
Attacking HTTP/2 Implementations - _jomo
http://yahoo-security.tumblr.com/post/134549767190/attacking-http2-implementations
======
Filligree
Also in this article:

    - 2 remotely-exploitable bugs in an unsafe-language implementation.
    - 2 probably-inexploitable bugs in a JS-based server.

How many times will we have to repeat this exercise before people realize
that, maybe, it's worth even a 50% performance hit if you can avoid exposing
binaries like that to the internet?

~~~
mappu
I was about to comment along the lines of "it's possible to write safe, modern
C or C++!" but it seems like the issue was actually unsigned integer underflow
- which doesn't have the kind of obvious "get with the times!" answer that you
would normally expect (e.g. replace char[] with std::vector, use
RAII/std::shared_ptr<>/references instead of the chance to use a raw pointer
after free, and all that). JavaScript avoids this issue by not really
supporting unsigned integers.

I always found it interesting how libcurl used float instead of int64 to
represent (obviously integral) file sizes. I assume it's for guaranteeing
53-bit integer precision on platforms without int64, but as a corollary
there's no such (common) thing as an unsigned float; I'm sure this seemingly
strange decision eliminated a large class of bugs.
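An added illustration of the unsigned-underflow class mappu describes, using the padding field of an HTTP/2 DATA frame (RFC 7540 section 6.1: with the PADDED flag set, the first payload byte is Pad Length). This is example code written for this thread; it is not code from the article, from either commenter, or from any of the implementations the article tested. The two sample payloads are constructed, and both functions (`data_len_unchecked`, `data_len_checked`) are hypothetical names chosen here. The vulnerable variant shows how a Pad Length larger than the payload wraps a `size_t` subtraction into a huge length; the hardened variant checks the range first, which is also what the RFC requires (a connection error of type PROTOCOL_ERROR).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed sample payloads for an HTTP/2 DATA frame carrying the PADDED
 * flag: first byte is Pad Length, then the data, then the padding bytes.
 * Both arrays are made up for this example.
 */
static const uint8_t kGoodPayload[] = { 0x02, 'h', 'i', 0x00, 0x00 }; /* pad=2, data="hi" */
static const uint8_t kBadPayload[]  = { 0x10, 'h', 'i', 0x00 };       /* pad=16 > payload */

/* Vulnerable: subtracts in size_t with no range check, so a Pad Length that
 * exceeds the payload wraps to a huge "data length". A caller that then
 * copies or parses that many bytes reads far past the end of the frame. */
size_t data_len_unchecked(const uint8_t *payload, size_t payload_len)
{
    size_t pad_len = payload[0];
    return payload_len - 1 - pad_len;   /* wraps when pad_len + 1 > payload_len */
}

/* Hardened: validates before subtracting. Returns the data length, or -1 when
 * the padding would exceed the payload (PROTOCOL_ERROR in RFC 7540 terms).
 * pad_len is at most 255, so pad_len + 1 cannot itself overflow, and HTTP/2
 * frames are below 2^24 bytes, so the result always fits in a long. */
long data_len_checked(const uint8_t *payload, size_t payload_len)
{
    if (payload_len < 1)
        return -1;                      /* no room for the Pad Length byte */
    size_t pad_len = payload[0];
    if (pad_len + 1 > payload_len)
        return -1;                      /* padding exceeds the frame */
    return (long)(payload_len - 1 - pad_len);
}

int main(void)
{
    size_t n = data_len_unchecked(kBadPayload, sizeof kBadPayload);
    printf("unchecked: payload is %zu bytes, computed data length is %zu\n",
           sizeof kBadPayload, n);
    printf("checked: good=%ld bad=%ld\n",
           data_len_checked(kGoodPayload, sizeof kGoodPayload),
           data_len_checked(kBadPayload, sizeof kBadPayload));
    return 0;
}
```

The unchecked function never touches memory beyond `payload[0]`, so the program itself is safe to run; the damage in a real parser comes one step later, when the wrapped length is handed to a copy or a loop bound. Compiling with `-fsanitize=unsigned-integer-overflow` (clang) flags the subtraction at runtime, which is a cheap way to fuzz for exactly this class.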

------
ImJasonH
http2fuzz
([https://github.com/c0nrad/http2fuzz](https://github.com/c0nrad/http2fuzz))
sounds really useful, but it says "(No longer under development)" :(

------
andridk
I'm curious if someone has tried attacking Go(lang)'s HTTP2 implementation
yet?

The tool is written in Go, so I'm curious why it's not on the list.

