Cited By
View all- Wang ZBu DTian WCui B(2024)Analyzing and Discovering Spatial Algorithm Complexity Vulnerabilities in RecursionApplied Sciences10.3390/app1405185514:5(1855)Online publication date: 23-Feb-2024
Acquirer: A Hybrid Approach to Detecting Algorithmic Complexity Vulnerabilities
Authors: 
Yinxi Liu, Wei MengAuthors Info & Claims
Yinxi Liu, Wei MengAuthors Info & ClaimsPages 2071 - 2084
Abstract
Algorithmic Complexity (AC) Denial-of-Service attacks have been a threat for over twenty years. Attackers craft particular input vectors to trigger the worst-case logic of some code running on the server side, which leads to high resource consumption and performance degradation. In response, several vulnerability detection tools have been developed to help developers prevent such attacks. Nevertheless, these state-of-the-art tools either focus on a specific type of vulnerability or suffer from state explosion. They are either limited to a small detection scope or unable to run efficiently.
This paper aims to develop a fully automated approach to effectively and efficiently detecting AC vulnerabilities. We present the design and implementation of Acquirer, which detects AC vulnerabilities in Java programs. Acquirer first statically locates potentially vulnerable structures in the target program, then performs efficient selective path exploration to dynamically verify the existence of two different execution paths with a significant computation cost difference. The vulnerable structures it detects can also help the developers analyze and fix the corresponding vulnerabilities.
We evaluated Acquirer with two widely used benchmark datasets and compared it with four state-of-the-art tools. In the evaluation, it detected 22 known AC vulnerabilities, which substantially out performed all the existing tools together. Besides, it discovered 11 previously unknown AC vulnerabilities in popular real-world applications. Our evaluation demonstrates that Acquirer is highly effective and efficient in automatically detecting AC vulnerabilities.
References
[1]
2017. Tool for algorithmic complexity analysis based on symbolic execution. https://github.com/isstac/spf-wca.
[2]
2018. Badger: complexity analysis with fuzzing and symbolic execution. https: //github.com/isstac/badger.
[3]
2018. Pattern Fuzzing for Worst-Case Algorithmic Complexity. https://github. com/MrVPlusOne/Singularity
[4]
Christian Altmeier, Christian Mainka, Juraj Somorovsky, and Jörg Schwenk. 2015. Adidos--adaptive and intelligent fully-automatic detection of denial-of-service weaknesses in web services. In Data Privacy Management, and Security Assurance. Springer, 65--80.
[5]
Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. 2014. Enhancing symbolic execution with veritesting. In Proceedings of the 36th International Conference on Software Engineering (ICSE). Hyderabad, India.
[6]
Payas Awadhutkar, Ganesh Ram Santhanam, Benjamin Holland, and Suresh Kothari. 2017. Intelligence amplifying loop characterizations for detecting algorithmic complexity vulnerabilities. In 2017 24th Asia-Pacific Software Engineering Conference (APSEC). IEEE, 249--258.
[7]
Payas Awadhutkar, Ganesh Ram Santhanam, Benjamin Holland, and Suresh Kothari. 2019. DISCOVER: Detecting Algorithmic Complexity Vulnerabilities. In Proceedings of the 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE). Tallinn, Estonia.
[8]
William Blair, Andrea Mambretti, Sajjad Arshad, Michael Weissbacher, William Robertson, Engin Kirda, and Manuel Egele. 2020. HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing. In Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA.
[9]
Suhabe Bugrara and Dawson Engler. 2013. Redundant state detection for dynamic symbolic execution. In Proceedings of the 2013 USENIX Annual Technical Conference (ATC). San Jose, CA.
[10]
Jacob Burnim, Sudeep Juvekar, and Koushik Sen. 2009. WISE: Automated test generation for worst-case complexity. In Proceedings of the 31st International Conference on Software Engineering (ICSE). Vancouver, Canada, 463--473.
[11]
Cristian Cadar, Vijay Ganesh, Peter M Pawlowski, David L Dill, and Dawson R Engler. 2008. EXE: Automatically generating inputs of death. ACM Transactions on Information and System Security (TISSEC), Vol. 12, 2 (2008), 1--38.
[12]
Richard Chang, Guofei Jiang, Franjo Ivancic, Sriram Sankaranarayanan, and Vitaly Shmatikov. 2009. Inputs of coma: Static detection of denial-of-service vulnerabilities. In 22nd IEEE Computer Security Foundations Symposium.
[13]
Maria Christakis, Peter Müller, and Valentin Wüstholz. 2016. Guiding dynamic symbolic execution toward unverified program executions. In Proceedings of the 38th International Conference on Software Engineering (ICSE). Austin, TX.
