. Martin &amp; Logan Kimball University of Illinois Springfield Check Out Bill Reas Paper Cookbook for Mira Spectroscopy with a filter wheel

551 views • 34 slides
Compression Strategies &amp; Alternate Summarization Systems and Applications Ling 573 May 23,

Compression Strategies &amp; Alternate Summarization Systems and Applications Ling 573 May 23,

Compression Strategies &amp; Alternate Summarization Systems and Applications Ling 573 May 23, 3017 Roadmap Content Realization: Compression Deep, Heuristic Approaches Compression Integration Compression Learning

317 views • 31 slides
The question for Healthcare Delivery is no longer What If, but When Disaster will strike. Gary M.

The question for Healthcare Delivery is no longer What If, but When Disaster will strike. Gary M.

13 FEB 2020 The question for Healthcare Delivery is no longer What If, but When Disaster will strike. Gary M. Schindele, FF/EMT, FHFI Recent years have proven that disaster can strike anywhere at any time. The Center for Medicare/Medicaid

43 views • 3 slides
Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar, File Systems: NTFS Analysis of Algorithms Piyush Kumar (Lecture e 5: Compression) on) Welcome to 4531 Source: Guy E. Blelloch, Emad, Tseng

297 views • 12 slides
Percona Xtrabackup Best Practices Marcelo Altmann Senior Support Engineer - Percona Agenda

Percona Xtrabackup Best Practices Marcelo Altmann Senior Support Engineer - Percona Agenda

Percona Xtrabackup Best Practices Marcelo Altmann Senior Support Engineer - Percona Agenda Agenda Intro The basics Compression Encryption Incremental Backup Performance Streaming Examples 3 Who is

806 views • 36 slides
Reducing Code Size with Run-time Decompression Charles Lefurgy, Eva Piccininni, and Trevor Mudge

Reducing Code Size with Run-time Decompression Charles Lefurgy, Eva Piccininni, and Trevor Mudge

Reducing Code Size with Run-time Decompression Charles Lefurgy, Eva Piccininni, and Trevor Mudge Advanced Computer Architecture Laboratory Electrical Engineering and Computer Science Dept. The University of Michigan, Ann Arbor

387 views • 15 slides
Parents Seminar Springdale Primary School 1 Overview 1. Primary Science Education 2. Science

Parents Seminar Springdale Primary School 1 Overview 1. Primary Science Education 2. Science

Parents Seminar Springdale Primary School 1 Overview 1. Primary Science Education 2. Science Curriculum &amp; Syllabus 3. Components of Science Curriculum 4. Process skills in Science &amp; SMART SDPS 1. Comparing in P3 2. Writing aim

939 views • 46 slides
5: Religious Prose 26 November 2015 Figure: West Saxon Gospels, BL Royal 1 A XIV f. 83 (detail;

5: Religious Prose 26 November 2015 Figure: West Saxon Gospels, BL Royal 1 A XIV f. 83 (detail;

5: Religious Prose 26 November 2015 Figure: West Saxon Gospels, BL Royal 1 A XIV f. 83 (detail; PD British Library) Key Questions transmitted? translations? Deira? What sorts of religious prose writings survive? What place did the

1.09k views • 60 slides
DIANA Contributions Update Brian Bockelman Including work from Jim Pivarski, Oksana Shadura, and

DIANA Contributions Update Brian Bockelman Including work from Jim Pivarski, Oksana Shadura, and

DIANA Contributions Update Brian Bockelman Including work from Jim Pivarski, Oksana Shadura, and Zhe Zhang DIANA Contributions (Since July) Since the F2F meeting, DIANA contributions have focused on the following areas: Parallelism :

342 views • 16 slides
ROHC Implementation Experience mark.a.west@roke.co.uk Mark West 1 s s Roke Manor Overview

ROHC Implementation Experience mark.a.west@roke.co.uk Mark West 1 s s Roke Manor Overview

Research Manor Roke ROHC Implementation Experience mark.a.west@roke.co.uk Mark West 1 s s Roke Manor Overview Research ! First steps towards a full ROHC implementation ! Initial feel for memory and processor load ! Updating original

409 views • 10 slides
Data Processing on Modern Hardware Jens Teubner, TU Dortmund, DBIS Group

Data Processing on Modern Hardware Jens Teubner, TU Dortmund, DBIS Group

Data Processing on Modern Hardware Jens Teubner, TU Dortmund, DBIS Group jens.teubner@cs.tu-dortmund.de Summer 2015 Jens Teubner Data Processing on Modern Hardware Summer 2015 c 1 Part V Vectorization Jens Teubner Data

619 views • 35 slides
Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet &amp; Jofgrey Czarny Rennes, June 13-15 , 2018 Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 1 HP

658 views • 43 slides

More recommend