Security Risks in Asynchronous Web Servers: When Performance Optimizations Amplify the Impact of Data-Oriented Attacks

2018 IEEE European Symposium on Security and Privacy (EuroS&P) (2018)

Abstract
Over the past decade, many innovations have been achieved with respect to improving the responsiveness of highly-trafficked servers. These innovations are fueled by a desire to support complex and data-rich web applications while consuming minimal resources. One of the chief advancements has been the emergence of the asynchronous web server architecture, which is built from the ground up for scalability. While this architecture can offer a significant boost in performance over classic forking servers, it does so at the cost of abandoning memory space isolation between client interactions. This shift in design, that delegates the handling of many unrelated requests within the same process, enables powerful and covert data-oriented attacks that rival complete web server takeover - without ever hijacking the control flow of the server application. To demonstrate the severity of this threat, we present a technique for identifying security-critical web server data by tracing memory accesses committed by the program in generating responses to client requests. We further develop a framework for performing live memory analysis of a running server in order to understand how low-level memory structures can be corrupted for malicious intent. A fundamental goal of our work is to assess the realism of such data-oriented attacks in terms of the types of memory errors that can be leveraged to perform them, and to understand the prominence of these errors in real-world web servers. Our case study on a leading asynchronous architecture, namely Nginx, shows how data-oriented attacks allow an adversary to re-configure an Nginx instance on the fly in order to degrade or disable services (e.g., error reporting, security headers like HSTS, access control), steal sensitive information, as well as distribute arbitrary web content to unsuspecting clients - all by manipulating only a few bytes in memory. Our empirical findings on the susceptibility of modern asynchronous web servers to two well-known CVEs show that the damage could be severe. To address this threat, we also discuss several potential mitigations. Taken as a whole, our work tells a cautionary tale regarding the risks of blindly pushing forward with performance optimizations.
Keywords
data only attacks,asynchronous server architecture,security trade off