Revisiting QUIC attacks: a comprehensive review on QUIC security and a hands-on study.

Saved in:
Bibliographic Details
Title: Revisiting QUIC attacks: a comprehensive review on QUIC security and a hands-on study.
Authors: Chatzoglou, Efstratios1 (AUTHOR), Kouliaridis, Vasileios1 (AUTHOR), Karopoulos, Georgios2 (AUTHOR), Kambourakis, Georgios1 (AUTHOR) gkamb@aegean.gr
Source: International Journal of Information Security. Apr2023, Vol. 22 Issue 2, p347-365. 19p.
Subjects: Secure Sockets Layer (Computer network protocol), Security management, Computer network security
Abstract: Built on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC's features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hands-on security evaluation against the six most popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area. [ABSTRACT FROM AUTHOR]
Copyright of International Journal of Information Security is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
Full text is not displayed to guests.
FullText Links:
  – Type: pdflink
Text:
  Availability: 1
Header DbId: egs
DbLabel: Engineering Source
An: 162506637
AccessLevel: 6
PubType: Academic Journal
PubTypeId: academicJournal
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: Revisiting QUIC attacks: a comprehensive review on QUIC security and a hands-on study.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Chatzoglou%2C+Efstratios%22">Chatzoglou, Efstratios</searchLink><relatesTo>1</relatesTo> (AUTHOR)<br /><searchLink fieldCode="AR" term="%22Kouliaridis%2C+Vasileios%22">Kouliaridis, Vasileios</searchLink><relatesTo>1</relatesTo> (AUTHOR)<br /><searchLink fieldCode="AR" term="%22Karopoulos%2C+Georgios%22">Karopoulos, Georgios</searchLink><relatesTo>2</relatesTo> (AUTHOR)<br /><searchLink fieldCode="AR" term="%22Kambourakis%2C+Georgios%22">Kambourakis, Georgios</searchLink><relatesTo>1</relatesTo> (AUTHOR)<i> gkamb@aegean.gr</i>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22International+Journal+of+Information+Security%22">International Journal of Information Security</searchLink>. Apr2023, Vol. 22 Issue 2, p347-365. 19p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Secure+Sockets+Layer+%28Computer+network+protocol%29%22">Secure Sockets Layer (Computer network protocol)</searchLink><br /><searchLink fieldCode="DE" term="%22Security+management%22">Security management</searchLink><br /><searchLink fieldCode="DE" term="%22Computer+network+security%22">Computer network security</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: Built on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC's features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hands-on security evaluation against the six most popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of International Journal of Information Security is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=162506637
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1007/s10207-022-00630-6
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 19
        StartPage: 347
    Subjects:
      – SubjectFull: Secure Sockets Layer (Computer network protocol)
        Type: general
      – SubjectFull: Security management
        Type: general
      – SubjectFull: Computer network security
        Type: general
    Titles:
      – TitleFull: Revisiting QUIC attacks: a comprehensive review on QUIC security and a hands-on study.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Chatzoglou, Efstratios
      – PersonEntity:
          Name:
            NameFull: Kouliaridis, Vasileios
      – PersonEntity:
          Name:
            NameFull: Karopoulos, Georgios
      – PersonEntity:
          Name:
            NameFull: Kambourakis, Georgios
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 04
              Text: Apr2023
              Type: published
              Y: 2023
          Identifiers:
            – Type: issn-print
              Value: 16155262
          Numbering:
            – Type: volume
              Value: 22
            – Type: issue
              Value: 2
          Titles:
            – TitleFull: International Journal of Information Security
              Type: main
ResultId 1