<!-- HTML header for doxygen 1.9.6-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="$langISO">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=11"/>
<meta name="generator" content="Doxygen 1.9.4"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Kourier: Keeping The Server Secure</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Ubuntu:ital,wght@0,300;0,400;0,500;0,700;1,300;1,400;1,500;1,700|Ubuntu+Mono:ital,wght@0,400;0,700;1,400;1,700|Ubuntu+Condensed|Material+Symbols+Outlined:opsz,wght,FILL,GRAD@48,400,0,0|Source+Code+Pro:ital,wght@0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900|Noto+Sans:ital,wght@0,100;0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,100;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900|Source+Sans+Pro:ital,wght@0,200;0,300;0,400;0,600;0,700;0,900;1,200;1,300;1,400;1,600;1,700;1,900" />
<link href="https://fonts.cdnfonts.com/css/bitstream-vera-sans-mono" rel="stylesheet">
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<script type="text/javascript" src="doxygen-awesome-darkmode-toggle.js"></script>
<script type="text/javascript">
DoxygenAwesomeDarkModeToggle.init()
</script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtreedata.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
<link href="doxygen-awesome.css" rel="stylesheet" type="text/css"/>
<link href="doxygen-awesome-sidebar-only.css" rel="stylesheet" type="text/css"/>
<link href="doxygen-awesome-sidebar-only-darkmode-toggle.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr id="projectrow">
<td id="projectalign">
<div id="projectname">Kourier<span id="projectnumber"> 1.0.0</span>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.9.4 -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT */
var searchBox = new SearchBox("searchBox", "search",'Search','.html');
/* @license-end */
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT */
$(function() {
initMenu('',true,false,'search.php','Search');
$(document).ready(function() { init_search(); });
});
/* @license-end */
</script>
<div id="main-nav"></div>
</div><!-- top -->
<div id="side-nav" class="ui-resizable side-nav-resizable">
<div id="nav-tree">
<div id="nav-tree-contents">
<div id="nav-sync" class="sync"></div>
</div>
</div>
<div id="splitbar" style="-moz-user-select:none;"
class="ui-resizable-handle">
</div>
</div>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT */
$(document).ready(function(){initNavTree('KeepingTheServerSecure.html',''); initResizable(); });
/* @license-end */
</script>
<div id="doc-content">
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<div><div class="header">
<div class="headertitle"><div class="title">Keeping The Server Secure </div></div>
</div><!--header-->
<div class="contents">
<div class="textblock"><p ><a class="anchor" id="md_KeepingTheServerSecure_KeepingTheServerSecure"></a> Cute provides a safe and highly efficient Linux-based server that can handle millions of connections and requests per second even on modest hardware. Although Cute shines as the backbone of microservices-based solutions running behind enterprise firewalls, the Cute server was designed, security-wise, to run as an internet-facing server. To this end, Cute gives developers fine-grained visibility into, and control over, the connection and the data it carries.</p>
<h1><a class="anchor" id="autotoc_md75"></a>
Dealing With Rogue Data</h1>
<p >Cute serializes data before sending it to the connected peer. Thus, rogue clients can send specially crafted data to attack the server while it unmarshals received data. The Cute server prevents these attacks by providing a custom-designed data streamer.</p>
<p >The QDataStream provided by Qt reserves the container's size before processing the data. It therefore assumes that the data can be trusted, which is false for publicly available servers. The code below is what QDataStream uses to read a QList/QVector:</p>
<div class="fragment"><div class="line"><span class="comment">// Qt Code extracted from https://code.qt.io/cgit/qt/qtbase.git/tree/src/corelib/serialization/qdatastream.h?h=6.5.2</span></div>
<div class="line"><span class="keyword">template</span> &lt;<span class="keyword">typename</span> Container&gt;</div>
<div class="line">QDataStream &amp;readArrayBasedContainer(QDataStream &amp;s, Container &amp;c)</div>
<div class="line">{</div>
<div class="line">    StreamStateSaver stateSaver(&amp;s);</div>
<div class="line"> </div>
<div class="line">    c.clear();</div>
<div class="line">    quint32 n;</div>
<div class="line">    s &gt;&gt; n;</div>
<div class="line">    c.reserve(n);</div>
<div class="line">    <span class="keywordflow">for</span> (quint32 i = 0; i &lt; n; ++i) {</div>
<div class="line">        <span class="keyword">typename</span> Container::value_type t;</div>
<div class="line">        s &gt;&gt; t;</div>
<div class="line">        <span class="keywordflow">if</span> (s.status() != QDataStream::Ok) {</div>
<div class="line">            c.clear();</div>
<div class="line">            <span class="keywordflow">break</span>;</div>
<div class="line">        }</div>
<div class="line">        c.append(t);</div>
<div class="line">    }</div>
<div class="line"> </div>
<div class="line">    <span class="keywordflow">return</span> s;</div>
<div class="line">}</div>
</div><!-- fragment --><p >Attacking a server that uses QDataStream is trivial: it only takes rogue data for a QList/QVector. We only have to stream the maximum possible value of an unsigned 32-bit integer as the container size to make the server allocate 4 GB. Cute allows developers to configure the server to limit the reservation size that it can use when unmarshaling containers.</p>
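<p >The following is an added example, not Cute's data streamer and not Qt code: a count-prefixed list reader that caps the up-front reservation and rejects a count that the received bytes cannot back. The names <code>Reader</code>, <code>readBoundedList</code> and <code>kMaxReserve</code>, the big-endian framing and both sample frames are assumptions made for the illustration.</p>

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical policy value: most elements pre-allocated on a peer's say-so.
constexpr std::size_t kMaxReserve = 1024;

// Minimal big-endian reader over one received, already framed message.
struct Reader {
    const std::uint8_t *p;
    std::size_t left;
    bool readU32(std::uint32_t &v) {
        if (left < 4) return false;
        v = (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
            (std::uint32_t(p[2]) << 8) | std::uint32_t(p[3]);
        p += 4; left -= 4;
        return true;
    }
};

// Reads a count-prefixed list of 32-bit values without trusting the count.
// Returns false (out left empty) on malformed input; reserved reports the
// capacity requested before any element was read.
bool readBoundedList(Reader r, std::vector<std::uint32_t> &out, std::size_t &reserved) {
    out.clear();
    reserved = 0;
    std::uint32_t n = 0;
    if (!r.readU32(n)) return false;
    // Every element occupies 4 bytes, so a larger count cannot be honest.
    if (n > r.left / 4) return false;
    reserved = std::min<std::size_t>(n, kMaxReserve);
    out.reserve(reserved);  // capped: growth beyond this follows real data
    for (std::uint32_t i = 0; i < n; ++i) {
        std::uint32_t t = 0;
        if (!r.readU32(t)) { out.clear(); return false; }
        out.push_back(t);
    }
    return true;
}

// Constructed inputs: a frame claiming 0xFFFFFFFF elements, and an honest one.
const std::uint8_t kRogue[] = {0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 1};
const std::uint8_t kHonest[] = {0, 0, 0, 2, 0, 0, 0, 7, 0, 0, 1, 0};

int main() {
    std::vector<std::uint32_t> v; std::size_t cap = 0;
    bool rejected = !readBoundedList(Reader{kRogue, sizeof kRogue}, v, cap);
    return (rejected && readBoundedList(Reader{kHonest, sizeof kHonest}, v, cap)) ? 0 : 1;
}
```

<p >When elements have variable size, or the message arrives incrementally, the remaining-bytes check is unavailable and the reservation cap is the control that bounds the allocation.</p>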
<p >Rogue peers can also craft malicious data that abuses the nesting level of QVariants to cause a stack overflow on the server. Developers can prevent this type of attack by setting limits on the nesting level of QVariants while configuring the server.</p>
<h1><a class="anchor" id="autotoc_md76"></a>
Resource Control Through Timeouts</h1>
<p >Creating stale connections that do nothing or work slowly is a common technique bad actors use to attack publicly available servers. With Cute, developers can specify a set of timeouts when configuring the server to prevent stale connections.</p>
<h1><a class="anchor" id="autotoc_md77"></a>
Resource Control Through Hard Limits</h1>
<p >The Cute server allows developers to set many hard limits to control the interaction between clients and the server. Developers can set the following hard limits when configuring the server:</p>
<ul>
<li>The maximum number of remote objects per WebSocket connection.</li>
<li>The maximum number of remote signal-slot connections per remote object.</li>
<li>The maximum number of network connections per IP.</li>
<li>The maximum number of network connections per server.</li>
</ul>
<h1><a class="anchor" id="autotoc_md78"></a>
Resource Control Through Rate Limiting</h1>
<p >Malicious or badly configured peers can also exhaust the server by sending too many requests. Cute provides a very fast in-memory local rate limiter that developers can apply to limit the request rate the server accepts. The Cute server uses the token bucket algorithm to limit the request rate. The rate limiter enables developers to specify the steady, burst, and long-term remote slot call behaviors that clients can sustain when interacting with the server. Developers use the setRateLimiter method to set up rate limiting.</p>
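<p >The following is an added example, not Cute's rate limiter: a token bucket limiter that pairs a short-term bucket (steady rate and burst size) with a long-term bucket, and allows a call only when both hold a token. The class and parameter names, the two-bucket composition and the injected millisecond clock are assumptions made for the illustration.</p>

```cpp
#include <algorithm>
#include <cstdint>

// One token bucket: refills at `rate` tokens per second, up to `capacity`.
struct Bucket {
    double rate, capacity, tokens;
    std::int64_t lastMs;
    void refill(std::int64_t nowMs) {
        if (nowMs <= lastMs) return;  // ignore a clock that did not advance
        tokens = std::min(capacity, tokens + rate * double(nowMs - lastMs) / 1000.0);
        lastMs = nowMs;
    }
};

// Hypothetical limiter: a call must find a token in both buckets.
class RateLimiter {
public:
    RateLimiter(double steadyPerSec, double burst, double longTermPerSec,
                double longTermBudget, std::int64_t nowMs)
        : m_short{steadyPerSec, burst, burst, nowMs},
          m_long{longTermPerSec, longTermBudget, longTermBudget, nowMs} {}

    // The clock is passed in so the behaviour is deterministic.
    bool allow(std::int64_t nowMs) {
        m_short.refill(nowMs);
        m_long.refill(nowMs);
        // Check both before consuming, so a refused call costs nothing.
        if (m_short.tokens < 1.0 || m_long.tokens < 1.0) return false;
        m_short.tokens -= 1.0;
        m_long.tokens -= 1.0;
        return true;
    }

private:
    Bucket m_short, m_long;
};

// Counts how many of `calls` back-to-back requests at nowMs are accepted.
int acceptedAt(RateLimiter &rl, std::int64_t nowMs, int calls) {
    int ok = 0;
    for (int i = 0; i < calls; ++i) ok += rl.allow(nowMs) ? 1 : 0;
    return ok;
}

int main() {
    // Constructed scenario: 10 calls/s steady, burst of 5, 1 call/s long term, budget 20.
    RateLimiter rl(10.0, 5.0, 1.0, 20.0, 0);
    return acceptedAt(rl, 0, 8) == 5 ? 0 : 1;
}
```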
<p >The Cute server takes performance to the next level, from thousands to millions of requests per second, even on modest hardware. With Cute, users need to deploy just a fraction of the instances that the alternatives require to provide the same level of performance as Cute. Thus, the local rate limiter is adequate even for medium-sized businesses. However, large deployments involving many Cute server instances may require a distributed rate limiter. In that case, developers can override the canCallRemoteSlot method to implement such a rate limiter.</p>
<h1><a class="anchor" id="autotoc_md79"></a>
Taking Action On Malicious Clients</h1>
<p >Beyond allowing developers to set limits and timeouts, the Cute server enables developers to act whenever timeouts occur or configured limits are exceeded. When such events occur, Cute calls the registered error handler. The error handler that developers register in source files lets them take action, such as blocking an abuser by IP using a cloud firewall, which blocks the abuser's traffic at the cloud provider's network layer and prevents it from even hitting the instances. </p>
</div></div><!-- contents -->
</div><!-- PageDoc -->
</div><!-- doc-content -->
<!-- HTML footer for doxygen 1.9.6-->
<!-- start footer part -->
</body>
</html>