Developments in the BREACH Attack

wopot

asia-16-Karakostas-Practical-New-Developments-In-The-BREACH-Attack

• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level

Practical New

Developments

in the

BREACH Attack

Dimitris Karakostas

Dionysis Zindros


HTTPS is broken

• Click to edit Master text styles

BREACH — Second broke level HTTPS + RC4 in 2013

• People upgraded to AES – thought they were safe

• Third level

Today...

— Fourth level

» Fifth level

• We show TLS + AES is still broken

• HTTPS can be decrypted - quick and easy

• We launch open source tool to do it here in Singapore


Overview

• Click to edit Master text styles

BREACH — Second reviewlevel

• Our contributions

• Third level

• Statistical attacks

— Fourth level

Attacking block ciphers

» Fifth level

Attacking noise

• Optimization techniques

• Our tool: Rupture

• Mitigation recommendations


• Click to edit Master text styles

— Second level

• Third level

Original BREACH research

Introduced in Black Hat USA 2013

— Fourth level

» Fifth level

Angelo Prado

Neal Harris

Yoel Gluck


• Click to edit Master text styles

— Second level

• Third level

BREACH attack anatomy

— Fourth level

» Fifth level


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level


Original BREACH assumptions

• Click to edit Master text styles

Target website:

— Second level

• Third level

• Uses HTTPS

— Fourth level

• Compresses response using gzip

» Fifth level

• Uses stream cipher

• Response has zero noise

• Contains end-point that reflects URL parameter


Original BREACH target

• Click to edit Master text styles

1. Steal — Second secret in level HTTPS response (CSRF tokens)

2. Use CSRF to impersonate victim client to victim server

• Third level

— Fourth level

» Fifth level


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level

Length leaks

|E(A)| < |E(B)| ⇔ |A| < |B|


Let’s attack Gmail

• Click to edit Master text styles

• m.gmail.com — Second mobile level Gmail view

• Mobile search functionality uses HTTP POST

• Third level

– but HTTP GET still works :)

— Fourth level

• CSRF token included in response – valid for all of Gmail

» Fifth level


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level

Noise

Reflection

Secret


Attacker guesses part of secret

• Click • to Uses edit in reflection Master text styles

• Compressed/encrypted response is shorter if right!

— Second level

• Third level

— Fourth level

» Fifth level


Original BREACH methodology

• Click to edit Master text styles

• Guess — Second part of secret level and insert into reflection

• Match? → Shorter length due to compression

• Third level

• No match? → Longer length

— Fourth level

• Bootstrap by guessing 3-byte sequence

» Fifth level

• Extend one character at a time

• O(n|Σ|) complexity

• n: length of secret

• Σ: alphabet of secret


Can we really attack Gmail?

• Click to edit Master text styles

• Uses — AES Second level

• Has random bytes in response

• Third level

— Fourth level

» Fifth level


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

Our contributions

» Fifth level


Our contributions

• Click to edit Master text styles

We extend the BREACH attack

— Second level

• Third level

1. Attack noisy end-points

— Fourth level

2. Attack block cipher end-points

» Fifth level

3. Optimize attack

4. Propose novel mitigation techniques

The whole web is vulnerable


• Click to edit Master text styles

— Second level

• Third level

Statistical methods

— Fourth level

» Fifth level


Statistical methods

• Click to edit Master text styles

• We — can Second attack noisy level end-points

• Multiple requests per alphabet symbol

• Third level

• Take mean response length

— Fourth level

• m-sized noise → attack works in O(n|Σ|√m)

» Fifth level

• m = (max response size) - (min response size)

• Length converges to correct results (LLN)


Statistical methods against block ciphers

• Click to edit Master text styles

• Everyone — Second uses block level ciphers

• Statistical methods break them

• Third level

• We introduce artificial noise

— Fourth level

• Block ciphers round length to 128-bits

» Fifth level

• In practice 16x more requests

• Blocks aligned → Length difference measurable


Experimental results

• Click to edit Master text styles

• AES_128 — Second is vulnerable level

• Popular web services are vulnerable:

• Third level

• Gmail

— Fourth level

• Facebook

» Fifth level

• etc.


