Skip to main content

Caught in the Web: DoS Vulnerabilities in Parsers for Structured Data

  • 1962 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12972)

Abstract

We study a class of denial-of-service (DoS) vulnerabilities that occur in parsing structured data. These vulnerabilities enable low bandwidth DoS attacks with input that causes algorithms to execute in disproportionately large time and/or space. We generalise the characteristics of these vulnerabilities, and frame them in terms of three aspects, TTT: (1) the Topology of composite data structures formed by the internal representation of parsed data, (2) the presence of recursive functions for the Traversal of the data structures and (3) the presence of a Trigger that enables an attacker to activate the traversal.

An analysis based on this abstraction was implemented for one target platform (Java), and in our study, we found that the impact of the results obtained with this method goes beyond Java. The inputs from our investigation revealed several similar vulnerabilities in programs written in other languages such as Rust and PHP. As a result we have reported 11 issues (of which seven have been accepted as issues), and obtained four CVEs for some of those issues in PDF, SVG and YAML libraries across different languages.

Keywords

  • DoS
  • Security
  • Vulnerabilities
  • Analysis

The work of the second author was supported by Oracle Labs, Australia.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88418-5_4
  • Chapter length: 19 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88418-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.

Notes

  1. 1.

    https://blog.cloudflare.com/cloudflare-outage/ [Accessed 08-October-2020].

  2. 2.

    Java serialisation, https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html [Accessed 08-October-2020].

  3. 3.

    https://bitbucket.org/unshorn/ciwstudy/.

  4. 4.

    Many-to-many relationships, in the database community, describe one type of cardinality of relationships between two entities.

  5. 5.

    For instance, in java.io.File, state is used to determine whether an element is a container (a directory) or a child (a file). This can be considered a case of a composite that uses structural instead of nominal typing.

  6. 6.

    A good example for this is how the parent reference is maintained in the java.awt.Container.add* methods which add a child component to the visual component hierarchy.

  7. 7.

    Sometimes, the reverse points-to edges are inferred.

  8. 8.

    The cont role corresponds to the Container role in the design pattern, whereas the comp roles corresponds to the Component role. We do not consider a particular leaf type.

  9. 9.

    Maven usage statistics (obtained on 12 Feb. 2020).

  10. 10.

    https://www.gnome.org.

  11. 11.

    https://cairosvg.org/.

  12. 12.

    https://inkscape.org/.

  13. 13.

    https://mvnrepository.com/.

  14. 14.

    https://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/ [Accessed 08-October-2020].

  15. 15.

    https://wiki.gnome.org/action/show/Projects/LibRsvg [Accessed 08-October-2020].

  16. 16.

    https://stackoverflow.com.

  17. 17.

    https://gitlab.com.

  18. 18.

    https://github.com.

  19. 19.

    https://github.com/darylldoyle/svg-sanitizer [Accessed 08-October-2020].

References

  1. Bravenboer, M., Smaragdakis, Y.: Strictly declarative specification of sophisticated points-to analyses. In: Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications, OOPSLA 2009, Association for Computing Machinery, New York, NY, USA, pp. 243–262 (2009). https://doi.org/10.1145/1640089.1640108

  2. Breen, S.: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability (2015). https://goo.gl/cx7X4D. Accessed on 08 Oct 2020

  3. Burnim, J., Juvekar, S., Sen, K.: WISE: automated test generation for worst-case complexity. In: Proceedings of the ICSE 2009. IEEE (2009)

    Google Scholar 

  4. Ceri, S., Gottlob, G., Tanca, L.: What you always wanted to know about Datalog (and never dared to ask). IEEE TKDE 1(1), 146–166 (1989)

    Google Scholar 

  5. Coekaerts, W.: SerialDOS (2015). https://gist.github.com/coekie/a27cc406fc9f3dc7a70d. Accessed on 08 Oct 2020

  6. CVE-2003-1564 (Billion Laughs) (2003). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564. Accessed on 14 Jan 2020

  7. Crosby, S.A., Wallach, D.S.: Denial of service via algorithmic complexity attacks. In: Proceedings of the USENIX Security 2003. USENIX Association (2003)

    Google Scholar 

  8. Dietrich, J., Hollingum, N., Scholz, B.: Giga-scale exhaustive points-to analysis for Java in under a minute. In: Proceedings of the OOPSLA 2015. ACM (2015)

    Google Scholar 

  9. Dietrich, J., Jezek, K., Rasheed, S., Tahir, A., Potanin, A.: Evil Pickles: DoS attacks based on object-graph engineering. In: Proceedings of the ECOOP 2017 (2017)

    Google Scholar 

  10. Frohoff, C., Lawrence, G.: Marshalling Pickles (2015). http://frohoff.github.io/appseccali-marshalling-pickles/. Accessed on 08 Oct 2020

  11. Gamma, E., Vlissides, J., Johnson, R., Helm, R.: Design Patterns: Elements of Reusable Object-oriented Software. Addison-Wesley (1994)

    Google Scholar 

  12. GhostScript: An interpreter for the PostScript language and for PDF (2019). https://www.ghostscript.com/. Accessed on 14 Jan 2020

