SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities

Algorithmic complexity vulnerabilities occur when the worst-case time/space complexity of an application is significantly higher than the respective average case for particular user-controlled inputs. When such conditions are met, an attacker can launch Denial-of-Service attacks against a vulnerable application by providing inputs that trigger the worst-case behavior. Such attacks have been known to have serious effects on production systems, take down entire websites, or lead to bypasses of Web Application Firewalls. Unfortunately, existing detection mechanisms for algorithmic complexity vulnerabilities are domain-specific and often require significant manual effort. In this paper, we design, implement, and evaluate SlowFuzz, a domain-independent framework for automatically finding algorithmic complexity vulnerabilities. SlowFuzz automatically finds inputs that trigger worst-case algorithmic behavior in the tested binary. SlowFuzz uses resource-usage-guided evolutionary search techniques to automatically find inputs that maximize computational resource utilization for a given application. We demonstrate that SlowFuzz successfully generates inputs that match the theoretical worst-case performance for several well-known algorithms. SlowFuzz was also able to generate a large number of inputs that trigger different algorithmic complexity vulnerabilities in real-world applications, including various zip parsers used in antivirus software, regular expression libraries used in Web Application Firewalls, as well as hash table implementations used in Web applications. In particular, SlowFuzz generated inputs that achieve 300-times slowdown in the decompression routine of the bzip utility, discovered regular expressions that exhibit matching times exponential in the input size, and also managed to automatically produce inputs that trigger a high number of collisions in PHP's default hashtable implementation.

[1]  Ronald L. Rivest,et al.  Introduction to Algorithms , 1990 .

[2]  Stefan M. Petters,et al.  Making worst case execution time analysis for hard real-time tasks on state of the art processors feasible , 1999, Proceedings Sixth International Conference on Real-Time Computing Systems and Applications. RTCSA'99 (Cat. No.PR00306).

[3]  M. Douglas McIlroy A Killer Adversary for Quicksort , 1999, Softw. Pract. Exp..

[4]  Stefan M. Petters Bounding the execution time of real-time tasks on modern processors , 2000, Proceedings Seventh International Conference on Real-Time Computing Systems and Applications.

[5]  Clifford Stein,et al.  Introduction to Algorithms, 2nd edition. , 2001 .

[6]  John A. Clark,et al.  A search-based automated test-data generation framework for safety-critical systems , 2002 .

[7]  Guillem Bernat,et al.  WCET analysis of probabilistic hard real-time systems , 2002, 23rd IEEE Real-Time Systems Symposium, 2002. RTSS 2002..

[8]  Dan S. Wallach,et al.  Denial of Service via Algorithmic Complexity Attacks , 2003, USENIX Security Symposium.

[9]  Matthias Grochtmann,et al.  Verifying Timing Constraints of Real-Time Systems by Means of Evolutionary Testing , 1998, Real-Time Systems.

[10]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[11]  Somesh Jha,et al.  Backtracking Algorithmic Complexity Attacks against a NIDS , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[12]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[13]  Xiang Cai,et al.  Exploiting Unix File-System Races via Algorithmic Complexity Attacks , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[14]  Iain Bate,et al.  WCET analysis of modern processors using multi-criteria optimisation , 2009, 2009 1st International Symposium on Search Based Software Engineering.

[15]  Kedar S. Namjoshi,et al.  Robust and Fast Pattern Matching for Intrusion Detection , 2010, 2010 Proceedings IEEE INFOCOM.

[16]  Guillem Bernat,et al.  Hybrid measurement-based WCET analysis at the source level using object-level traces , 2010, WCET.

[17]  Yang Zhang,et al.  A Covert Timing Channel via Algorithmic Complexity Attacks: Design and Analysis , 2011, 2011 IEEE International Conference on Communications (ICC).

[18]  Allen D. Householder,et al.  Probability-Based Parameter Selection for Black-Box Fuzz Testing , 2012 .

[19]  Antonio González,et al.  Hardware/Software Mechanisms for Protecting an IDS against Algorithmic Complexity Attacks , 2012, 2012 IEEE 26th International Parallel and Distributed Processing Symposium Workshops & PhD Forum.

[20]  Antonio González,et al.  Improving the Resilience of an IDS against Performance Throttling Attacks , 2012, SecureComm.

[21]  Shan Lu,et al.  Understanding and detecting real-world performance bugs , 2012, PLDI.

[22]  Herbert Bos,et al.  Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations , 2013, USENIX Security Symposium.

[23]  Hayo Thielecke,et al.  Static Analysis for Regular Expression Denial-of-Service Attacks , 2013, NSS.

[24]  Xin-She Yang,et al.  Introduction to Algorithms , 2021, Nature-Inspired Optimization Algorithms.

[25]  Brink van der Merwe,et al.  Analyzing Catastrophic Backtracking Behavior in Practical Regular Expression Matching , 2014, AFL.

[26]  Qi Luo,et al.  Automating performance bottleneck detection using search-based application profiling , 2015, ISSTA.

[27]  David Brumley,et al.  Program-Adaptive Mutational Fuzzing , 2015, 2015 IEEE Symposium on Security and Privacy.

[28]  Angelos D. Keromytis,et al.  DynaGuard: Armoring Canary-based Protections against Brute-force Attacks , 2015, ACSAC 2015.

[29]  Murali Krishna Ramanathan,et al.  Efficient flow profiling for detecting performance bugs , 2016, ISSTA.

[30]  Ganesh Ram Santhanam,et al.  Statically-Informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities , 2016, 2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (SCAM).

[31]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[32]  Salvatore J. Stolfo,et al.  NEZHA: Efficient Domain-Independent Differential Testing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[33]  Isil Dillig,et al.  Static Detection of DoS Vulnerabilities in Programs that Use Regular Expressions , 2017, TACAS.

[34]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.