compression bombs strike back
play

Compression Bombs Strike Back Giancarlo Pellegrino - PowerPoint PPT Presentation

May 06, 2023 •291 likes •861 views

Compression Bombs Strike Back Giancarlo Pellegrino gpellegrino@mmci.uni-saarland.de BeNeLux OWASP Day 2016 November 25 th , Leuven, Belgium About Me Post doctoral researcher of the System Security group at CISPA, Saarland University,

  1. Compression Bombs Strike Back Giancarlo Pellegrino gpellegrino@mmci.uni-saarland.de BeNeLux OWASP Day 2016 November 25 th , Leuven, Belgium

  2. About Me  Post doctoral researcher of the System Security group at CISPA, Saarland University, Germany  Research focus: ● Web application security / security protocols ● Vulnerability detection (logic vulns, Server-Side Requests Abuses, CSRF)  Former member of S3 group at EURECOM, Sophia-Antipolis, France  Former research associate in the Security & Trust research group at SAP SE November 28, 2016 2

  3. Introduction HTTP, json, XML, SOAP IMAP, POP3, SMTP XMPP  Modern applications rely on (core) network services, e.g., W eb, email, and IM services November 28, 2016 3

  4. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ● November 28, 2016 4

  5. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ● Avg web page size as Doom ~2.3MB [1] ● [1] HTTP Archive: http://www.httparchive.org/interesting.php?a=All&l=Apr%201%202016 November 28, 2016 5

  6. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! November 28, 2016 6

  7. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! ➔ Bandwidth costs November 28, 2016 7

  8. Introduction  Modern applications rely on (core) network services, e.g., W eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! ➔ Bandwidth costs  Another solution is ... November 28, 2016 8

  9. Introduction Data compression! Data compression!  Modern applications rely on (core) network services, e.g., w eb, email, and IM services  Amount of exchanged data continues to increase steadily More data → more transfer time → unresponsiveness → user unhappiness ●  Solution 1: buy more bandwidth! ➔ Bandwidth costs  Another solution is ... November 28, 2016 9

  10. Data Compression 100KB 15KB  Reduces # of bits of a string by removing redundancy ● lossless if decompr(compr( d )) = d or lossy if decompr(compr( d )) ~= d  Lots of algorithms (See [1])  Among the most popular: Deflate [RFC 1951] ● Implemented in libraries, e.g., zlib, or as a tool, e.g., gzip, and zip archive tool ● Available in most of the programming languages [1] SALOMON, D. Data Compression: The Complete Reference. Springer-Verlang, 2007. November 28, 2016 10

  11. Compression in Protocols IMAP Compression [RFC 4978] HTTP Compression [RFC 7230] XMPP Compression [XEP-0138]  Compression used by network protocols to reduce message size  Mandated by protocol specifications ● e.g., HTTP (response!) compression, IMAP, XMPP, SSH, PPP, and others  Or implemented as custom feature ● e.g., HTTP request compression November 28, 2016 11

  12. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org [...] November 28, 2016 12

  13. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org [...] Retrieve default HTML page HTTP Response HTTP/1.1 200 OK ~80Kb of page [...] Content-Length: 82170 Content-Type: text/html; charset=UTF-8 <!DOCTYPE html><html [...] November 28, 2016 13

  14. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org Accept-Encoding: gzip, deflate [...] November 28, 2016 14

  15. Compression in HTTP (RFC 7230) HTTP Request GET / HTTP/1.1 Host: wikipedia.org Accept-Encoding: gzip, deflate [...] Select algorithm HTTP Response HTTP/1.1 200 OK Response size -70% [...] Content-Length: 18879 Content-Type: text/html; charset=UTF-8 Content-Encoding: gzip � %O �� � ��� � Ԟ 5 * # Compressed response body [...] Decompress November 28, 2016 15

