Caught in the Web -- esorics21.pdf (375.31 kB)
Caught in the Web: DoS Vulnerabilities in Parsers for Structured Data
conference contribution
posted on 2021-08-17, 23:41 authored by Shawn Rasheed, Jens Dietrich, Amjed Tahir

We study a class of denial-of-service (DoS) vulnerabilities
that occur in parsing structured data. These vulnerabilities enable low
bandwidth DoS attacks with input that causes algorithms to execute in
disproportionately large time and / or space. We generalise the characteristics
of these vulnerabilities, and frame them in terms of three aspects,
TTT: (1) the Topology of composite data structures formed by
the internal representation of parsed data, (2) the presence of recursive
functions for the Traversal of the data structures and (3) the presence
of a Trigger that enables an attacker to activate the traversal.
An analysis based on this abstraction was implemented for one target
platform (Java), and in our study, we found that the impact of the results
obtained with this method goes beyond Java. The inputs from our
investigation revealed several similar vulnerabilities in programs written
in other languages such as Rust and PHP. As a result we have reported
11 issues (of which seven have been accepted as issues), and obtained
four CVEs for some of those issues in PDF, SVG and YAML libraries
across different languages.
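
The three TTT aspects can be seen on a small in-memory structure. The following is an added example, not code from the paper: it assumes the topology is a DAG whose layers share children, and `Node`, `build_shared_dag`, `naive_size` and `guarded_size` are hypothetical names. It compares the work done by a plain recursive traversal with a traversal that visits each distinct node once under a work budget.

```python
# Added example (not from the paper). Assumption: the parsed data forms a DAG
# in which every layer references the same child twice.

class Node:
    def __init__(self, children=()):
        self.children = list(children)

def build_shared_dag(depth):
    """Constructed input (Topology): depth+1 distinct nodes, 2**depth paths to the leaf."""
    node = Node()
    for _ in range(depth):
        node = Node([node, node])  # both slots point at the same object
    return node

def naive_size(node, counter):
    """Traversal: plain recursion that re-walks a shared child on every path.
    Any call on parsed data that reaches it (size, hash, print) is the Trigger."""
    counter[0] += 1
    return 1 + sum(naive_size(child, counter) for child in node.children)

class BudgetExceeded(Exception):
    """Raised when a traversal would exceed its allowed number of node visits."""

def guarded_size(root, max_visits=10_000):
    """Hardened traversal: iterative (no recursion-depth failure), visits each
    distinct node once, and stops after max_visits nodes."""
    seen, stack, visits = set(), [root], 0
    while stack:
        node = stack.pop()
        if node in seen:  # default hashing is identity-based
            continue
        seen.add(node)
        visits += 1
        if visits > max_visits:
            raise BudgetExceeded(f"more than {max_visits} nodes")
        stack.extend(node.children)
    return visits

def compare(depth):
    """Return (distinct nodes, visits by naive traversal, visits by guarded traversal)."""
    root = build_shared_dag(depth)
    counter = [0]
    naive_size(root, counter)
    return depth + 1, counter[0], guarded_size(root)

if __name__ == "__main__":
    for d in (4, 8, 16):
        print(d, compare(d))
```

The naive visit count grows as 2^(depth+1) - 1 while the structure itself grows linearly, which is the disproportion between input size and work that the abstract describes.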