  13. Gosling, J., Joy, B., Steele, G., Brache, G., Buckley, A.: The Java® Language Specification Java SE 8 Edition (2015). https://docs.oracle.com/javase/specs/jls/se8/jls8.pdf. Accessed on 08 Oct 2020

  14. Grech, N., Smaragdakis, Y.: P/Taint: unified points-to and taint analysis. In: Proceedings of the OOPSLA 2017. ACM (2017)

    Google Scholar 

  15. Holland, B., Santhanam, G.R., Awadhutkar, P., Kothari, S.: Statically-informed dynamic analysis tools to detect algorithmic complexity vulnerabilities. In: Proceedings of the SCAM 2016. IEEE (2016)

    Google Scholar 

  16. Klees, G., Ruef, A., Cooper, B., Wei, S., Hicks, M.: Evaluating fuzz testing. In: Proceedings of the CCS 2018. ACM (2018)

    Google Scholar 

  17. Lemieux, C., Padhye, R., Sen, K., Song, D.: PerfFuzz: automatically generating pathological inputs. In: Proceedings of the ISSTA 2018. ACM (2018)

    Google Scholar 

  18. Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the USENIX Security 2014. USENIX Association (2005)

    Google Scholar 

  19. Nistor, A., Song, L., Marinov, D., Lu, S.: Toddler: detecting performance problems via similar memory-access patterns. In: Proceedings of the ICSE 2013. IEEE (2013)

    Google Scholar 

  20. Noller, Y., Kersten, R., Păsăreanu, C.S.: Badger: complexity analysis with fuzzing and symbolic execution. In: Proceedings of the ISSTA 2018. ACM (2018)

    Google Scholar 

  21. Olivo, O., Dillig, I., Lin, C.: Static detection of asymptotic performance bugs in collection traversals. In: Proceedings of the PLDI 2015. ACM (2015)

    Google Scholar 

  22. Padhye, R., Sen, K.: Travioli: a dynamic analysis for detecting data-structure traversals. In: Proceedings of the ICSE 2017. IEEE (2017)

    Google Scholar 

  23. Păsăreanu, C.S., Kersten, R., Luckow, K., Phan, Q.S.: Symbolic execution and recent applications to worst-case execution, load testing, and security analysis. Adv. Comput. 113, 289–314 (2019). https://doi.org/10.1016/bs.adcom.2018.10.004

    CrossRef  Google Scholar 

  24. PDF Reference 6th edition (2006). https://www.adobe.com/content/dam/acom/en/devnet/-pdf/pdf_reference_archive/pdf_reference_1-7.pdf. Accessed on 14 Jan 2020

  25. Petsios, T., Zhao, J., Keromytis, A.D., Jana, S.: SlowFuzz: automated domain-independent detection of algorithmic complexity vulnerabilities. In: Proceedings of the CCS 2017. ACM (2017)

    Google Scholar 

  26. Rasheed, S., Dietrich, J., Tahir, A.: Laughter in the wild: a study into DoS vulnerabilities in YAML libraries. In: Proceedings of the TrustCom 2019. IEEE (2019)

    Google Scholar 

  27. Scholz, B., Jordan, H., Subotić, P., Westmann, T.: On fast large-scale program analysis in datalog. In: Proceedings of the 25th International Conference on Compiler Construction, CC 2016, Barcelona, Spain, March 12–18, 2016. ACM (2016)

    Google Scholar 

  28. Sridharan, M., Gopan, D., Shan, L., Bodík, R.: Demand-driven points-to analysis for Java. In: Proceedings of the OOPSLA 2005. ACM (2005)

    Google Scholar 

  29. Staicu, C.A., Pradel, M.: Freezing the web: a study of ReDoS vulnerabilities in Javascript-based web servers. In: Proceedings of the USENIX Security 2018. USENIX Association (2018)

    Google Scholar 

  30. Sundaresan, V., et al.: Practical virtual method call resolution for Java. In: Proceedings of the OOPSLA 2000. ACM (2000)

    Google Scholar 

  31. Scalable Vector Graphics (SVG) 1.1, 2nd edn. (2011). https://www.w3.org/TR/SVG11/REC-SVG11-20110816.pdf. Accessed on 14 Jan 2020

  32. Wei, J., Chen, J., Feng, Y., Ferles, K., Dillig, I.: Singularity: pattern fuzzing for worst case complexity. In: Proceedings of the ESEC/FSE 2018. ACM (2018)

    Google Scholar 

  33. Wüstholz, V., Olivo, O., Heule, M.J.H., Dillig, I.: Static detection of DoS vulnerabilities in programs that use regular expressions. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10206, pp. 3–20. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54580-5_1

    CrossRef  MATH  Google Scholar 

  34. YAML Ain’t Markup Language (YAML) Version 1.2 (2019). https://yaml.org/spec/1.2/spec.html. Accessed on 08 Oct 2020

  35. Yannakakis, M.: Graph-theoretic methods in database theory. In: Proceedings of the PODS 1990. ACM (1990)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Shawn Rasheed .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Rasheed, S., Dietrich, J., Tahir, A. (2021). Caught in the Web: DoS Vulnerabilities in Parsers for Structured Data. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer ScienceComputer Science (R0)