A couple of weeks ago, I presented a paper at the USENIX Security conference. The paper was about HTTP/2-to-HTTP/1 conversion anomalies and their security implications. When we started the project, the idea was to fuzz and confuse HTTP/2 reverse proxies into making abnormal conversions. For the mutation part, we did not want to limit ourselves to string mutations of frame contents; we had stream-level mutations (inserting, removing and reordering whole frames) in mind all along. To develop an approach for stream-level mutations, we took inspiration from living cells.
To give some context: when a cell needs to synthesize a protein, the relevant region of its DNA is transcribed into messenger RNA, which is carried to a ribosome and translated into a chain of amino acids. The ribosome reads three nucleotides (one codon) at a time. For example, given the sequence GAGGAGGAG (A is adenine, G is guanine), it reads GAG, GAG, GAG, translates each GAG to glutamate, and produces three glutamates.
However, if a mutation inserts a nucleotide into the source sequence, the reading frame shifts. For example, an extra G after the first GAG turns the sequence into GAG GGA GGA G: one glutamate followed by two glycines (GGA) and a dangling nucleotide, instead of three glutamates.
Biologists call this kind of mutation a "frameshift mutation" and it is known to be at the root of various disorders.
Frameshift mutations inspired us in three ways: 1) using healthy (i.e., syntactically and semantically valid) frame sequences as the base; 2) inserting only healthy (i.e., syntactically valid) frames during mutation; and 3) inserting every available frame type into the sequence, including terminating frames (e.g., GOAWAY, RST_STREAM), much as a frameshift can introduce a premature stop codon that ends translation early. These biologically inspired principles laid the foundation of our mutation strategy, and we named our fuzzing tool Frameshifter in honor of frameshift mutations. It is available on GitHub.
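To make the three principles concrete, here is a small worked example in Python. It is an added illustration written for this page, not Frameshifter's own code or the paper's exact algorithm: it builds a healthy HTTP/2 request (HEADERS followed by DATA on stream 1), and generates mutants by inserting one syntactically valid frame of every RFC 7540 frame type at every position, including RST_STREAM and GOAWAY. The header-block bytes are a constructed placeholder (HPACK static-table indices for `:method GET`, `:path /`, `:scheme https`), and the payload values (error codes, window sizes, setting values) are illustrative choices; sending the mutants to a proxy and comparing its HTTP/1 output is left out.

```python
"""Frameshift-style mutation of an HTTP/2 frame sequence (added example,
not Frameshifter's code).  Frame layouts follow RFC 7540 sections 4.1 and 6;
HEADER_BLOCK is a constructed placeholder rather than real HPACK output."""
import struct

# RFC 7540 section 6 frame type codes.
FRAME_TYPES = {
    "DATA": 0x0, "HEADERS": 0x1, "PRIORITY": 0x2, "RST_STREAM": 0x3,
    "SETTINGS": 0x4, "PUSH_PROMISE": 0x5, "PING": 0x6, "GOAWAY": 0x7,
    "WINDOW_UPDATE": 0x8, "CONTINUATION": 0x9,
}
END_STREAM, END_HEADERS = 0x1, 0x4
ERR_CANCEL = 0x8                 # RST_STREAM error code CANCEL
HEADER_BLOCK = b"\x82\x84\x87"   # placeholder: indexed :method GET, :path /, :scheme https


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags,
    reserved bit + 31-bit stream id, then the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 2^24-1 bytes")
    header = (struct.pack("!I", len(payload))[1:]
              + bytes([ftype, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def decode_frames(wire):
    """Parse concatenated frames into (type, flags, stream_id, payload)
    tuples; raises on a truncated header or payload."""
    frames, off = [], 0
    while off < len(wire):
        if len(wire) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(wire[off:off + 3], "big")
        ftype, flags = wire[off + 3], wire[off + 4]
        stream_id = struct.unpack("!I", wire[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = wire[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def healthy_request(stream_id=1):
    """Principle 1: the base is a syntactically and semantically valid
    request, HEADERS (END_HEADERS) then DATA (END_STREAM) on one stream."""
    return [
        encode_frame(FRAME_TYPES["HEADERS"], END_HEADERS, stream_id, HEADER_BLOCK),
        encode_frame(FRAME_TYPES["DATA"], END_STREAM, stream_id, b"hello"),
    ]


def insertion_frames(stream_id=1):
    """Principles 2 and 3: one syntactically valid frame per type, with the
    exact payload layout each type requires (values are illustrative).
    Whether the frame makes sense at the insertion point is what the fuzzer
    is probing, so semantics are deliberately not enforced here."""
    t = FRAME_TYPES
    return [
        ("DATA", encode_frame(t["DATA"], 0, stream_id, b"x")),
        ("HEADERS", encode_frame(t["HEADERS"], END_HEADERS, stream_id, HEADER_BLOCK)),
        # PRIORITY: E bit + 31-bit dependency (stream 0), 8-bit weight (15 -> priority 16)
        ("PRIORITY", encode_frame(t["PRIORITY"], 0, stream_id, struct.pack("!IB", 0, 15))),
        ("RST_STREAM", encode_frame(t["RST_STREAM"], 0, stream_id, struct.pack("!I", ERR_CANCEL))),
        # SETTINGS: one 16-bit id + 32-bit value (SETTINGS_MAX_CONCURRENT_STREAMS = 100)
        ("SETTINGS", encode_frame(t["SETTINGS"], 0, 0, struct.pack("!HI", 0x3, 100))),
        # PUSH_PROMISE: R + 31-bit promised stream id, then a header block
        ("PUSH_PROMISE", encode_frame(t["PUSH_PROMISE"], END_HEADERS, stream_id,
                                      struct.pack("!I", 2) + HEADER_BLOCK)),
        ("PING", encode_frame(t["PING"], 0, 0, b"\x00" * 8)),
        # GOAWAY: last stream id, then error code (NO_ERROR = 0)
        ("GOAWAY", encode_frame(t["GOAWAY"], 0, 0, struct.pack("!II", stream_id, 0))),
        ("WINDOW_UPDATE", encode_frame(t["WINDOW_UPDATE"], 0, stream_id, struct.pack("!I", 1024))),
        ("CONTINUATION", encode_frame(t["CONTINUATION"], END_HEADERS, stream_id, HEADER_BLOCK)),
    ]


def frameshift_mutants(base_frames, stream_id=1):
    """Return [(label, wire_bytes)]: the base with one frame inserted at each
    position, for every type.  A 2-frame base gives 3 positions x 10 types
    = 30 mutants, every one of which still parses as well-formed frames."""
    mutants = []
    for pos in range(len(base_frames) + 1):
        for name, frame in insertion_frames(stream_id):
            seq = base_frames[:pos] + [frame] + base_frames[pos:]
            mutants.append((f"{name}@{pos}", b"".join(seq)))
    return mutants


if __name__ == "__main__":
    for label, wire in frameshift_mutants(healthy_request()):
        types = [f[0] for f in decode_frames(wire)]   # sanity check: still well-framed
        print(f"{label:16s} {len(wire):3d} bytes  types={types}")
```

Each label records which frame type landed where (for example `GOAWAY@0` puts a connection-terminating frame before the request even starts, and `RST_STREAM@2` cancels the stream right after its END_STREAM). A real harness would prefix the connection preface and an initial SETTINGS frame, send each mutant to the proxy under test, and diff the HTTP/1 request that reaches the backend against what the healthy sequence produces.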
When we used Frameshifter to test popular reverse proxies, including popular CDN servers, we found that many of them are affected by abnormal conversions and the attacks those conversions enable. We reported all findings to the affected vendors and helped them reproduce the attacks. Some vendors assigned CVEs, such as the Go team at Google (for the Query-of-Death attack) and the Apache Traffic Server team (for the Request Blackholing attack). Other vendors confirmed the findings and shared their plans for action.