HDiff: A Semi-automatic Framework for Discovering Semantic Gap Attack in HTTP Implementations

Abstract

The Internet has become a complex distributed network with numerous middleboxes, where an end-to-end HTTP request is often processed by multiple intermediate servers before it reaches its destination. A general problem in this distributed network is the semantic gap attack, defined as inconsistent semantic interpretations of the same message along the processing chain. While some studies have found individual semantic gap attacks, most of them rely on ad-hoc manual analysis, which is inadequate for fundamentally enhancing the security assurance of a system as complex as the HTTP network. In this work, we propose HDiff, a novel semi-automatic detection framework that systematically explores semantic gap attacks in HTTP implementations. We designed a documentation analyzer that employs natural language processing techniques to extract rules from specifications, and we used differential testing to discover semantic gap attacks. We implemented and evaluated HDiff to find three kinds of semantic gap attacks in 10 popular HTTP implementations. In total, HDiff found 14 vulnerabilities and 29 affected server pairs covering all three types of attacks. In particular, HDiff also discovered three new types of attack vectors. We have duly reported all identified vulnerabilities to the involved HTTP software vendors and obtained 7 new CVEs from well-known HTTP software, including Apache, Tomcat, Weblogic, and Microsoft IIS Server.

Publication
In the 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2022

The Internet has become a large, complex, heterogeneous distributed network in which countless web middleboxes are deployed, such as caching proxies, firewalls and CDNs. An end-to-end HTTP request has to pass through several middleboxes before it reaches the real destination server. In this setting, a typical security problem is the semantic gap. It is defined as multiple protocol instances along the path producing inconsistent semantic interpretations of the same protocol message as it is relayed, which leads to inconsistent processing behaviour and ultimately to serious security vulnerabilities, such as cache poisoning, request smuggling, security policy bypass and denial of service.

The paper proposes HDiff, a human-machine collaborative framework for analysing semantic gap problems based on protocol specifications. It uses natural language processing to automatically extract normative constraints from RFC documents, and uses differential testing to automatically discover semantic gaps between HTTP software implementations. HDiff found 14 semantic gap vulnerabilities in 10 mainstream HTTP software packages, including three newly discovered attack payloads. The work also obtained 7 new CVEs from well-known HTTP software vendors, covering Apache, Tomcat, Weblogic and Microsoft IIS Server. The study designed a transferable human-machine collaborative analysis framework for semantic gaps, which provides a useful reference for further automated and intelligent analysis of protocol semantic gap problems.
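As an added illustration of the differential-testing step described above (this is example code written for this page, not HDiff's code and not the behaviour of any named vendor's server): two constructed parser models read the same raw HTTP/1.1 request and each decides where the message body ends. The "strict" model follows the framing rules of RFC 7230 section 3.3.3 (Transfer-Encoding takes precedence, conflicting Content-Length values are rejected); the "lenient" model is a hypothetical deviant that prefers the first Content-Length and ignores Transfer-Encoding. A disagreement between two models on the same bytes is exactly the semantic gap that, on a proxy-to-origin chain, turns into request smuggling: the bytes one side considers part of the body become the start of the next request on the other side. The test cases are constructed for this example.

```python
"""Differential test of HTTP/1.1 message framing across two parser models.

Constructed example. The parsers below are simplified models, not the code of
any real server: 'strict' follows RFC 7230 s3.3.3, 'lenient' is a hypothetical
deviant that prefers Content-Length and ignores Transfer-Encoding.
"""
from typing import Callable, Dict, List, Optional, Tuple

CRLF = b"\r\n"


def split_message(raw: bytes) -> Tuple[List[Tuple[bytes, bytes]], int]:
    """Return (headers, body_start). Header names are lower-cased; request line is dropped."""
    head, sep, _ = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header section")
    headers = []
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, len(head) + 4


def chunked_body_end(raw: bytes, start: int) -> Optional[int]:
    """Walk a chunked body; return the offset just past the empty line that ends the trailers."""
    pos = start
    while True:
        eol = raw.find(CRLF, pos)
        if eol < 0:
            return None
        size_field = raw[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return None
        pos = eol + 2
        if size == 0:
            while True:  # trailer section, terminated by an empty line
                eol = raw.find(CRLF, pos)
                if eol < 0:
                    return None
                line, pos = raw[pos:eol], eol + 2
                if line == b"":
                    return pos
        pos += size
        if raw[pos:pos + 2] != CRLF:
            return None
        pos += 2


def strict_body_end(raw: bytes) -> Optional[int]:
    """RFC 7230 s3.3.3: Transfer-Encoding wins; differing/malformed Content-Length -> reject (None)."""
    headers, body_start = split_message(raw)
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            return None  # chunked not final: framing unreliable, 400 and close
        return chunked_body_end(raw, body_start)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return None  # conflicting or non-numeric lengths: 400
        return body_start + int(cl[0])
    return body_start  # no body


def lenient_body_end(raw: bytes) -> Optional[int]:
    """Hypothetical deviant model: first Content-Length wins, Transfer-Encoding is ignored."""
    headers, body_start = split_message(raw)
    for n, v in headers:
        if n == b"content-length" and v.isdigit():
            return body_start + int(v)
    if any(n == b"transfer-encoding" for n, _ in headers):
        return chunked_body_end(raw, body_start)
    return body_start


def differential_test(raw: bytes, implementations: Dict[str, Callable[[bytes], Optional[int]]]):
    """Run every parser on the same bytes; return per-parser verdicts and the disagreeing pairs."""
    verdicts = {name: fn(raw) for name, fn in implementations.items()}
    names = list(verdicts)
    gaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if verdicts[a] != verdicts[b]]
    return verdicts, gaps


def leftover(raw: bytes, body_end: Optional[int]) -> bytes:
    """Bytes a parser would treat as the start of the next request on the same connection."""
    return b"" if body_end is None else raw[body_end:]


# Constructed test cases: a CL.TE conflict and a duplicate Content-Length.
CASES = {
    "cl_te_conflict": (b"POST / HTTP/1.1\r\nHost: example\r\n"
                       b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
                       b"0\r\n\r\nG"),
    "duplicate_cl": (b"POST / HTTP/1.1\r\nHost: example\r\n"
                     b"Content-Length: 4\r\nContent-Length: 11\r\n\r\n"
                     b"abcdefghijk"),
}
IMPLEMENTATIONS = {"strict": strict_body_end, "lenient": lenient_body_end}

if __name__ == "__main__":
    for case, raw in CASES.items():
        verdicts, gaps = differential_test(raw, IMPLEMENTATIONS)
        print(case, verdicts, "gap pairs:", gaps)
        for impl, end in verdicts.items():
            print("   ", impl, "leftover:", leftover(raw, end))
```

In the CL.TE case the strict model ends the body after the terminating chunk and leaves `G` on the wire as the first byte of the next request, while the lenient model swallows it into the body; a chain that pairs the two models in the order lenient front-end, strict back-end is the classic smuggling setup. In the duplicate Content-Length case the strict model rejects the message outright while the lenient model accepts four bytes, so the gap shows up as a reject/accept mismatch rather than two different offsets. The same harness extends to any rule extracted from the specification: encode the rule as a test input, run it through every implementation, and report every pair whose verdicts differ.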

The paper received the Best Paper Runner-Up Award at the 52nd IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2022).
