In the Compression Hornet's Nest::A Security Study of Data Compression in Network Services

Pellegrino, Giancarlo and Balzarotti, Davide and Winter, Stefan and Suri, Neeraj (2015) In the Compression Hornet's Nest::A Security Study of Data Compression in Network Services. In: 24th USENIX Security Symposium, 2012-08-102012-08-12.

Full text not available from this repository.

Abstract

In this paper, we investigate the current use of data compression in network services that are at the core of modern web-based applications. While compression reduces network traffic, if not properly implemented it may make an application vulnerable to DoS attacks. Despite the popularity of similar attacks in the past, such as zip bombs or XML bombs, current protocol specifications and design patterns indicate that developers are still mostly unaware of the proper way to handle compressed streams in protocols and web applications. In this paper, we show that denial of services due to improper handling of data compression is a persistent and widespread threat. In our experiments, we review three popular communication protocols and test 19 implementations against highly-compressed protocol messages. Based on the results of our analysis, we list 12 common pitfalls that we observed at the implementation, specification, and configuration levels. Additionally, we discuss a number of previously unknown resource exhaustion vulnerabilities that can be exploited to mount DoS attacks against popular network service implementations.

Item Type:
Contribution to Conference (Paper)
Journal or Publication Title:
24th USENIX Security Symposium
ID Code:
137948
Deposited By:
Deposited On:
15 Oct 2019 13:40
Refereed?:
Yes
Published?:
Published
Last Modified:
31 Jul 2020 05:52