IETF Logo Mail Archive

Re: [hybi] Masking only Payload/Extension Data

Ian Fette (イアンフェッティ) <ifette@google.com> Thu, 10 March 2011 12:00 UTC

Return-Path: <ifette@google.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DDB73A6A4E for <hybi@core3.amsl.com>; Thu, 10 Mar 2011 04:00:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.697
X-Spam-Level:
X-Spam-Status: No, score=-105.697 tagged_above=-999 required=5 tests=[AWL=-0.021, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sra8SXiUJRSo for <hybi@core3.amsl.com>; Thu, 10 Mar 2011 04:00:54 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 14BB03A6A1E for <hybi@ietf.org>; Thu, 10 Mar 2011 04:00:53 -0800 (PST)
Received: from wpaz21.hot.corp.google.com (wpaz21.hot.corp.google.com [172.24.198.85]) by smtp-out.google.com with ESMTP id p2AC2BOS032126 for <hybi@ietf.org>; Thu, 10 Mar 2011 04:02:11 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1299758531; bh=CXV8ipKF+s2xqkO13FZPcrZ3/DY=; h=MIME-Version:Reply-To:In-Reply-To:References:Date:Message-ID: Subject:From:To:Cc:Content-Type; b=kwVnX97RCcKXBKXzgB2tUmR0JF0Za/WpkmkuFd4tyALmDZm4S7q4L+bHms5ekdcem pb4YFwf12QMwvoUYEtRpA==
Received: from iwn3 (iwn3.prod.google.com [10.241.68.67]) by wpaz21.hot.corp.google.com with ESMTP id p2AC29Xg005096 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <hybi@ietf.org>; Thu, 10 Mar 2011 04:02:10 -0800
Received: by iwn3 with SMTP id 3so2970586iwn.1 for <hybi@ietf.org>; Thu, 10 Mar 2011 04:02:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:reply-to:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=UVAg/K2cezQeuTrKDuyZmmRwgkGeDWXroLikO5Rt3pM=; b=ynJwFvM5a8T9o0OVvzQ3Efz+wyswa7XBSUJSfSRJJbom1B3i5Uc3N/dI1J5/EM9bX+ Rxqd4AS/akfbKFtLlQdQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; b=kwU5HIr6uRNRONNJLAPrC5suQoeONzxBo2fK3Ukrzy1TT2xz5qW+iLDSLbiWoYLjoV jbDdSFua0buFLkRZnCDA==
MIME-Version: 1.0
Received: by 10.231.165.141 with SMTP id i13mr5787093iby.135.1299758529547; Thu, 10 Mar 2011 04:02:09 -0800 (PST)
Received: by 10.231.34.131 with HTTP; Thu, 10 Mar 2011 04:02:09 -0800 (PST)
In-Reply-To: <AANLkTi=AszpuEaZg0GjzRvPBomvdDogGFqK9F1PqX2Ct@mail.gmail.com>
References: <4D77B885.5050109@callenish.com> <OF36FEDDC6.06951577-ON8825784E.0062343E-8825784E.0066AC27@playstation.sony.com> <AANLkTinau4g1pB_ccJ31u7WRi5npYtHvXE5YRn5uTbeV@mail.gmail.com> <AANLkTikB4YeaYiF_NVGn61c1YxpNWbmEWQZu1WcN+=Jf@mail.gmail.com> <1299704939.2606.238.camel@ds9.ducksong.com> <20110309214212.GA29190@1wt.eu> <AANLkTi=i=8aWg=6+T7=Kn5dWeKkW6MYVCH_CuNkt_ZMM@mail.gmail.com> <AANLkTimip9o0RoZaBfONCmg5nuJVWXjOKDKgAt8zrNVV@mail.gmail.com> <AANLkTikbFBeM6+hiURSBqxFyjc2Wc-yh8UJnZiO+U0JX@mail.gmail.com> <20110310103914.GA32389@1wt.eu> <AANLkTik-TNXCMygBu3WqBHyhJWaG-XUTjCdXud9zHOgX@mail.gmail.com> <AANLkTima5VM+CUq1eN4tWYAkpHENt5wKDwtvyWO6ZQbs@mail.gmail.com> <AANLkTi=AszpuEaZg0GjzRvPBomvdDogGFqK9F1PqX2Ct@mail.gmail.com>
Date: Thu, 10 Mar 2011 04:02:09 -0800
Message-ID: <AANLkTimjuvkskvr+_iZyftAzigWN+4=gOXNxDtxHp=rY@mail.gmail.com>
From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: multipart/alternative; boundary="0003255736e6728f49049e1f9d26"
X-System-Of-Record: true
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Masking only Payload/Extension Data
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ifette@google.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 12:00:56 -0000

