Show simple item record

dc.contributor.advisor: Gligoroski, Danilo
dc.contributor.advisor: Aura, Tuomas
dc.contributor.author: Papli, Kaspar
dc.date.accessioned: 2021-09-23T19:07:18Z
dc.date.available: 2021-09-23T19:07:18Z
dc.date.issued: 2020
dc.identifier: no.ntnu:inspera:54255071:46990280
dc.identifier.uri: https://hdl.handle.net/11250/2781157
dc.description.abstract: Race conditions are a well-known problem in environments where there are several concurrent execution flows, such as threads or processes. Web applications often run in such a multithreaded environment, in which client requests are handled by worker threads that may execute the same code concurrently. Exploiting race conditions usually requires sending several exactly timed parallel requests to prompt the server to process them in parallel, potentially invoking the race condition. There are published methods on how to accomplish sending exactly timed concurrent requests in HTTP/1.x but previously no HTTP/2-specific methods were known. In this thesis, we propose two novel techniques for exploiting race conditions on applications that serve their content over HTTP/2. Both techniques exploit new features introduced in HTTP/2 for synchronising the timing of concurrent requests. These techniques are implemented using a new low-level HTTP/2 client library called h2tinker that was developed as part of this thesis. This Python library enables researchers to experiment with HTTP/2 and different implementations, providing fast prototyping capabilities and extensibility. Several previous attacks are implemented with h2tinker as examples. We provide an overview of all state-of-the-art methods for request synchronisation, including the two proposed novel methods and one previously unpublished method for HTTP/1.1 that exploits the head-of-line blocking problem in TCP. These methods are analysed and compared. In addition to exploiting race conditions, request synchronisation methods could be useful for improving other attacks, such as remote timing attacks. Therefore, these methods could be of independent interest in the future.
dc.language: eng
dc.publisher: NTNU
dc.title: Exploiting Race Conditions in Web Applications with HTTP/2
dc.type: Master thesis


Associated file(s)

This item appears in the following collection(s)