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level

Optimizations


Optimizations overview

• Click to edit Master text styles

Block ciphers cause 16x slowdown. We need to optimize.

— Second level

• Third level

• Divide and conquer: 6x speed-up

— Fourth level

• Request soup: 16x speed-up

» Fifth level

• Browser parallelization: 6x speed-up

Total ~ 500x speed-up!


Optimization: Divide & Conquer

• Click to edit Master text styles

• Each — request Second tries level multiple candidates from alphabet

• Partition alphabet using divide-and-conquer

• Third level

• Binary search on alphabet partitions

— Fourth level

• Reduces attack complexity from O(n|Σ|) to O(n lg|Σ|)

» Fifth level

• Practically this gives 6x speed-up


Binary search in alphabet space

• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level


Optimization: Request soup

• Click to edit Master text styles

Problem:

— Second level

• Third level

• Need 16x samples for block ciphers

• But we only — need Fourth the level length mean

Solution:

» Fifth level

• Responses come pipelined, can’t tell them apart

• We don’t care! Measure total length

• Divide by amount, extract mean


Optimization: Browser parallelization

• Click to edit Master text styles

• Do — 6x Second parallel requests; level browsers support it

• Each parallel request cannot adapt based on previous

• Third level

• But we need many samples of same candidates anyway

— Fourth level

• No need to adapt before we collect enough

» Fifth level


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level

RUPTURE


Today, we make BREACH easy

• Click to edit Master text styles

• Over — the Second past months, level we’ve developed rupture

• Today in Black Hat Asia 2016, we make it open source

• Third level

— Fourth level

» Fifth level

https://github.com/dionyziz/rupture

ruptureit.com


Rupture

• Click to edit Master text styles

• Extensible — Second level

• Modular analysis / optimizations / strategies

• Third level

• Experiment with your own

— Fourth level

• General web attack framework

» Fifth level

• Can be adapted to work for CRIME, POODLE, …

• Persistent command & control channel

• Scalable architecture: Multiple attacks simultaneously

• Come help us make it better


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level


Robust, persistent command & control

• Click to edit Master text styles

• Automatically — Second inject level JS to HTTP

• All plaintext connections infected

• Third level

• One tab at a time gets work from C&C server

— Fourth level

• User closes tab? Different tab starts attacking

» Fifth level

• User switches browsers? Works on different browser

• Data collection failed for a sample? Sample recollected

• User reboots computer? Attack continues


Persistent attack data storage

• Click to edit Master text styles

• Collected — Second data processed level by Django middleware

Attack historical data stored permanently in MySQL db

• Third level

• Future analysis with new techniques possible

— Fourth level

» Fifth level


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level

Rupture demo


• Click to edit Master text styles

— Second level

• Third level

— Fourth level

» Fifth level

Mitigation


First-party cookies

• Click to edit Master text styles

• Don’t — send Second authlevel

cookies cross-origin

• Backwards compatibility: Web server opts-in

• Third level

• Mike West implemented it in Chrome 51

— Fourth level

• Coming April 8th

» Fifth level

Set-Cookie: SID=31d4d96e407aad42; First-Party


Key takeaways

• Click to edit Master text styles

1. HTTPS — Second + gzip = level broken

2. Rupture framework is live – attacks are easy

• Third level

3. Enable first-party cookies on your web app

— Fourth level

» Fifth level


• Click to edit Master text styles

Thank you! Questions?

— Second level

• Third level

— Fourth level

» Fifth level

twitter.com/dionyziz

45DC 00AE FDDF 5D5C B988 EC86 2DA4 50F3 AFB0 46C7

github.com/dimkarakostas

DF46 7AFF 3398 BB31 CEA7 1E77 F896 1969 A339 D2E9

More magazines by this user
Similar magazines