Abstract
AbstractBuilt on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC’s features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hands-on security evaluation against the six most popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area.
Publisher
Springer Science and Business Media LLC
Subject
Computer Networks and Communications,Safety, Risk, Reliability and Quality,Information Systems,Software
Reference79 articles.
1. Belshe, M., Peon, R., Thomson, M.: Hypertext Transfer Protocol Version 2 (HTTP/2). RFC 7540. (2015). https://doi.org/10.17487/RFC7540. https://www.rfc-editor.org/info/rfc7540
2. Langley, A., et al.: The QUIC transport protocol: design and internet-scale deployment. In: Proceedings of the Conference of the ACM Special Interest Group on Data Communication. SIGCOMM’17. Association for Computing Machinery, Los Angeles, pp. 183–196 (2017). https://doi.org/10.1145/3098822.3098842
3. Iyengar, J., Thomson, M.: QUIC: a UDP-based multiplexed and secure transport. RFC 9000. (2021). https://doi.org/10.17487/RFC9000. https://www.rfc-editor.org/info/rfc9000
4. Thomson, M., Turner, S.: Using TLS to secure QUIC. RFC 9001. (2021). https://doi.org/10.17487/RFC9001. https://www.rfc-editor.org/info/rfc9001
5. Bishop, M.: Hypertext transfer protocol Version 3 (HTTP/3). Internet-Draft draft-ietf-quichttp- 34. Work in Progress. Internet Engineering Task Force, p. 75 (2021). https://datatracker.ietf.org/doc/html/draft-ietf-quic-http-34
Cited by
10 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Privacy Performance Trade-off in Web Services;2024 IEEE 49th Conference on Local Computer Networks (LCN);2024-10-08
2. QUICPro: Integrating Deep Reinforcement Learning to Defend against QUIC Handshake Flooding Attacks;Proceedings of the Applied Networking Research Workshop on zzz;2024-07-20
3. Performance of security options for message protocols: A comparative analysis;International Journal of Network Management;2024-05-13
4. QUICwand: A Machine Learning Optimization-Based Hybrid Defense Approach Against QUIC Flooding Attacks;2024 20th International Conference on the Design of Reliable Communication Networks (DRCN);2024-05-06
5. Security and Service Vulnerabilities with HTTP/3;2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS);2024-01-03