OPTIMIZED HANDLING OF BASE64 ENCODED STRINGS PRESENTING ATTACK VECTORS SPANNING MULTIPLE PACKETS

IP.com Disclosure Number: IPCOM000229353D
Publication Date: 2013-Jul-23
Document File: 5 page(s) / 201K

Publishing Venue

The IP.com Prior Art Database

Related People

Anant Mathur: AUTHOR [+2]

Abstract

Presented herein are techniques to optimize handling of base64 encoded strings spanning multiple data packets. These techniques are applied to intrusion prevention systems, which see a single stream of data comprising multiple packets.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 54% of the total text.

Page 01 of 5

AUTHORS:

Anant Mathur

Rahul Burman

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    Hypertext Transfer Protocol (HTTP) traffic includes Hypertext Markup Language (HTML) documents that may contain objects such as images or links used for cross-site scripting (XSS) and other attacks. For example, in the HTML shown in Figure 1 below, the IMG SRC attribute may be used by a web client to download an image from a non-trusted host.

Figure 1

    Intrusion prevention systems (IPSs) and firewalls defend against such attacks by parsing the HTML code, scanning the content, and raising alerts or dropping packets in response to detected threats. In particular, IPSs may inspect the stream of packet payloads by passing content to regular expression (regex) software (and/or hardware) that looks for matches to patterns indicative of malicious content or other security threats. Generally, the regex software is capable of matching patterns across multiple packets.

Copyright 2013 Cisco Systems, Inc.


    An attacker may attempt to evade these defenses by obscuring content using base64 encoding. For example, the HTML code shown in Figure 1 above may be encoded as shown in Figure 2 below.

Figure 2

    The IPS must decode the encoded string before passing it to the regex software. However, the string may be distributed across multiple packets, as illustrated in Figure 3 below, and decoding segments of an encoded string is simple only if the string was segmented into multiples of four characters. This is not guaranteed when the string is divided into packets. In general, the string may be partitioned at arbitrary locations.

Figure 3

    One solution is for the IPS to accumulate the whole HTTP response before decoding the base64 string, as illustrated in Figure 4 below. However, this approach is inefficient, since it requires buffering an unknown and possibly large number of packets. Allocating and accessing heap memory may incur a high performance cost. In addition, buffering the response until it completes introduces a time lag.

    Accordingly, techniques are presented herein to optimize handling of base64 encoded strings spanning multiple data packets. Packet content is decoded and sent to the regex software on an approximately per packet basis, as shown in Figure 5 below.
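The following Python example illustrates the per-packet approach described above. It is added here for illustration and is not code from the disclosure or from Cisco: the base64 string is decoded in whatever pieces the packets deliver, holding back at most three characters between packets so that boundaries need not fall on four-character groups, and each decoded piece is handed to a pattern matcher immediately instead of buffering the whole HTTP response. The sample HTML, the signature regex, the packet sizes and the matcher's 64-byte overlap window (which must be at least as long as the longest possible match) are all constructed assumptions.

```python
import base64
import re

# Constructed sample standing in for the Figure 1 scenario: an image
# fetched from a non-trusted host.
SAMPLE_HTML = b'<html><body><img src="http://untrusted.example/x.png"></body></html>'

# Constructed signature standing in for the regex engine's pattern set.
SIGNATURE = re.compile(rb'<img\s+src="http://[^"]+"')


class StreamingBase64Decoder:
    """Decode a base64 string delivered in arbitrarily sized pieces.

    base64 maps 3 bytes to 4 characters, so only complete groups of 4 can be
    decoded. Packet boundaries fall anywhere, so up to 3 characters are held
    back and prepended to the next packet's data.
    """

    def __init__(self) -> None:
        self._pending = b""

    def feed(self, chunk: bytes) -> bytes:
        data = self._pending + chunk
        usable = len(data) - (len(data) % 4)
        ready, self._pending = data[:usable], data[usable:]
        return base64.b64decode(ready) if ready else b""

    def flush(self) -> bytes:
        # End of stream: an unpadded tail of 2 or 3 characters is still
        # decodable once padding is restored; a single leftover character
        # cannot encode a whole byte and indicates a truncated stream.
        tail, self._pending = self._pending, b""
        if len(tail) == 1:
            raise ValueError("truncated base64 stream")
        if not tail:
            return b""
        return base64.b64decode(tail + b"=" * (-len(tail) % 4))


class StreamingMatcher:
    """Run a regex over decoded data as it arrives, keeping a short overlap
    so a match that straddles a packet boundary is still found.

    The overlap size is an assumption of this example: it must be at least
    the length of the longest match the pattern can produce.
    """

    def __init__(self, pattern: re.Pattern, overlap: int = 64) -> None:
        self._pattern = pattern
        self._overlap = overlap
        self._tail = b""

    def scan(self, decoded: bytes) -> list:
        window = self._tail + decoded
        # Report only matches that end inside the new data; a match ending
        # inside the retained tail was already reported on an earlier call.
        hits = [m.group(0) for m in self._pattern.finditer(window)
                if m.end() > len(self._tail)]
        self._tail = window[-self._overlap:]
        return hits


def inspect_packets(packets) -> list:
    """Per-packet path: decode each packet's base64 fragment and scan it
    right away, instead of buffering the whole response first."""
    decoder = StreamingBase64Decoder()
    matcher = StreamingMatcher(SIGNATURE)
    alerts = []
    for pkt in packets:
        alerts.extend(matcher.scan(decoder.feed(pkt)))
    alerts.extend(matcher.scan(decoder.flush()))
    return alerts


def split_at(data: bytes, sizes) -> list:
    """Constructed packetization: cut the encoded string at the given
    (deliberately non-multiple-of-4) offsets, remainder in a last packet."""
    out, pos = [], 0
    for n in sizes:
        out.append(data[pos:pos + n])
        pos += n
    out.append(data[pos:])
    return out


if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_HTML)
    for alert in inspect_packets(split_at(encoded, [13, 29, 7, 31])):
        print("ALERT:", alert)
```

Note that `StreamingMatcher` is a stand-in for the disclosure's regex engine, which the text says already matches across packets; the decoder is the part the disclosure is concerned with, and only its three-character carry-over state persists between packets, rather than an unbounded buffer of the response.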


Figure 4

Figure 5

    In particular, for each packet containing part of a base64 encoded string, the encoded string is deco...