Discovering HTTP/2 DoS Vulnerabilities using Protocol Reverse Engineering

Event Start
Event End
Building 9, Level 2, Room 2325


To improve the data transmission speed of HTTP, HTTP/2 has extended  features based on HTTP/1.1 such as stream multiplexing. Along with its  wide deployment in popular web servers, numerous vulnerabilities are exposed. Denial of service, one of the most popular HTTP/2 vulnerabilities is attributed to the inappropriate implementations of flow control for stream multiplexing. To examine the potential flaws of stream multiplexing in various HTTP/2 implementations, modern HTTP/2 security analysis has heavily depended on manual analysis. However, each implementation may have different behaviors, which makes the manual analysis difficult. 

In this talk, we present PRETT/2, a stateful fuzzing framework for discovering denial-of-service (DoS) flaws, which uses a Protocol Reverse Engineering technique with the help of network Traces and message Tokens. Based on the flow control process of a particular implementation inferred by protocol reverse engineering, PRETT/2 performs stateful fuzzing to detect security flaws that may exhaust system resources. The experimental results on a variety of HTTP/2 implementations show that  PRETT/2 successfully inferred multiple state machines and discovered security flaws that fall in the DoS domain.

Brief Biography

Professor Dietrich joined the faculty in the Computer Science Department at Hunter College (CUNY) as Professor in August 2020. Prior to joining Hunter College, he was in the Mathematics and Computer Science department at CUNY John Jay as Associate Professor from 2014 to 2020, and in the Computer Science Department at the Stevens Institute of Technology as Assistant Professor from 2007 to 2014. He previously worked at CERT, located at Carnegie Mellon University, as a Senior Member of the Technical Staff from 2001 to 2007. He was also adjunct faculty at Carnegie Mellon's CyLab (2003-2007) and briefly in the Mathematics and Computer Science Department at Duquesne University in Spring 2007. He was also member of the CMU CyLab Usable Privacy & Security Laboratory (2006-2007). Prior to that, I was a Senior Security Architect at the NASA Goddard Space Flight Center (1997-2001).

Contact Person