Education
June 05, 2020

Will gRPC Be the Next Protocol to Slip by Your Defenses?

Longstanding security challenges such as input validation, data exposure, and rate limits are affecting modern gRPC-based applications.

gRPC (gRPC Remote Procedure Call) is a protocol that is gaining a lot of traction in the microservices world and is becoming a popular alternative for developers to use instead of REST (representational state transfer). Many organizations are trying to adopt gRPC, and technology blog sites are abuzz with chatter about choosing between REST and gRPC APIs.

Recently, F5 Labs learned that a large organization had challenges with gRPC-enabled applications aligning to the Zero Trust security model, as many conventional security tools do not cover gRPC as a protocol. So, we at F5 Labs decided to write a demo gRPC application to boost understanding and to test some of the security controls. This article briefly introduces gRPC and shares details on setting up a vulnerable demo application.

What is gRPC?

A remote procedure call (RPC) is used by a program to call a subroutine that is available on another computer as though it were available locally. To support different kinds of clients, RPCs use an interface description language (IDL).1 gRPC is the latest iteration of RPC. It uses HTTP/2 for transport and Protocol Buffers (protobufs) (alternate data formats like JSON can be used) as the IDL. Protocol Buffers is a mechanism for serializing structured data useful for transmitting or storing. It produces compact binary messages.

The website grpc.io defines gRPC as a modern, open source remote procedure call framework that can run anywhere.2 It enables client–server applications to communicate transparently and makes it easier to build connected systems. It is a Cloud Native Computing Foundation (CNCF) project and is used by several organizations like Google, Netflix, Docker, and others.

The sample architecture in Figure 1 shows a cluster of gRPC servers communicating with a gRPC client.

Sample architecture for gRPC Client and Server
Figure 1. Sample architecture for gRPC client and server

Design principles of gRPC provide significant advantages compared to RESTful styles of APIs in terms of client libraries and performance. This makes it a suitable choice for inter-service API calls. Advantages come in the form of:

  • Data format: Use of protocol buffers leads to smaller payloads, improving the performance of gRPC
  • Contracts: Service definitions are mandatory, unlike Open API specs for RESTful APIs
  • Streaming: Support for client, server, and bi-directional streaming
  • Multi-language support: gRPC supports cross-language invocations; server code can be written in Java whereas the client language can be Python
  • Client code generation: Native support for generating codes in multiple languages such as Python, Go, and Java1
  • Server stub generation: Developers need to focus on business logic, while the process for serialization, parsing, validation, etc. are autogenerated

The Security Concern with gRPC

As the adoption of gRPC rises, security operations teams need to measure the effectiveness of existing security solutions towards the protocol. As an example, gRPC messages are in binary format, which might cause issues in the inspection process with inspection devices that expect to see ASCII-based communications.

gRPC-based APIs need defense against modern-day challenges, and the security checks listed below are needed:

  • Content validation: Weed out malicious payload within the binary messages
  • Protection against accidental disclosures: Mask or block sensitive data leaving the system
  • Application of rate limits: Rate limit a malicious client
  • Authentication: Enforce authentication and authorization prior to granting access to data

The Practice Range

Security practitioners can set up an environment to test the efficacy of their tools for gRPC by either pulling down the containers from docker hub2 or building the code base available on github3 for the Hello Nerd application.

Hello Nerd Application

This is a simple application built in Python. It responds to a user’s gRPC call with a random message.

Hello Nerd sample response from server
Figure 2. Sample response from server

Steps to pull down the containers and set up a test environment

  1. Pull down the image
    docker pull sbacker/hellonerd:v1
Hello Nerd command to pull down image from docker hub
Figure 3. Command to pull down image from docker hub
  1. Create instance for server
    docker run --name hellonerd_s -d sbacker/hellonerd:v1 python server.py
Hello Nerd command to launch gRPC server
Figure 4. Command to launch gRPC server
  1. Get IP address for the hellonerd server
    docker inspect hellonerd_s | grep IPAddress
Hello Nerd command to capture gRPC server IP Address
Figure 5. Command to capture gRPC server IP address
  1. Create a client instance
    docker run --name hellonerd_c --rm sbacker/hellonerd python client.py shaan 172.17.0.2 50055 --normal
Hello Nerd command to launch gRPC client
Figure 6. Command to launch gRPC client

Vulnerabilities Built into the Hello Nerd Application

The application is built with the following three vulnerabilities:

  1. There is no user input validation, however, the response changes when the server detects special characters in user input to show the attack went through.
    docker run --name hellonerd_c --rm sbacker/hellonerd:v1 python client.py “1\’ OR 1=1” 172.17.0.2 50055 –normal
Hello Nerd command to launch exploit on unvalidated input
Figure 7. Command to launch exploit on unvalidated input
  1. Accidental disclosure of credit card numbers.
    docker run --name hellonerd_c --rm sbacker/hellonerd:v1 python client.py shaan 172.17.0.2 50055 --norm
Hello Nerd gRPC server exposes sensitive data
Figure 8. gRPC server exposes sensitive data
  1. No application of rate limits. Usage of –detonate option on clients starts firing the request in a loop.
Hello Nerd gRPC server does not impose any rate limit
Figure 9. gRPC server does not impose any rate limit

Conclusion

gRPC is gaining in popularity as the compact format of messages with protobuf and usage of HTTP/2 bring significant performance improvements. It is critical for security teams to assess their tools’ effectiveness for this protocol. The Hello Nerd application can be a starting point in testing security controls.

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.