Static Detection of DoS Vulnerabilities in Programs that Use Regular Expressions

Wüstholz, Valentin; Olivo, Oswaldo; Heule, Marijn J. H.; Dillig, Işıl

doi:10.1007/978-3-662-54580-5_1

Cited by 39 publications

(34 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Prior work for detecting AC vulnerabilities in Java programs includes static analysis on popular libraries [32], [38], [62], object-graph engineering on Java's serialization facilities [21], and exploiting worst-case runtime of algorithms found in commercial grade networking equipment [20]. On the Android platform, Huang et al [29] use a combination of static and dynamic analysis to detect AC vulnerabilities within Android's System Server.…”

Section: A Ac Vulnerability Analysismentioning

confidence: 99%

“…In fact, prior research has started to explore program analysis techniques for finding AC vulnerabilities in software. Most of this work is based on manual or static analysis that scales to real world code bases, but focuses on detecting known sources of AC vulnerabilities, such as triggering worst case performance of commonly used data structures [19], regular expression engines [32], [57], [62], or serialization APIs [21]. Fuzz testing, where a fuzzer feeds random input to a program under test until the program either crashes or times out, has historically revealed serious bugs that permit Remote Code-Execution (RCE) exploits in widely used software such as operating system kernels, mobile devices, and web browsers.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

Blair¹,

Mambretti²,

Arshad³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Fifteen billion devices run Java and many of them are connected to the Internet. As this ecosystem continues to grow, it remains an important task to discover any unknown security threats these devices face. Fuzz testing repeatedly runs software on random inputs in order to trigger unexpected program behaviors, such as crashes or timeouts, and has historically revealed serious security vulnerabilities. Contemporary fuzz testing techniques focus on identifying memory corruption vulnerabilities that allow adversaries to achieve either remote code execution or information disclosure. Meanwhile, Algorithmic Complexity (AC) vulnerabilities, which are a common attack vector for denial-ofservice attacks, remain an understudied threat.In this paper, we present HotFuzz, a framework for automatically discovering AC vulnerabilities in Java libraries. HotFuzz uses micro-fuzzing, a genetic algorithm that evolves arbitrary Java objects in order to trigger the worst-case performance for a method under test. We define Small Recursive Instantiation (SRI) as a technique to derive seed inputs represented as Java objects to micro-fuzzing. After micro-fuzzing, HotFuzz synthesizes test cases that triggered AC vulnerabilities into Java programs and monitors their execution in order to reproduce vulnerabilities outside the fuzzing framework. HotFuzz outputs those programs that exhibit high CPU utilization as witnesses for AC vulnerabilities in a Java library.We evaluate HotFuzz over the Java Runtime Environment (JRE), the 100 most popular Java libraries on Maven, and challenges contained in the DARPA Space and Time Analysis for Cybersecurity (STAC) program. We evaluate SRI's effectiveness by comparing the performance of micro-fuzzing with SRI, measured by the number of AC vulnerabilities detected, to simply using empty values as seed inputs. In this evaluation, we verified known AC vulnerabilities, discovered previously unknown AC vulnerabilities that we responsibly reported to vendors, and received confirmation from both IBM and Oracle. Our results demonstrate that micro-fuzzing finds AC vulnerabilities in realworld software, and that micro-fuzzing with SRI-derived seed inputs outperforms using empty values.

show abstract

Section: A Ac Vulnerability Analysismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

Blair¹,

Mambretti²,

Arshad³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…In order to answer our remaining research questions we needed a polyglot regex corpus: a set of regexes extracted from a large sample of software projects written in many programming languages. The existing regex corpuses are small-scale [20,107] or include only two programming languages [26]. Our corpus is neither, covering about 200,000 projects in 8 programming languages Ð see Table 1.…”

Section: Polyglot Regex Corpusmentioning

confidence: 99%

Why aren’t regular expressions a lingua franca? an empirical study on the re-use and portability of regular expressions

Davis

Michael

Coghlan

et al. 2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

View full text Add to dashboard Cite

This paper explores the extent to which regular expressions (regexes) are portable across programming languages. Many languages offer similar regex syntaxes, and it would be natural to assume that regexes can be ported across language boundaries. But can regexes be copy/pasted across language boundaries while retaining their semantic and performance characteristics? In our survey of 158 professional software developers, most indicated that they re-use regexes across language boundaries and about half reported that they believe regexes are a universal language. We experimentally evaluated the riskiness of this practice using a novel regex corpus Ð 537,806 regexes from 193,524 projects written in JavaScript, Java, PHP, Python, Ruby, Go, Perl, and Rust. Using our polyglot regex corpus, we explored the hitherto-unstudied regex portability problems: logic errors due to semantic differences, and security vulnerabilities due to performance differences. We report that developers' belief in a regex lingua franca is understandable but unfounded. Though most regexes compile across language boundaries, 15% exhibit semantic differences across languages and 10% exhibit performance differences across languages. We explained these differences using regex documentation, and further illuminate our findings by investigating regex engine implementations. Along the way we found bugs in the regex engines of JavaScript-V8, Python, Ruby, and Rust, and potential semantic and performance regex bugs in thousands of modules. CCS CONCEPTS • Software and its engineering → Reusability; • Social and professional topics → Software selection and adaptation.

show abstract

“…The increasing use of regular expressions has led many researchers to consider them as the domain of their work. Wüstholz V [2] proposed a tool called "Exploiter" to secure applications that use regular expressions. Cochran RA [3] offered a tool called "CROWDBOOST" to help developers find the most appropriate regular expression.…”

Section: Introductionmentioning

confidence: 99%

“…Spishak E proposed an annotation-based API to help the developer find the errors of regular expressions during the compilation phase of a program [10]. Other works aimed at helping the developer to simplify, validate or automatically generate regular expressions [2][3][4]. All features built into our Regex Criteria API will be illustrated by examples implemented using the Java language syntax.…”

Section: Introductionmentioning

confidence: 99%

A regexcriteria API to complete the power of regular expressions engine

Hassan¹,

Amina²,

Amine³

et al. 2019

IJECE

View full text Add to dashboard Cite

Regular expressions are heavily used in the field of computer programming. They are known by their strength to search or replace parts of strings according to a given structure (mails, phone, numbers, etc.). Currently regular expressions are only used to search for some patterns or to make some substitutions in strings. However, the need may be wider than that when it comes to order the results of a regular expression or to group them according to some criteria. Developers are always called to analyze the results of a regular expression by doing some restrictions such as (equal, not equal, between) or some projections like (maximum, average, grouping by ..) or sorts. Unfortunately, to do these treatments, the developer must implement his own algorithms which cost him a remarkable effort and a waste of time. We propose in this paper an API called RegexCriteria inspired from Hibernate Criteria to support developer while analysing the results of a regular expression.

show abstract

Static Detection of DoS Vulnerabilities in Programs that Use Regular Expressions

Cited by 39 publications

References 31 publications

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing

Why aren’t regular expressions a lingua franca? an empirical study on the re-use and portability of regular expressions

A regexcriteria API to complete the power of regular expressions engine

Contact Info

Product

Resources

About