Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Zhong Yu <zhong.j.yu@gmail.com> Wed, 01 December 2010 19:43 UTC

In-Reply-To: <AANLkTimwEtKrJm5KxTYZ4wrtONBYDTGjE5LF7__AHBEU@mail.gmail.com>
References: <AANLkTik0wR-Oag5YJJDmdiSy67WW6TMaHmqWEo4o5kGW@mail.gmail.com> <AANLkTimwEtKrJm5KxTYZ4wrtONBYDTGjE5LF7__AHBEU@mail.gmail.com>
Date: Wed, 01 Dec 2010 13:45:01 -0600
Message-ID: <AANLkTik+pmVoyK0fkz6mG0+KDqdvyVxaYtM9w7KDo4Xa@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Adam Barth <ietf@adambarth.com>
Cc: Hybi <hybi@ietf.org>

On Wed, Dec 1, 2010 at 11:00 AM, Adam Barth <ietf@adambarth.com> wrote:
> On Tue, Nov 30, 2010 at 7:33 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

>> In the singular successful case, the transparent proxy ignored these
>> non-http bytes and constructed a http request anyway, at least, it
>> extracted the "Host" header. For this attack to be really useful, it's
>> not enough that the bytes are tunneled to target.com. The proxy must
>> strip non-http bytes and send a compliant http request to target.com.
>> Or, the proxy forwards all bytes to target.com, and target server
>> strips non-http bytes and reconstructs the intended http request. Did
>> one of these two things actually happen in the experiment?
>
> We didn't test the framing in this experiment, just the handshakes.

The attack occurs after handshake, doesn't it? The attack data must be
framed, otherwise how do you explain that in the POST case, the attack
succeeds 1376 times, while in the Upgrade case, it only succeeds 1
time. What's the difference if it's not due to framing?

>  The target server was a stock Apache server.  That means the proxy
> forwarded the request in such a form that stock Apache was willing to
> respond to it.

Apache will respond with 400 Bad Request to garbage inputs. That shouldn't
be counted as a successful attack. It is unclear from your paper how
it is counted.

>> I'm voting for CONNECT method with real Host header.
>
> IMHO, we should adopt the CONNECT handshake first and discuss the
> details of what Host header to send second.

How about CONNECT+Upgrade? Everybody is happy.

>
>> = Inconsistent data regarding cache poisoning attack =
>>
>> Although the Upgrade handshake reduced firewall circumvention attack
>> to 1/1000, it does not have the same luck with cache poisoning attack,
>> according to the paper. 50% of attacks still got through. That is *very*
>> surprising. Caching proxies must demarcate requests precisely, how do
>> they have such a high tolerance of corrupt stream? How come 99.9%
>> host-based-routing proxies are busted by the stream, yet 50% of
>> ip-based caching proxies are not busted? I must respectfully
>> disbelieve the result for now.
>
> I'm not sure where you got the 50% number from.  You're reading the
> table incorrectly.  Each of the different handshakes (POST, Upgrade,
> and CONNECT) are different experimental conditions (technically
> within-subjects conditions).  To understand the data in Table II, you
> should read the data vertically, not horizontally.

We can still cross examine the data and find something mysterious.

From POST to Upgrade column, the firewall circumvention attack
successes decrease from 1376 to 1. If I'm mistaken, please correct me
with the right explanation, but I believe the POST experiment sent
clean/compliant HTTP requests, and the Upgrade experiment sent the
attack data framed - the non-http bytes busted 99.9% parsers used by
the transparent proxies.

Yet, the cache poisoning attack success count only drops from 15 to 8.
This attack also depends on proxies' ability to parse http requests.
If the non-http bytes in the Upgrade protocol would bust 99.9%
parsers, we should see the attack success count drop to 15/1000 = 0.

So I must question the validity of the 8 success attacks. (note I also
questioned the 1 success attack in the firewall circumvention case)
More details are needed to analyze the experiments and the results.

This is important because these 9 cases are the only evidence
presented so far that plaintext payload in simple framing could be
misinterpreted as compliant HTTP requests although it is not. The
evidence is used to argue for stream obfuscation. As the only
evidence, it should be examined carefully.

>
> One way to think about the effectiveness of the cache poisoning attack
> is in exploits per dollar.  We show that (without any targeting) an
> attacker can achieve 8 exploits for $100, which is concerning.
>
> Adam
>
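The point the two messages above circle around is whether an intermediary repairs a byte stream into an HTTP request (extracting a Host header regardless of what precedes it) or refuses anything that is not well-formed from the first octet, and whether bytes arriving after a completed Upgrade are parsed at all. The following Python is an added illustration written for this archive page; it is not code from the thread, from the paper, or from any proxy or server that was tested. The sample streams are constructed, the 0x00/0xFF text framing is assumed from the WebSocket draft of the time, and `target.example` is a placeholder host.

```python
import re

# Constructed sample streams for illustration; not data from the experiment.
# The framed sample assumes the 0x00 ... 0xFF text framing of the then-current
# WebSocket draft (an assumption for this example).
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"\r\n"
)
FRAMED_PAYLOAD = b"\x00" + CLEAN_REQUEST + b"\xff"

# RFC 7230 tchar set, used for methods and header field names.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_REQUEST_LINE = re.compile(
    rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) ([^ \t\r\n]+) HTTP/1\.[01]$"
)


def lenient_extract_host(stream):
    """What a sloppy parser does: hunt for a Host header anywhere in the
    bytes, ignoring whatever precedes it. This is the behaviour that lets a
    framed payload be reinterpreted as a request for that host."""
    m = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", stream)
    return m.group(1).strip().decode("ascii", "replace") if m else None


def strict_parse_request(stream):
    """Parse a request only if the bytes are a well-formed HTTP/1.x head from
    the very first octet. Returns (method, target, headers) and raises
    ValueError on anything else, so garbage is never 'repaired' into a
    request on the way to the origin."""
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("request line is not HTTP/1.x: %r" % lines[0][:16])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            raise ValueError("malformed header line: %r" % line[:32])
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    if "host" not in headers:
        raise ValueError("Host header required")
    return m.group(1).decode("ascii"), m.group(2).decode("ascii"), headers


def proxy_decision(stream, upgraded):
    """Model of an intermediary's choice for bytes arriving on a connection.
    Once a 101 Switching Protocols has been relayed, the connection is opaque
    and nothing on it is parsed as HTTP; before that, only a strictly
    well-formed request is forwarded and anything else gets a 400."""
    if upgraded:
        return "tunnel-opaque"
    try:
        method, target, headers = strict_parse_request(stream)
    except ValueError:
        return "reject-400"
    return "forward:%s %s host=%s" % (method, target, headers["host"])


if __name__ == "__main__":
    print("lenient host from framed bytes:", lenient_extract_host(FRAMED_PAYLOAD))
    print("strict, clean request:", proxy_decision(CLEAN_REQUEST, upgraded=False))
    print("strict, framed bytes:", proxy_decision(FRAMED_PAYLOAD, upgraded=False))
    print("after upgrade:", proxy_decision(FRAMED_PAYLOAD, upgraded=True))
```

Run stand-alone, the lenient scan happily reports `target.example` for the framed bytes, while the strict path maps the same bytes to a 400 before an upgrade and to an opaque tunnel after one, which is the distinction between a 400 counted as a failed attempt and a request actually reconstructed for the origin.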