  16. The Problem of Data Compression  If not properly implemented, it can make application vulnerable to DoS  Risks: 1)Intensive task ● Computationally intensive ● If abused, it can stall an application 2)Data Amplification ● Decompression increases the data to be processed ( compression rate of zlib ~1:1024 ) ● Internal components may not be designed to handle high volume of data 3)Unbalanced Client-Server Scenario ● One party pre-compute compressed messages ● The other one decompresses messages each time  Popular examples from the past... November 28, 2016 16

  17. The Past: Zip Bombs (1996) 42.zip  42 KB zip file → 4.5 PB uncompressed data lib0.zip lib1.zip lib15.zip ... book0.zip book1.zip book15.zip ...  5 layers of nested zip files in blocks of 16, last layer with text files of 4.3 GB each chapter0.zip chapter1.zip ... chapter15.zip doc0.zip doc1.zip doc15.zip ...  Cause Disk/Memory exhaustion page0.zip page1.zip page15.zip ...  Sent as attachment to crash anti-virus 0.dll 1.dll ... 15.dll 0.dll 1.dll 15.dll ... software AAAAAAAAAA ... A 4.3GB 4.5 PB November 28, 2016 17

  18. The Past: Billion Laughs (2003)  Resource exhaustion in libxml2 when processing nested XML entity definitions <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>  810 bytes of XML document expanded to 3GB November 28, 2016 18

  19. The Past: Zip Bombs and Billion Laughs 42.zip lib0.zip lib1.zip ... lib16.zip <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> This was 1996-2003! book0.zip book2.zip book16.zip ... This was 1996-2003! <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> chapter0.zip chapter2.zip ... chapter16.zip Now we know better, right? Now we know better, right? <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> doc0.zip doc1.zip doc16.zip ... <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> page0.zip page1.zip ... page16.zip 0.dll 1.dll ... 16.dll 0.dll 1.dll 16.dll ... AAAAAAAAAA ... A 4.3GB November 28, 2016 19

  20. The Present  Reviewed protocol specs, design patterns, and coding rules Unawareness of the risks, guidelines on handling data compression are missing or misleading November 28, 2016 20

Recommend

Co-Pay Accumulator Adjustors Strike Back: What You Need to Know for Your Care Presented by:

Co-Pay Accumulator Adjustors Strike Back: What You Need to Know for Your Care Presented by:

HCCs 2019 Webinar series is sponsored Hemophilia Council of California by: Health Access, Advocacy , and Policy Webinar Co-Pay Accumulator Adjustors Strike Back: What You Need to Know for Your Care Presented by: Kollet Koulianos

417 views • 23 slides
KALMAN FILTERS STRIKE BACK KALMAN FILTERS STRIKE BACK MATTHIEU BLOCH April 16, 2020 1 / 14

KALMAN FILTERS STRIKE BACK KALMAN FILTERS STRIKE BACK MATTHIEU BLOCH April 16, 2020 1 / 14

KALMAN FILTERS STRIKE BACK KALMAN FILTERS STRIKE BACK MATTHIEU BLOCH April 16, 2020 1 / 14 RECAP: GAUSS-MARKOV MODEL RECAP: GAUSS-MARKOV MODEL Definition. (Gauss-Markov model) A Gauss-Markov model is a Gaussian driven linear model where

338 views • 14 slides
Antibiotic Resistant Bacteria The Bugs Strike Back David Gregory Gamble MDCM, MSc(Phm), MBA,

Antibiotic Resistant Bacteria The Bugs Strike Back David Gregory Gamble MDCM, MSc(Phm), MBA,

Antibiotic Resistant Bacteria The Bugs Strike Back David Gregory Gamble MDCM, MSc(Phm), MBA, FRCP(C) Conflict of Interest Declaration Presenter: David Gregory Gamble MDCM Antibiotic Resistant Bacteria The Bugs Strike Back I have no

906 views • 44 slides
Compression with Flows via Local Bits-Back Coding Jonathan Ho, Evan Lohn, Pieter Abbeel

Compression with Flows via Local Bits-Back Coding Jonathan Ho, Evan Lohn, Pieter Abbeel