That said, looking at the wiki again, I am not really sure I understand the
benefits that intermediaries would get from this. Either way it looks like
they need to be able to pick out frame boundaries, and to do that reliably I
think they have to read frame header 1, see how long that frame is, and
basically skip that many bytes to get to frame 2. I don't understand how
they could do it without parsing the frame header for frame 1. The masking
doesn't make it that difficult to get to the frame header, you have to xor
on the order of 10 bytes. A lot of the complexity savings seem predicated on
the thought that we may choose a different, stream-based masking algorithm,
which I thought we already decided against because of some of those exact
issues?

Again, I'm not against it, but I don't really see enough benefit to say I'm
for it either.

-Ian

2011/3/10 Ian Fette (イアンフェッティ) <ifette@google.com>

> The attacker is relatively free to select the length of the message, but
> that may or may not translate into the length of a given frame. For
> instance, a browser may decide to fragment a large message. Looking at the
> base framing, the attacker can also choose between a text and binary frame.
> In practice, I would be surprised if the attacker had control over more than
> seventeen bits coming from a browser. We (the browser at its discretion)
> could also choose to e.g. fragment a message if it saw a length equal to
> "GET\n" or "POST" or any number of such keywords, though I admit that it is
> no sure fire defense against potential attacks.
>
> At the end of the day, I think you are right in saying that it does open up
> additional attack surface and potential. The question is how plausible do we
> believe such an attack to be, what is the potential damage, and what do we
> gain in exchange? The handshake in theory means that we're looking at
> attacks against ill-formed proxies as the primary attack target/vector. We
> can argue about whether these are likely to grow in number or shrink in
> number, but at the end of the day it is a relatively small number of
> endpoints that are already exploitable via other means as you demonstrated.
> I am willing to live with masking, but at some point I do think we need to
> look at it as a cost benefit analysis, and not be willing to afford infinite
> cost to the "proxies may get exploited" line of reasoning. I don't mean to
> dismiss the issue by any means, but merely to say that there is a limit to
> how much we should accomodate these things.
>
> -Ian (hopefully that's a sufficiently cryptic response to maintain my
> previously stated neutral stance)
>
> On Thu, Mar 10, 2011 at 3:30 AM, Adam Barth <ietf@adambarth.com> wrote:
>
>> Thanks for having an open mind Joel.  Let's start with some basic
>> assumptions:
>>
>> 1) Attacks only get better over time.  Over the (hopefully) many years
>> folks will be using this protocol, the attacks we know about today
>> will continue to exist, and security researchers will continue to
>> learn more techniques and improve their attacks.  That means we should
>> design protocols with a margin of safety rather than pushing up
>> against the razor edge of what we can reliably exploit today.
>> Admitted, this aspect of security is somewhat of an art, and at some
>> point we'll need to defer to the judgement of security experts as to
>> how much of a margin we need for safety.
>>
>> 2) If an attacker can choose a moderately long sequence of bytes of
>> the wire, we lose.  More specifically, we can construct attacks today
>> that abuse certain configurations of proxies using a moderate length
>> of chosen bytes.  Because of (1), we should expect the length of these
>> sequences and the amount of damage attacker can cause with them to
>> increase over time.  The story would be different if we had some solid
>> reasoning about lower bounds on length or upper bounds on damage, but
>> we don't.
>>
>> For simplicity, let's consider the base framing protocol:
>>
>>
>> http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-06#section-4.3
>>
>> Let's assume we're only going to mask the extension data and the
>> application data.  That leds approximately 10 bytes at the beginning
