DOI: 10.1145/3545948.3545967
research-article
Open access

Harm-DoS: Hash Algorithm Replacement for Mitigating Denial-of-Service Vulnerabilities in Binary Executables

Published: 26 October 2022

Abstract

Programs and services relying on weak hash algorithms as part of their hash table implementations are vulnerable to hash-collision denial-of-service attacks. In the context of such an attack, the attacker sends a series of program inputs leading to hash collisions. In the best case, this slows down the execution and processing for all requests, and in the worst case it renders the program or service unavailable. We propose a new binary program analysis approach to automatically detect weak hash functions and patch vulnerable binary programs, by replacing the weak hash function with a secure alternative. To verify that our mitigation strategy does not break program functionality, we design and leverage multiple stages of static analysis and symbolic execution, which demonstrate that the patched code performs equivalently to the original code, but does not suffer from the same vulnerability. We analyze 105,831 real-world programs and confirm the use of 796 weak hash functions in the same number of programs. We successfully replace 759 of these in a non-disruptive manner. The entire process is automated. Among the real-world programs analyzed, we discovered, disclosed and mitigated a zero-day hash-collision vulnerability in Reddit.
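
As an added illustration of the weakness the abstract describes (not code from the paper or its tooling): with an unkeyed DJB-style hash, a constructed key set lands in a single bucket, while a secretly keyed hash spreads the same keys across the table. BLAKE2b with a random key, the table size and all function names are assumptions of this sketch; the abstract does not name the replacement algorithm.

```python
import hashlib
import itertools
import os

BUCKETS = 1024  # table size chosen for this example


def djb2(key: bytes) -> int:
    """Unkeyed multiplicative string hash (h = h*33 + c, 32-bit)."""
    h = 5381
    for c in key:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def make_keyed_hash(secret: bytes):
    """Keyed 64-bit hash; BLAKE2b stands in for the secure replacement."""
    def keyed(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return keyed


def longest_chain(keys, hash_fn, buckets: int = BUCKETS) -> int:
    """Length of the fullest bucket: the cost of one worst-case lookup."""
    counts = {}
    for k in keys:
        slot = hash_fn(k) % buckets
        counts[slot] = counts.get(slot, 0) + 1
    return max(counts.values())


def constructed_keys(blocks: int = 8):
    """Constructed sample input: 2**blocks keys with one djb2 value.

    b"Ez" and b"FY" contribute equally (69*33+122 == 70*33+89), so any
    same-length concatenation of the two blocks hashes identically.
    """
    return [b"".join(p) for p in itertools.product((b"Ez", b"FY"), repeat=blocks)]


if __name__ == "__main__":
    keys = constructed_keys()
    print("keys:", len(keys))
    print("djb2 longest chain :", longest_chain(keys, djb2))
    print("keyed longest chain:", longest_chain(keys, make_keyed_hash(os.urandom(16))))
```

The longest chain is the number to watch when checking a table before and after a hash replacement: it bounds the work a single lookup or insert can be forced to do.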


Cited By

  • (2023) Leader: Defense Against Exploit-Based Denial-of-Service Attacks on Web Applications. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 744-758. DOI: 10.1145/3607199.3607238. Online publication date: 16-Oct-2023

      Published In

      RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
      October 2022
      536 pages
      ISBN:9781450397049
      DOI:10.1145/3545948
      This work is licensed under a Creative Commons Attribution International 4.0 License.

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Binary program analysis
      2. automatic vulnerability detection
      3. automatic vulnerability mitigation

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Funding Sources

      • NSF

      Conference

      RAID 2022

      Acceptance Rates

      Overall Acceptance Rate 43 of 173 submissions, 25%


      Article Metrics

      • Downloads (Last 12 months)291
      • Downloads (Last 6 weeks)33
      Reflects downloads up to 03 Oct 2024
