Server-side software is the backbone of the Internet. Despite the omnipresence of this class of software and the huge impact of its potential compromise, modern vulnerability research in this area is scarce. The web server market specifically is highly consolidated, with just three software systems running nearly all of the Internet: Apache httpd, nginx, and Microsoft IIS. Even an N-day security vulnerability in just one of these systems can potentially allow arbitrary code execution on millions of Internet servers at a privileged level.
All web server engines share a large common attack surface, rooted in several widely adopted Internet protocols, common third-party software, and shared architectural primitives. The first part of this presentation will recap the dominant Internet technologies and protocols, abstract the common attack surface of various web server engines, and survey their common vulnerability classes.
The nginx web server powers around one third of all servers on the Internet. It is the preferred web server engine of top-ranking sites and its share is steadily growing, because it is compact, robust and fast, with a solid security record. The second part of this presentation will briefly discuss the nginx architecture, certain interesting low-level properties, and known bugs.
Alisa Esage (Alisa Shevchenko) is a security vulnerability researcher and hacker, reverse engineer, and businesswoman. As a researcher, she specializes in target-invariant zero-day vulnerability discovery and exploit development, and in low-level system internals.
Alisa has discovered numerous zero-day security bugs in a wide variety of modern software systems; has been awarded security bounties by major software vendors (Microsoft, Google, Mozilla, Oracle, Schneider Electric); won an international hacking competition, "Critical Infrastructure Attack" ("Hack the smart city"); has presented at several international security conferences; and wrote a Phrack article on the exploitation of a remote code execution vulnerability and the undocumented internals of a Microsoft software component. Currently her research interests lie in hypervisors, firmware, low-level hacking, and novel hardware architectures.
As an entrepreneur, Alisa has been involved in various business and non-profit ventures since 2009, and created the first hackerspace in Russia. She was featured in Forbes Russia as a young self-made entrepreneur in December 2015, and appeared in Grazia UK magazine in January 2017.
Alisa publishes some of her technical Research Notes at: re.alisa.sh.