The Evil Alt-Ego: (ab)using HTTP Alternative Services

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 10:20 a.m. (40 minutes).

The HTTP Alternative Services header (Alt-Svc, RFC 7838) was introduced in 2013 by seasoned developers with "good intentions" in a bid to streamline load balancing, protocol optimizations, and client segmentation. It has been subsequently implemented in almost all mobile and desktop browsers. Unfortunately, the seemingly simple functionality of Alt-Svc has an evil alt(er) ego, which facilitates stealthy abuse by nefarious actors. <br /> <br /> In this talk, we will begin by exploring the history of the Alt-Svc HTTP header, its original purpose, and the substantial risk it had inadvertently produced for end users. As such, we will discuss how Alternative Services can be leveraged to scan ports blacklisted by browsers, probe firewalled hosts, and mount Distributed Denial of Service attacks. We will further highlight how these services can be abused to bypass popular phishing and malware protection services like Safe Browsing, and online site checkers like VirusTotal, URLVoid, Sucuri and IPVoid. In the privacy realm, the Alt-Svc header can be commandeered in order to track users: at the network layer by Internet Service Providers (ISPs) and at the application layer by first or third party websites (where we bypass third-party tracking protections on Firefox, Chrome and Brave). In a similar manner, the header can be used surreptitiously by various access points on a victim's daily itinerary (say, a coffee shop) to exfiltrate parts of a victim's browser history. <br /> <br /> Our attacks are different from standard JavaScript attacks in that they operate at a lower layer of abstraction, and are thus not visible to the user through the browser's interface or JS based detection techniques. Indeed, our attacks require no user interaction and can be mounted from third-party web content, to varying extents, on Firefox, Tor, Chrome, and Brave browser. It is thus essential that these vulnerabilities be fixed in the browser source code, and have been disclosed them accordingly. We will conclude with a discussion of vendor responses and practical mitigations, some of which are currently being addressed by browser developers. To date, one of our vulnerabilities been patched by Mozilla as CVE-2019-11728, and another has been fixed under Brave's bug bounty program. <br /> <br /> In summary, this talk will highlight how one simple protocol update, suggested by experienced developers, can spawn a multitude of unintended alt(er) egos ripe for exploitation.

Presenters:

  • Trishita Tiwari - PhD Student, Cornell University
    Trishita Tiwari is PhD student at Cornell University working on micro-architechtural security with Prof. Edward Suh. She just received her bachelors from Boston University where she was a Trustee Scholar, and graduated Summa Cum Laude in May 2019. There, she was a part of NISLab, where she worked with Prof. Ari Trachtenberg on various aspects of Cyber Security. Her recent research involved cache-based side-channel attacks, finding malicious uses of the Alt-Svc HTTP header (undergraduate thesis), and attacks on the Network Time Protocol (NTP). Her previous work included exploiting network side-channels on Android, creating a distributed web miner for Ethereum, and detecting anomalies to identify compromised VMs in the cloud. Till now, she has had her undergraduate work, including various first author publications, at conferences and workshops at IEEE Big Data 17, CSCML 18, ACM CCS'18, IEEE CNS 19, USENIX WOOT'19, and ACM CCS'19.
  • Ari Trachtenberg - Professor, Boston University
    Ari Trachtenberg is a Professional Hacker of Education At Boston university, with appointments in the departments of Electrical and Computer Engineering and Computer Science. Instead of sleeping, he conducts research in cybersecurity (side-channels, "smart" phones, offensive and defensive) and distributed algorithms (data reconciliation).
  • David Starobinski - Professor, Boston University
    David Starobinski is a Professor at Boston University with research interests in cybersecurity, wireless networking (including software-defined radios), and network economics (including blockchains).

Links:

Similar Presentations: