Not Quite As QUICk: Automatic Vulnerability and RFC Security Considerations Compliance Testing of QUIC Protocol Server Implementations

Supervisor(s): Sebastian Peters, Lukas Lautenschlager
Status: finished
Topic: Others
Author: Kacper Darowski
Submission: 2025-09-01
Type of Thesis: Bachelorthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

In attempts to replace the dated Transmission Control Protocol (TCP) as the backbone
of modern networking, a protocol called QUIC has been introduced relatively recently.
Promising improved speed, throughput, and a broader feature set, QUIC has seen rapid
adoption in certain areas, particularly on large websites and in mobile applications.
Thanks to built-in encryption being an integral part of the standard, QUIC also aims to
enhance the security of communication over the internet. As deployment of the
protocol has increased, many independent teams of developers have created
their own implementations of the standard. While this heterogeneity does promote
interoperability and standard compliance, it also raises questions about the real-world
security of QUIC deployments.

This thesis investigates whether popular QUIC libraries abide by the so-called “Security
Considerations” found in the protocol’s main standardization document—RFC
9000. Over the course of our research, we have developed a dynamic black-box testing
framework for QUIC servers to determine the presence of security measures falling under
five categories—“Handshake Denial of Service”, “Amplification Attack”, “Slowloris
Attack”, “Peer Denial of Service”, and “Traffic Analysis”. Meant to complement other
software testing approaches, our framework is best suited as an early warning system
in Continuous Integration and Continuous Deployment (CI/CD) pipelines of QUIC
libraries.

To realize this goal, a systematic analysis of the QUIC specification was performed,
translating the chosen Security Considerations into theoretical attack vectors. By utilizing
containerization of the server executables, the drafted test cases were implemented and
executed in isolated environments, ensuring reproducibility and on-demand testing.
The recorded test outcomes were compared and reasoned about, in order to find likely
root causes of vulnerabilities found in real-world QUIC implementations, as well as
recommend mitigation strategies.

The results of our test suite paint a mixed picture of the maturity of the currently
available QUIC implementations. Whilst some servers displayed impressive resilience
against certain attack vectors, none of the twelve tested implementations were found
to cover all the Security Considerations outlined in RFC 9000. In many cases, security
still appears to be an afterthought, highlighting the importance of continued security
assessment and further strengthening of the practical QUIC implementation landscape.