Compression with Flows via Local Bits-Back Coding Jonathan Ho, Evan Lohn, Pieter Abbeel Background Lossless compression with likelihood-based generative model p( x ) encode decode 01000101100100110 11101010000101011 Information

300 views • 10 slides
When Routines Strike Back Developing ICT supported mathematics instructional practices Miguel

When Routines Strike Back Developing ICT supported mathematics instructional practices Miguel

When Routines Strike Back Developing ICT supported mathematics instructional practices Miguel Perez Linnaeus University miguel.perez@lnu.se Carl Linnaeus 1707-1778 Systema Naturae miguel.perez@lnu.se Some of my notes during these days in

638 views • 32 slides
Distribution A: Approved for Public Release 20 April 2016 1 &gt; GP BOMBS / Theater Mission

Distribution A: Approved for Public Release 20 April 2016 1 &gt; GP BOMBS / Theater Mission

Distribution A: Approved for Public Release 20 April 2016 1 &gt; GP BOMBS / Theater Mission MQ-25 Harpoon Missile System Planning Center PRACTI CE TTVS (TMPC) - Harpoon I I + BOMBS SDB I I DATA LI NK POD JMPS-E WASP SLAM ER MALD-N

688 views • 30 slides
Our Story About Us IMW Industries roots (now Clean Energy Compression Corp.), go back over

Our Story About Us IMW Industries roots (now Clean Energy Compression Corp.), go back over

Fueling Innovation for 100 years Our Story About Us IMW Industries roots (now Clean Energy Compression Corp.), go back over 100 years to a Blacksmiths shop in Chilliwack, BC Canada where Ironsides Machining &amp; Welding was established

921 views • 61 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression Background Focus on spatial compression Best in class lossy compressor Point wise max error bound: 10 -5 Open questions Random noise

564 views • 19 slides
Strike-off Companies Income-tax Deemed Gifts Share Issue &amp; Transfer Strike Off Companies

Strike-off Companies Income-tax Deemed Gifts Share Issue &amp; Transfer Strike Off Companies

Company Law Shell Companies Directors Disqualification CODS 2018 Strike-off Companies Income-tax Deemed Gifts Share Issue &amp; Transfer Strike Off Companies

961 views • 83 slides
Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system contains a lossless compression system Lossy compression system Dequantizer Transform Lossless Lossless Inverse Quantizer Encoder Decoder

771 views • 29 slides
LAX to IND redeye (Boeing 727) photo bombs M33 A Survey of Luminous Stars in M31 and M33

LAX to IND redeye (Boeing 727) photo bombs M33 A Survey of Luminous Stars in M31 and M33

LAX to IND redeye (Boeing 727) photo bombs M33 A Survey of Luminous Stars in M31 and M33 John C. Martin &amp; Logan Kimball University of Illinois Springfield Check Out Bill Reas Paper Cookbook for Mira Spectroscopy with a filter wheel

551 views • 34 slides
Compression Strategies &amp; Alternate Summarization Systems and Applications Ling 573 May 23,

Compression Strategies &amp; Alternate Summarization Systems and Applications Ling 573 May 23,

Compression Strategies &amp; Alternate Summarization Systems and Applications Ling 573 May 23, 3017 Roadmap Content Realization: Compression Deep, Heuristic Approaches Compression Integration Compression Learning

317 views • 31 slides
The question for Healthcare Delivery is no longer What If, but When Disaster will strike. Gary M.

The question for Healthcare Delivery is no longer What If, but When Disaster will strike. Gary M.

