I Came to Drop Bombs: Auditing the Compression Algorithm Weapon Cache

Presented at Black Hat USA 2016, Aug. 3, 2016, 3 p.m. (25 minutes).

A decompression bomb attack is relatively simple to perform --- but it can be completely devastating to developers who have not taken the time to properly guard their applications against this type of denial of service. The decompression bomb is not a new attack - it has been around since at least 1996 - but unfortunately it is still horrifyingly common. The stereotypical bomb is the zip bomb, but in reality nearly any compression algorithm can provide fruit for this attack (images, HTTP streams, etc.). Which algorithms have the highest compression ratios, the sloppiest parsers, and make for the best bomb candidates? This talk is about an ongoing project to answer that question. In addition to the compression algorithm audit, this research is generating a vast library of tools ("bombs") that security researchers and developers can use to test for this vulnerability in a wide variety of applications and protocols. These bombs are being released under an open-source license.
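The guard the abstract says most applications lack is a bound on how much a stream is allowed to expand before anyone measures it. The following is an added example, not code from the talk or its released tools: a zlib inflater that enforces both an absolute output cap and an expansion-ratio cap while decompressing incrementally, exercised on constructed inputs (a highly compressible stream standing in for a bomb, an incompressible one, and a small benign one).

```python
import os
import zlib

CHUNK = 64 * 1024  # output requested per inflate step; bounds growth between checks

class DecompressionBomb(Exception):
    """Raised when a stream expands past the configured limits."""

def safe_decompress(data: bytes, max_output: int = 1 << 20, max_ratio: int = 100) -> bytes:
    """Inflate a zlib stream under an absolute output cap and an expansion-ratio cap.
    Output is pulled CHUNK bytes at a time via max_length, so memory overshoots
    max_output by at most CHUNK before rejection, unlike zlib.decompress(),
    which materialises the whole expansion before the caller can measure it."""
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not inflater.eof:
        piece = inflater.decompress(pending, CHUNK)
        out += piece
        if len(out) > max_output:
            raise DecompressionBomb(f"output exceeds {max_output} bytes")
        if len(out) > max_ratio * max(len(data), 1):
            raise DecompressionBomb(f"expansion exceeds {max_ratio}:1")
        pending = inflater.unconsumed_tail  # input zlib could not process yet
        if not piece and not pending:
            break  # no progress and no input left: stream is truncated
    if not inflater.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return bytes(out)

def expands_safely(data: bytes, **limits) -> bool:
    """True if `data` inflates within the limits, False if it trips a cap."""
    try:
        safe_decompress(data, **limits)
        return True
    except DecompressionBomb:
        return False

# Constructed test inputs (not from the talk): a highly compressible stream that
# stands in for a bomb, an incompressible one that only the size cap catches,
# and a small benign one.
ZERO_STREAM = zlib.compress(b"\0" * (8 << 20), 9)   # 8 MiB of zeros, a few KiB compressed
RANDOM_STREAM = zlib.compress(os.urandom(2 << 20))  # 2 MiB of noise, ratio about 1:1
BENIGN_STREAM = zlib.compress(b"hello " * 100)

if __name__ == "__main__":
    for name, s in [("zeros", ZERO_STREAM), ("random", RANDOM_STREAM), ("benign", BENIGN_STREAM)]:
        print(f"{name}: {len(s)} bytes compressed, accepted={expands_safely(s)}")
```

The ratio cap alone would admit the incompressible stream, and the size cap alone would admit a bomb that is small in absolute terms but enormous relative to its input, which is why the two limits are checked together.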


Presenters:

  • Cara Marie - NCC Group
    Cara Marie is a Senior Security Engineer at NCC Group, an information security firm specializing in application, network, and mobile security. Cara specializes in web application/web services security, network security, client/server testing, and mobile application security. She is experienced in C, C++, Java, web technologies, as well as a variety of scripting languages.
