Microsoft announced yesterday the availability of a new fuzzing tool that examines regular expressions in application code and determines whether those expressions are vulnerable to denial-of-service (DoS) attacks.Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: 'Pay me $10,000 or I'll make your app consume $20,000 worth of server resources.
security program managerMicrosoft's Security Development Lifecycle team
The SDL RegEx Fuzzer is a free download that examines regular expression patterns and determines whether they could be exploited by an attacker to cause a denial-of-service condition in an application.
Bryan Sullivan, security program manager for Microsoft's Security Development Lifecycle team, wrote in a blog entry Wednesday, announcing the availability of the tool and that he expects attackers to shift away from privilege escalation attacks and turn their attention to DoS against software service providers. Cloud computing, he wrote, will lead attackers down the road of blackmailing providers.
"When you're paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users," Sullivan wrote. "Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: 'Pay me $10,000 or I'll make your app consume $20,000 worth of server resources.'"
Sullivan added that recent enhancements to memory protection via Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) will further take attackers away from privilege escalation attacks. He said tools such as the SDL RegEx Fuzzer could help developers deploy DoS protection before the problem escalates.
SDL RegEx Fuzzer specifically targets a condition termed ReDoS, discussed by Checkmarx chief architect Alex Roichman and senior programmer Adar Weidman during a security event last year.
"Poorly written regular expression can be exploited so a relatively short attack string (fewer than 50 characters) can take hours or more to evaluate," Sullivan wrote in the May issue of MSDN Magazine. "In the worst-case scenario, the processing time is actually exponential to the number of characters in the input string, meaning that adding a single character to the string doubles the processing time."
SDL RegEd Fuzzer counters this by comparing regular expressions in application code against a set of random inputs, Sullivan wrote. Any expressions taking a long time to process are flagged as vulnerable and would need to be addressed by a programmer.
I can (run) each regex test sequentially on a separate worker thread and set a timeout value for that thread's completion. If the thread does not complete its processing within a reasonable amount of time, say five seconds to test a single input, we assume the regular expression has been DoS'd," Sullivan wrote.