[14]
Scott A Crosby and Dan S Wallach. 2003. Denial of Service via Algorithmic Complexity Attacks. In Proceedings of the 12th USENIX Security Symposium (Security). Washington, DC.
[15]
Adam Czubak and Marcin Szymanek. 2017. Algorithmic complexity vulnerability analysis of a stateful firewall. In Information Systems Architecture and Technology: Proceedings of 37th International Conference on Information Systems Architecture and Technology--ISAT 2016-Part II. Springer, 77--97.
[16]
James C Davis, Christy A Coghlan, Francisco Servant, and Dongyoon Lee. 2018. The impact of regular expression denial of service (ReDoS) in practice: an empirical study at the ecosystem scale. In Proceedings of the 26th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE). Lake Buena Vista, FL.
[17]
Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. 2017. Evil pickles: DoS attacks based on object-graph engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik.
[18]
David Fifield. 2019. A better zip bomb. In 13th USENIX Workshop on Offensive Technologies (WOOT 19).
[19]
Andreas Gal, Christian W Probst, and Michael Franz. 2005. Complexity-based denial-of-service attacks on mobile code systems. INSTITUT FUR INFORMATIK UND PRAKTISCHE MATHEMATIK (2005), 1--10.
[20]
Patrice Godefroid, Nils Klarlund, and Koushik Sen. 2005. DART: Directed automated random testing. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). Chicago, IL.
[21]
Simon F Goldsmith, Alex S Aiken, and Daniel S Wilkerson. 2007. Measuring empirical computational complexity. In Proceedings of the 12th European Software Engineering Conference (ESEC) / 15th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE). Dubrovnik, Croatia.
[22]
Xue Han, Tingting Yu, and David Lo. 2018. PerfLearner: learning from bug reports to understand and generate performance test frames. In Proceedings of the 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE). Montpellier, France, 17--28.
[23]
Benjamin Holland, Payas Awadhutkar, Suresh Kothari, Ahmed Tamrawi, and Jon Mathews. 2018. COMB: Computing relevant program behaviors. In Proceedings of the 40th International Conference on Software Engineering (ICSE). Gothenburg, Sweden.
[24]
Benjamin Holland, Ganesh Ram Santhanam, Payas Awadhutkar, and Suresh Kothari. 2016. Statically-informed dynamic analysis tools to detect algorithmic complexity vulnerabilities. In 2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (SCAM). IEEE, 79--84.
[25]
Suraiya Khan and Issa Traore. 2005. A prevention model for algorithmic complexity attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 160--173.
[26]
Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song. 2018. PerfFuzz: automatically generating pathological inputs. In Proceedings of the 27th International Symposium on Software Testing and Analysis (ISSTA). Amsterdam, Netherlands.
[27]
Yinxi Liu, Mingxue Zhang, and Wei Meng. 2021. Revealer: Detecting and Exploiting Regular Expression Denial-of-Service Vulnerabilities. In Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland). San Francisco, CA.
[28]
Kasper Luckow, Marko Dimjavs ević, Dimitra Giannakopoulou, Falk Howar, Malte Isberner, Temesghen Kahsai, Zvonimir Rakamarić, and Vishwanath Raman. 2016. JDart: A Dynamic Symbolic Analysis Framework. In Proceedings of the 22nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Eindhoven, The Netherlands.
[29]
Kasper Luckow, Rody Kersten, and Corina Pua sua reanu. 2017. Symbolic complexity analysis using context-preserving histories. In 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST). IEEE, 58--68.
[30]
Yannic Noller, Rody Kersten, and Corina S. Pua sua reanu. 2018. Badger: complexity analysis with fuzzing and symbolic execution. In Proceedings of the 27th International Symposium on Software Testing and Analysis (ISSTA). Amsterdam, Netherlands.
[31]
Rohan Padhye and Koushik Sen. 2017. Travioli: A dynamic analysis for detecting data-structure traversals. In Proceedings of the 39th International Conference on Software Engineering (ICSE). Buenos Aires, Argentina, 473--483.
[32]
Giancarlo Pellegrino, Davide Balzarotti, Stefan Winter, and Neeraj Suri. 2015. In the compression hornet's nest: A security study of data compression in network services. In Proceedings of the 24th USENIX Security Symposium (Security). Washington, DC.
[33]
Theofilos Petsios, Jason Zhao, Angelos D. Keromytis, and Suman Jana. 2017. SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS). Dallas, TX.
[34]
Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: A concolic unit testing engine for C. ACM SIGSOFT Software Engineering Notes, Vol. 30, 5 (2005), 263--272.
[35]
Randy Smith, Cristian Estan, and Somesh Jha. 2006. Backtracking algorithmic complexity attacks against a NIDS. In 2006 22nd Annual Computer Security Applications Conference (ACSAC'06). IEEE, 89--98.
