TY - GEN
T1 - Security Risks in Asynchronous Web Servers
T2 - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
AU - Morton, Micah
AU - Werner, Jan
AU - Kintis, Panagiotis
AU - Snow, Kevin
AU - Antonakakis, Manos
AU - Polychronakis, Michalis
AU - Monrose, Fabian
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/6
Y1 - 2018/7/6
N2 - Over the past decade, many innovations have been achieved with respect to improving the responsiveness of highly-trafficked servers. These innovations are fueled by a desire to support complex and data-rich web applications while consuming minimal resources. One of the chief advancements has been the emergence of the asynchronous web server architecture, which is built from the ground up for scalability. While this architecture can offer a significant boost in performance over classic forking servers, it does so at the cost of abandoning memory space isolation between client interactions. This shift in design, which delegates the handling of many unrelated requests to the same process, enables powerful and covert data-oriented attacks that rival complete web server takeover - without ever hijacking the control flow of the server application. To demonstrate the severity of this threat, we present a technique for identifying security-critical web server data by tracing memory accesses committed by the program in generating responses to client requests. We further develop a framework for performing live memory analysis of a running server in order to understand how low-level memory structures can be corrupted for malicious intent. A fundamental goal of our work is to assess the realism of such data-oriented attacks in terms of the types of memory errors that can be leveraged to perform them, and to understand the prominence of these errors in real-world web servers. Our case study on a leading asynchronous architecture, namely Nginx, shows how data-oriented attacks allow an adversary to re-configure an Nginx instance on the fly in order to degrade or disable services (e.g., error reporting, security headers like HSTS, access control), steal sensitive information, as well as distribute arbitrary web content to unsuspecting clients - all by manipulating only a few bytes in memory. Our empirical findings on the susceptibility of modern asynchronous web servers to two well-known CVEs show that the damage could be severe. To address this threat, we also discuss several potential mitigations. Taken as a whole, our work tells a cautionary tale regarding the risks of blindly pushing forward with performance optimizations.
AB - Over the past decade, many innovations have been achieved with respect to improving the responsiveness of highly-trafficked servers. These innovations are fueled by a desire to support complex and data-rich web applications while consuming minimal resources. One of the chief advancements has been the emergence of the asynchronous web server architecture, which is built from the ground up for scalability. While this architecture can offer a significant boost in performance over classic forking servers, it does so at the cost of abandoning memory space isolation between client interactions. This shift in design, which delegates the handling of many unrelated requests to the same process, enables powerful and covert data-oriented attacks that rival complete web server takeover - without ever hijacking the control flow of the server application. To demonstrate the severity of this threat, we present a technique for identifying security-critical web server data by tracing memory accesses committed by the program in generating responses to client requests. We further develop a framework for performing live memory analysis of a running server in order to understand how low-level memory structures can be corrupted for malicious intent. A fundamental goal of our work is to assess the realism of such data-oriented attacks in terms of the types of memory errors that can be leveraged to perform them, and to understand the prominence of these errors in real-world web servers. Our case study on a leading asynchronous architecture, namely Nginx, shows how data-oriented attacks allow an adversary to re-configure an Nginx instance on the fly in order to degrade or disable services (e.g., error reporting, security headers like HSTS, access control), steal sensitive information, as well as distribute arbitrary web content to unsuspecting clients - all by manipulating only a few bytes in memory. Our empirical findings on the susceptibility of modern asynchronous web servers to two well-known CVEs show that the damage could be severe. To address this threat, we also discuss several potential mitigations. Taken as a whole, our work tells a cautionary tale regarding the risks of blindly pushing forward with performance optimizations.
KW - asynchronous server architecture
KW - data only attacks
KW - security trade off
UR - https://www.scopus.com/pages/publications/85050761793
U2 - 10.1109/EuroSP.2018.00020
DO - 10.1109/EuroSP.2018.00020
M3 - Conference contribution
AN - SCOPUS:85050761793
T3 - Proceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
SP - 167
EP - 182
BT - Proceedings - 3rd IEEE European Symposium on Security and Privacy, EURO S and P 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 24 April 2018 through 26 April 2018
ER -