Abstract
We study a class of denial-of-service (DoS) vulnerabilities that occur in parsing structured data. These vulnerabilities enable low bandwidth DoS attacks with input that causes algorithms to execute in disproportionately large time and/or space. We generalise the characteristics of these vulnerabilities, and frame them in terms of three aspects, TTT: (1) the Topology of composite data structures formed by the internal representation of parsed data, (2) the presence of recursive functions for the Traversal of the data structures and (3) the presence of a Trigger that enables an attacker to activate the traversal.
An analysis based on this abstraction was implemented for one target platform (Java), and in our study we found that the impact of the results obtained with this method goes beyond Java. The inputs from our investigation revealed several similar vulnerabilities in programs written in other languages such as Rust and PHP. As a result, we have reported 11 issues (seven of which have been accepted as issues) and obtained four CVEs for some of those issues in PDF, SVG and YAML libraries across different languages.
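The three TTT aspects can be seen in a few dozen lines. The example below is added here and is not the paper's analysis or code from any of the libraries it studies; it assumes a constructed mini-format in which `name = leaf` defines a leaf and `name = r1 r2 ...` defines a container whose children are earlier definitions, with a reference binding the same object (as a YAML alias or a PDF indirect reference does). The Topology is the resulting DAG of shared children, the Traversal is a recursive `countLeavesNaive`, and the Trigger is whatever consumer reaches that traversal on untrusted input. The defensive half memoises by object identity and lets the parser enforce an expansion budget before any consumer runs.

```java
import java.util.*;

// TTT walk-through on a constructed mini-format (an assumption for this example, not a
// real library): "name = leaf" defines a leaf, "name = r1 r2 ..." a container whose
// children are earlier definitions. A reference binds the same object, like a YAML alias
// or a PDF indirect reference, so a few lines build a DAG with 2^depth root-to-leaf paths.
public final class TttDemo {

    interface Node { }                                  // comp role of the composite pattern
    static final class Leaf implements Node { }
    static final class Container implements Node {      // cont role; children may be shared
        final List<Node> children = new ArrayList<>();
    }

    // Parse the mini-format; the last definition is the document root.
    static Node parse(String text) {
        Map<String, Node> defs = new LinkedHashMap<>();
        Node root = null;
        for (String line : text.split("\n")) {
            if (line.trim().isEmpty()) continue;
            String[] kv = line.split("=", 2);
            if (kv.length != 2) throw new IllegalArgumentException("bad line: " + line);
            String body = kv[1].trim();
            Node node;
            if (body.equals("leaf")) {
                node = new Leaf();
            } else {
                Container c = new Container();
                for (String ref : body.split("\\s+")) {
                    Node child = defs.get(ref);
                    if (child == null) throw new IllegalArgumentException("unknown reference: " + ref);
                    c.children.add(child);              // same object, not a copy: the Topology
                }
                node = c;
            }
            defs.put(kv[0].trim(), node);
            root = node;
        }
        if (root == null) throw new IllegalArgumentException("empty input");
        return root;
    }

    // Naive recursive Traversal: a subtree shared k times is walked k times, so the cost is
    // the number of root-to-leaf paths. Any caller that reaches it on untrusted input, such
    // as toString() during logging, is the Trigger.
    static long countLeavesNaive(Node n) {
        if (n instanceof Leaf) return 1;
        long total = 0;
        for (Node child : ((Container) n).children) total += countLeavesNaive(child);
        return total;
    }

    // Hardened traversal: memoise by object identity so each node is expanded once. Same
    // result as the naive walk in time linear in nodes plus edges; Math.addExact throws an
    // ArithmeticException on overflow instead of silently wrapping.
    static long expandedSize(Node n, IdentityHashMap<Node, Long> memo) {
        if (n instanceof Leaf) return 1;
        Long cached = memo.get(n);
        if (cached != null) return cached;
        long total = 0;
        for (Node child : ((Container) n).children) total = Math.addExact(total, expandedSize(child, memo));
        memo.put(n, total);
        return total;
    }

    // Parser-side mitigation: bound the expanded size before any consumer can trigger a traversal.
    static Node parseWithBudget(String text, long maxExpanded) {
        Node root = parse(text);
        long size = expandedSize(root, new IdentityHashMap<>());
        if (size > maxExpanded) throw new IllegalArgumentException("expanded size " + size + " exceeds budget " + maxExpanded);
        return root;
    }

    // Constructed input: each level references the previous one twice.
    static String buildInput(int depth) {
        StringBuilder sb = new StringBuilder("n0 = leaf\n");
        for (int i = 1; i <= depth; i++) sb.append("n" + i + " = n" + (i - 1) + " n" + (i - 1) + "\n");
        return sb.toString();
    }

    public static void main(String[] args) {
        Node root = parse(buildInput(20));              // 21 lines of input, 2^20 paths
        long t0 = System.nanoTime();
        long naive = countLeavesNaive(root);
        long t1 = System.nanoTime();
        long memo = expandedSize(root, new IdentityHashMap<>());
        long t2 = System.nanoTime();
        System.out.printf("depth 20: naive=%d in %.1f ms, memoised=%d in %.3f ms%n",
                naive, (t1 - t0) / 1e6, memo, (t2 - t1) / 1e6);
        try {                                           // 61 lines, 2^60 paths: naive would never finish
            parseWithBudget(buildInput(60), 1_000_000);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points carry over to real parsers. First, the budget is computed with the memoised walk, so the check itself stays linear in the size of the parsed graph rather than in its expansion; a check that has to expand the input to measure it is the vulnerability in disguise. Second, this mini-format only allows back-references, so it cannot express cycles; a format with forward references or mutable objects also needs a visited set on the traversal path, since memoisation alone does not terminate on a cycle.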
The work of the second author was supported by Oracle Labs, Australia.
Notes
- 1. https://blog.cloudflare.com/cloudflare-outage/ [Accessed 08-October-2020].
- 2. Java serialisation, https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html [Accessed 08-October-2020].
- 4. Many-to-many relationships, in the database community, describe one type of cardinality of relationships between two entities.
- 5. For instance, in java.io.File, state is used to determine whether an element is a container (a directory) or a child (a file). This can be considered a case of a composite that uses structural instead of nominal typing.
- 6. A good example for this is how the parent reference is maintained in the java.awt.Container.add* methods, which add a child component to the visual component hierarchy.
- 7. Sometimes, the reverse points-to edges are inferred.
- 8. The cont role corresponds to the Container role in the design pattern, whereas the comp role corresponds to the Component role. We do not consider a particular leaf type.
- 9. Maven usage statistics (obtained on 12 Feb. 2020).
- 14. https://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/ [Accessed 08-October-2020].
- 15. https://wiki.gnome.org/action/show/Projects/LibRsvg [Accessed 08-October-2020].
- 19. https://github.com/darylldoyle/svg-sanitizer [Accessed 08-October-2020].
© 2021 Springer Nature Switzerland AG
Rasheed, S., Dietrich, J., Tahir, A. (2021). Caught in the Web: DoS Vulnerabilities in Parsers for Structured Data. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol. 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_4
DOI: https://doi.org/10.1007/978-3-030-88418-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5