13 FEB 2020 The question for Healthcare Delivery is no longer What If, but When Disaster will strike. Gary M. Schindele, FF/EMT, FHFI Recent years have proven that disaster can strike anywhere at any time. The Center for Medicare/Medicaid

43 views • 3 slides
Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar, File Systems: NTFS Analysis of Algorithms Piyush Kumar (Lecture e 5: Compression) on) Welcome to 4531 Source: Guy E. Blelloch, Emad, Tseng

297 views • 12 slides
14.9.2 JPEG2000 compression DCT compression basis for JPEG wavelet compression

14.9.2 JPEG2000 compression DCT compression basis for JPEG wavelet compression

14.9 JPEG and MPEG image compression 31 14.9.2 JPEG2000 compression DCT compression basis for JPEG wavelet compression basis for JPEG2000 JPEG2000 new international standard for still image compression

492 views • 12 slides
Tradeoffs in XML Database Compression James Cheney University of Edinburgh Data Compression

Tradeoffs in XML Database Compression James Cheney University of Edinburgh Data Compression

Tradeoffs in XML Database Compression James Cheney University of Edinburgh Data Compression Conference March 30, 2006 Tradeoffs in XML Database Compression p.1/22 XML Compression XML: a format for tree-structured data Increasingly used

382 views • 22 slides
JPEG Compression Ian Snyder December 11, 2009 Ian Snyder JPEG Compression Outline

JPEG Compression Ian Snyder December 11, 2009 Ian Snyder JPEG Compression Outline

Outline Introduction Images and Compression Walkthrough of JPEG Compression Steps Complete Compression Process Results and Conclusion JPEG Compression Ian Snyder December 11, 2009 Ian Snyder JPEG Compression Outline Introduction Images

594 views • 45 slides
Video Compression Lecture # 5 6 Shahab Baqai LUMS Outline Image compression

Video Compression Lecture # 5 6 Shahab Baqai LUMS Outline Image compression

CS 584 / CMPE 584 Multimedia Communication Video Compression Lecture # 5 6 Shahab Baqai LUMS Outline Image compression Transform, uniform quantization, Huffman coding Video compression Exploit temporal dimension of video

571 views • 25 slides
Strike, deterrence, and the RAAF Wing Commander Jo Brick 1 Williams Foundation Air Power Seminar,

Strike, deterrence, and the RAAF Wing Commander Jo Brick 1 Williams Foundation Air Power Seminar,

Strike, deterrence, and the RAAF Wing Commander Jo Brick 1 Williams Foundation Air Power Seminar, 23 August 2018 National Convention Centre, Canberra Strike: The ability to attack with the intention of damaging, neutralising or destroying a

233 views • 9 slides
THE BUILDERS ASSOCIATION TRAINING: HOW TO HANDLE UNION JOBSITE/STRIKE TACTICS Jeffrey M.

THE BUILDERS ASSOCIATION TRAINING: HOW TO HANDLE UNION JOBSITE/STRIKE TACTICS Jeffrey M.

THE BUILDERS ASSOCIATION TRAINING: HOW TO HANDLE UNION JOBSITE/STRIKE TACTICS Jeffrey M. Place. Littler Mendelson, PC Kansas City jplace@littler.com TODAYS AGENDA Potential Tactics Legal Limitations Dual Gates Strike

778 views • 26 slides
STRIKE AUTHORIZATION VOTE SEIU 503 OUS NEGOTIATIONS September 2013 WHAT ARE WE VOTING ABOUT?

STRIKE AUTHORIZATION VOTE SEIU 503 OUS NEGOTIATIONS September 2013 WHAT ARE WE VOTING ABOUT?

STRIKE AUTHORIZATION VOTE SEIU 503 OUS NEGOTIATIONS September 2013 WHAT ARE WE VOTING ABOUT? Whether or not to authorize our SEIU Bargaining Team to call for a strike WHY IS THIS VOTE NEEDED? Because OUS has failed to offer us

235 views • 23 slides
A Model to Address Salary Compression for Faculty (an anti-compression model) Presented to

A Model to Address Salary Compression for Faculty (an anti-compression model) Presented to

3/13/12 A Model to Address Salary Compression for Faculty (an anti-compression model) Presented to President Joe Shepard and the Faculty Salary and Benefits Committee 13 March 2012 The Problem: Salary Compression Characteristics include:

223 views • 11 slides

More recommend