>> of the frame that's unmasked.  Are these bytes under the control of
>> the attacker?  In large part, they are.  For example, the attacker is
>> relatively free to select the payload length.  The attacker is also
>> likely to have a large amount of control over the opcode (recall that
>> the attacker can drive the protocol state machine into relatively
>> arbitrary states).  As for the various reserved bits, we don't know
>> very much about how these bits will be used, but if they're likely to
>> be at least partially under the influence of the attacker.
>>
>> Worse, consider the case where the attacker sends a sequence of very
>> short (e.g., zero or one byte) messages.  Now the attacker can control
>> (or can strongly influence) an appreciable fraction of the bytes on
>> the wire.  Additionally, the attacker gets feedback (i.e., by seeing
>> the bytes that arrive at the server) and can dynamically adjust
>> subsequent messages based on this feedback.
>>
>> So, does the above add up to an attack I can demonstrate today?  No.
>> Is there reasonable evidence that attackers will be able to stich
>> together the above weaknesses to construct an attack in the future?
>> Yes.  Given what we know today, my view is that not masking the entire
>> frame is an unacceptable level of risk.
>>
>> Adam
>>
>>
>> On Thu, Mar 10, 2011 at 3:05 AM, Joel Martin <hybi@martintribe.org>
>> wrote:
>> > I've been following this discussion pretty closely and I'm willing to
>> change
>> > my mind if Adam (or somebody else) can clearly lay out a threat model
>> that
>> > isn't easily addressed by minor tweaking. I really am interested in what
>> > real threat may exist and not just being stubborn. Please enlighten me.
>> > As somebody else has proposed, the allowable range of values in the
>> length
>> > field can always be reduced in the future by fragmenting to avoid
>> _specific_
>> > known vulnerable intermediaries (in the implementations without even
>> > changing the protocol). I.e. if "GET\n" is a problem, then client
>> > implementations can just never send that value.
>> > I suspect most would agree that masking of everything is better than
>> > stalling the protocol any longer, but if Adam is the only objector and
>> the
>> > browser folks are okay with masking only payload then perhaps we should
>> move
>> > forward with it.
>> > Joel Martin (kanaka)
>> > On Thu, Mar 10, 2011 at 1:39 PM, Willy Tarreau <w@1wt.eu> wrote:
>> >>
>> >> On Thu, Mar 10, 2011 at 02:25:28AM -0800, Brian wrote:
>> >> > By my count, we have six voices in favor so far, including myself:
>> >> > Andy Green
>> >> > Ytaka Takeda
>> >> > Greg Wilkins
>> >> > Willy Tarreau
>> >> > Joel Martin
>> >> > Brian McKelvey
>> >> >
>> >> > One on record as not having a strong opinion one way or the other:
>> >> > Ian Fette
>> >> >
>> >> > And one opposed:
>> >> > Adam Barth
>> >> >
>> >> >
>> >> > Adam's curt and patronizing reply is once again unenlightening as to
>> >> > any viable reason why we need to mask the frame header as well as the
>> >> > payload, beyond just his gut feeling on the matter.  I'd like to
>> >> > re-assert that since the only field under a potential hacker's
>> control
>> >> > is the length (and potentially rsv bits via undefined extensions in
>> >> > the future) that the practical possibility of the frame header being
>> >> > used for an attack that actually accomplishes anything is so remote
>> >> > it's utterly laughable.
>> >>
>> >> I'd like to add that it's important to remember that this controllable
>> >> length is not even at the beginning of the frame, and that there are
>> >> uncontrollable bytes before.
>> >>
>> >> Regards,
>> >> Willy
>> >>
>> >> _______________________________________________
>> >> hybi mailing list
>> >> hybi@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/hybi
>> >
>> >
>> > _______________________________________________
>> > hybi mailing list
>> > hybi@ietf.org
>> > https://www.ietf.org/mailman/listinfo/hybi
>> >
>> >
>> _______________________________________________
>> hybi mailing list
>> hybi@ietf.org
>> https://www.ietf.org/mailman/listinfo/hybi
>>
>
>

v2.23.0 | Report a Bug | By Email