[36]
Linhai Song and Shan Lu. 2017. Performance diagnosis for inefficient loops. In Proceedings of the 39th International Conference on Software Engineering (ICSE). Buenos Aires, Argentina, 370--380.
[37]
Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the web: A study of redos vulnerabilities in javascript-based web servers. In Proceedings of the 27th USENIX Security Symposium (Security). Baltimore, MD.
[38]
Saeid Tizpaz-Niari, Pavol Cerný, Bor-Yuh Evan Chang, Sriram Sankaranarayanan, and Ashutosh Trivedi. 2017. Discriminating Traces with Time. In Proceedings of the 23rd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Uppsala, Sweden.
[39]
Luca Della Toffola, Michael Pradel, and Thomas R. Gross. 2018. Synthesizing programs that expose performance bottlenecks. In Proceedings of the 2018 International Symposium on Code Generation and Optimization (CGO). Vienna, Austria.
[40]
Jiayi Wei, Jia Chen, Yu Feng, Kostas Ferles, and Isil Dillig. 2018. Singularity: pattern fuzzing for worst case complexity. In Proceedings of the 26th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE). Lake Buena Vista, FL.
[41]
Nicky Williams, Bruno Marre, and Patricia Mouy. 2004. On-the-fly generation of k-path tests for C functions. In Proceedings of the 19th IEEE/ACM International Conference on Automated Software Engineering (ASE). Linz, Austria.
[42]
Nicky Williams, Bruno Marre, Patricia Mouy, and Muriel Roger. 2005. Pathcrawler: Automatic generation of path tests by combining static and dynamic analysis. In European Dependable Computing Conference. Springer, 281--292.
[43]
Tao Xie, Nikolai Tillmann, Jonathan De Halleux, and Wolfram Schulte. 2009. Fitness-guided path exploration in dynamic symbolic execution. In 2009 IEEE/IFIP International Conference on Dependable Systems & Networks. 359--368.
[44]
Xiaofei Xie, Bihuan Chen, Yang Liu, Wei Le, and Xiaohong Li. 2016. Proteus: computing disjunctive loop summary via path dependency analysis. In Proceedings of the 24th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE). Seattle, WA.
[45]
Yufeng Zhang, Zhenbang Chen, Ji Wang, Wei Dong, and Zhiming Liu. 2015. Regular property guided dynamic symbolic execution. In Proceedings of the 37th International Conference on Software Engineering (ICSE). Florence, Italy.
Index Terms
- Acquirer: A Hybrid Approach to Detecting Algorithmic Complexity Vulnerabilities
Recommendations
Detecting Blind Cross-Site Scripting Attacks Using Machine Learning
SPML '18: Proceedings of the 2018 International Conference on Signal Processing and Machine LearningCross-site scripting (XSS) is a scripting attack targeting web applications by injecting malicious scripts into web pages. Blind XSS is a subset of stored XSS, where an attacker blindly deploys malicious payloads in web pages that are stored in a ...
Dynamic Binary User-Splits to Protect Cloud Servers from DDoS Attacks
ICCC '13: Proceedings of the Second International Conference on Innovative Computing and Cloud ComputingSeveral overlay-based solutions have been proposed to protect network servers from DoS/DDoS attacks. The common objective in the existing solutions is to prevent the attacking traffic from reaching the servers by hiding the location of target server ...
COIN Attacks: On Insecurity of Enclave Untrusted Interfaces in SGX
ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating SystemsIntel SGX is a hardware-based trusted execution environment (TEE), which enables an application to compute on confidential data in a secure enclave. SGX assumes a powerful threat model, in which only the CPU itself is trusted; anything else is untrusted,...
Comments
Information & Contributors
Information
Published In
November 2022
3598 pages
ISBN:9781450394505
DOI:10.1145/3548606
- General Chairs:
- Heng Yin,
- Angelos Stavrou,
- Program Chairs:
- Cas Cremers,
- Elaine Shi
Copyright © 2022 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 07 November 2022
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
CCS '22
Sponsor:
CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security
November 7 - 11, 2022
CA, Los Angeles, USA
Acceptance Rates
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
Upcoming Conference
CCS '24
- Sponsor:
- sigsac
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 384Total Downloads
- Downloads (Last 12 months)126
- Downloads (Last 6 weeks)5
Reflects downloads up to 11 Sep 2024
Other Metrics
Citations
Cited By
View all- Wang ZBu DTian WCui B(2024)Analyzing and Discovering Spatial Algorithm Complexity Vulnerabilities in RecursionApplied Sciences10.3390/app1405185514:5(1855)Online publication date: 23-Feb-2024
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in