AWS Community Day CPH - Three problems of Terraform
Collision vulnerability for hash data structures in web platforms
1. Collision vulnerability for hash data
structures in web platforms
(Denial of Service attack)
Berescu Ionut
2012
2. Overview
• A variety of programming languages suffer
from a vulnerability when storing data as
key/value pairs in hash data structures.
• The condition can be leveraged by exploiting
predictable collisions in the underlying
hashing algorithms and can be used for
constructing a low-bandwidth Denial of
Service attack (DoS)
3. Vulnerable languages/servers
• Java, all versions • Apache Geronimo, all versions
• JRuby <= 1.6.5 • Apache Tomcat <= 5.5.34, <=
6.0.34, <= 7.0.22
• PHP <= 5.3.8, <= 5.4.0RC3
• Oracle Glassfish <= 3.1.1
• Python, all versions
• Jetty, all versions
• Rubinius, all versions
• Plone, all versions
• Ruby <= 1.8.7-p356
• Rack <= 1.3.5, <= 1.2.4, <= 1.1.2
• V8 JavaScript Engine, all versions
4. What is a hash table?
• A hash table or hash map is a data structure that
uses a hash function to map identifying values,
known as keys to their associated values .
• Ideally, the hash function should map each
possible key to a unique slot index, but this ideal
is rarely achievable in practice. Instead, most
hash table designs assume that hash collisions
(different keys that map to the same hash value)
will occur and must be accommodated in some
way.
5. How are the languages vulnerable?
• Most languages do not provide a randomized
hash function or the application server does
not recognize attacks using multi-collisions, so
an attacker can degenerate the hash table by
sending lots of colliding keys.
• The algorithmic complexity of inserting n
elements into the table then goes to
O(n*2), making it possible to exhaust hours of
CPU time using a single HTTP request.
6. Hash tables in PHP
• PHP internally uses hash tables to store arrays.
• Hash tables are very fast for storing and
getting data and that it’s why they are used
heavily in every language.
• Most PHP arrays have in the back a C hash
table. Example: $_GET, $_POST, ARRAY,
$GLOBALS, etc..
7. Constructing a 100% colliding hash
table in PHP
• In PHP if the array key is a integer the hash is the integer
itself, all PHP does is apply a table mask on top of it: hash &
tableMask.
• The underlying C array has always a size which is a power of 2.
• So if we store 10 elements the real size will be 16. If we store
33 it will be 64. If we store 63 it will also be 64. The table mask
is the size minus one. So if the size is 64, i.e. 1000000 in binary
the table mask will be 63, i.e. 0111111 in binary.
• Basically the table mask removes all bits that are greater than
the hashtable size.
8. Constructing a 100% colliding hash
table in PHP
• If we insert a total of 32 elements, the first
one 0, the second one 32, the third one
64, the fourth one 128, etc., all of those
elements will have the same hash and all will
be put into the same linked list, creating a
100% colliding hash table.
9. Constructing a 100% colliding hash
table in PHP
• Code example:
$size = pow(2, 15);
$max = ($size - 1) * $size;
for ($key = 0, $key <= $max; $key += $size) {
$data[$key] = 0;
}
• The above example will require an abnormal
amount of time to run, as all hash values will be
in the same linked list, inserting them taking a lot
longer.
10. DoS attack
• Sending a POST request, or a request that will
be decoded into an Array (JSON for example)
can result in a DoS attack.
• By sending a large number of parameters by
POST with keys that will create a hash table
with 100% collision, it will require the web
platform a very large amount of time and CPU
usage for inserting the elements.
11. DoS attack in PHP
• Sending the 100% collision array in a POST
request (with a size of let’s say 2^16) will
make PHP consume 100% of the systems CPU
for a couple of hours.
12. Impact
• Any website running one of the technologies
mentioned which provides the option to
perform a POST/GET request is vulnerable to
this very effective DoS attack.
• With a very low-bandwith connection we can
keep thousands of targeted systems cores at
100% use.
13. Workarounds
• For languages where no fixes have been
issued, there are a number of workarounds:
• Limiting CPU time (max_input_time in PHP).
• Limiting the maximal number of parameters
(max_input_vars in PHP).
• Using different data structures.