chunkloris: uvicorn
part of the chunkloris per-chunk amplification survey. this page is the per-server record for uvicorn under http/1.1 chunked transfer encoding.
at a glance
- server: uvicorn 0.32.1
- runtime: python-3.12
- ecosystem: python
- concurrency model: event-loop
- parser: h11 0.16.0 (pure Python)
- delivery granularity: per-chunk
- chunk-limit helper: exposed-stdlib
- verdict: per-chunk; the parser/dispatcher boundary delivers one event per wire chunk. cpu cost under paced mode b is measurable per chunk.
- scaling exponent (mode a): 0.96 (wall time vs N, log-log slope across common cells)
- scaling exponent (mode b): 1.00
measurements
all cells run on a 1-vcpu docker container. cpu cost is derived from the target container's cgroup v2 cpu.stat usage_usec delta around each cell.
| mode | N | wall (s) | server cpu % | µs / chunk | basis | ok |
|---|---|---|---|---|---|---|
| A-bridge-coalesced | 50,000 | 0.210 | 115.2 | 4.830 | server-cpu-cgroup | ✓ |
| A-bridge-coalesced | 100,000 | 0.383 | 107.8 | 4.134 | server-cpu-cgroup | ✓ |
| A-bridge-coalesced | 250,000 | 0.975 | 103.2 | 4.026 | server-cpu-cgroup | ✓ |
| A-bridge-coalesced | 500,000 | 2.480 | n/a | 4.960 | wall | ✓ |
| A-bridge-coalesced | 1,000,000 | 4.980 | n/a | 4.980 | wall | ✓ |
| B-paced-100us | 50,000 | 5.124 | 16.2 | 16.624 | server-cpu-cgroup | ✓ |
| B-paced-100us | 100,000 | 10.278 | 13.9 | 14.256 | server-cpu-cgroup | ✓ |
| B-paced-100us | 250,000 | 25.574 | 13.7 | 13.987 | server-cpu-cgroup | ✓ |
parser path: source citations
- decoder: h11/_connection.py:438 (source)
- handler-delivery: uvicorn/protocols/http/h11_impl.py:257-261 (source)
what this means
the parser/dispatcher path on this server delivers one event per chunked-transfer-encoding chunk, so an attacker who sends a body as N one-byte chunks consumes roughly N × (mode-b µs/chunk) of server cpu on a single core. amplification scales linearly with N until the framework's max_request_body_size (or equivalent) is hit.
what to do today
- if this server runs as an origin behind nginx with the default proxy_request_buffering on, the per-chunk attack shape does not reach this server: nginx delivers one content-length-framed body to the upstream in a single recv().
- if deployed direct-exposed, behind haproxy with default streaming, or behind any reverse proxy with proxy_request_buffering off, the per-chunk cost reaches this server.
- there is no framework-level chunk-count limit in the default config; use a frontend buffer, transport-layer rate limiting, or a wrapping middleware that imposes a chunk-count cap before draining the body.
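the "wrapping middleware" option above, as an added example that is not part of the survey or of uvicorn itself: an ASGI middleware that counts `http.request` body events (one per wire chunk on uvicorn's h11 path, per the delivery-granularity finding above) and answers 413 once a request exceeds a cap. the `make_chunked_receive` stand-in for uvicorn's `receive()` and the `echo_length_app` are constructed here so the block runs offline; the cap value 256 is an arbitrary default, not a recommendation from the page.

```python
"""Added example: cap the number of body events an ASGI request may deliver.

Under uvicorn's h11 path each wire chunk becomes one http.request event, so
capping events caps the per-chunk parser/dispatcher work a single request can
force. It complements, and does not replace, a buffering frontend.
"""
import asyncio


class ChunkLimitExceeded(Exception):
    """Raised inside the wrapped receive() once the chunk cap is passed."""


class ChunkCountLimitMiddleware:
    """Wrap an ASGI app; abort with 413 after more than max_chunks body events."""

    def __init__(self, app, max_chunks=256):
        self.app = app
        self.max_chunks = max_chunks

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        state = {"chunks": 0, "response_started": False}

        async def limited_receive():
            message = await receive()
            if message["type"] == "http.request":
                state["chunks"] += 1
                if state["chunks"] > self.max_chunks:
                    raise ChunkLimitExceeded(state["chunks"])
            return message

        async def tracking_send(message):
            # Remember whether headers are already on the wire; if so we
            # cannot substitute a 413 later.
            if message["type"] == "http.response.start":
                state["response_started"] = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except ChunkLimitExceeded:
            if state["response_started"]:
                return  # nothing safe left to send; the connection is dropped
            await send({"type": "http.response.start", "status": 413,
                        "headers": [(b"content-length", b"0"),
                                    (b"connection", b"close")]})
            await send({"type": "http.response.body", "body": b""})


def make_chunked_receive(n_chunks):
    """Constructed stand-in for uvicorn's receive(): n one-byte body events,
    the last one with more_body=False (mirrors a body sent as N 1-byte chunks)."""
    remaining = [n_chunks]

    async def receive():
        remaining[0] -= 1
        return {"type": "http.request", "body": b"a",
                "more_body": remaining[0] > 0}

    return receive


async def echo_length_app(scope, receive, send):
    """Constructed minimal app: drains the body and reports its byte length."""
    total = 0
    while True:
        msg = await receive()
        total += len(msg.get("body", b""))
        if not msg.get("more_body", False):
            break
    body = str(total).encode()
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


def simulate(n_chunks, max_chunks=256):
    """Drive the wrapped app with n_chunks body events; return (status, body)."""
    sent = []

    async def send(message):
        sent.append(message)

    app = ChunkCountLimitMiddleware(echo_length_app, max_chunks=max_chunks)
    scope = {"type": "http", "method": "POST", "path": "/"}
    asyncio.run(app(scope, make_chunked_receive(n_chunks), send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent
                    if m["type"] == "http.response.body")
    return status, body


if __name__ == "__main__":
    print(simulate(100))      # (200, b'100')
    print(simulate(10_000))   # (413, b'')
```

the cap trips on the first event past the limit, before the remaining chunks are drained, so the parser work already spent is bounded by the cap rather than by N. the middleware only limits work per request; a connection-rate or frontend buffer is still needed to bound work across many requests.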
reproducer
the full reproducer for this server is in the paper repo. the docker container pins uvicorn 0.32.1 and constrains the test container to a single cpu (--cpus=1). the prober script implements mode a (bridge-coalesced) and mode b (paced 100 µs) per the methodology section.
see the draft pdf for the full per-framework discussion.