Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Hi everyone, Bryan here. I’m at the RSA Conference Europe this week to present “When a Billion Laughs Are Not So Funny: Application-Level Denial of Service Attacks.” I’ve predicted before that as cloud computing gains wider adoption, we’ll start to see a significant increase in denial of service (DoS) attacks against those services. When you’re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I’ll make your app consume $20,000 worth of server resources. My talk this week covers some of the many ways attackers can exploit DoS vulnerabilities in SaaS, and what we as developers can do to find and prevent these vulnerabilities.
One of the vulnerabilities I’ll be talking about is the regular expression DoS (or ReDoS) brought to light by Checkmarx researchers at the OWASP Israel 2009 conference. Until now, the only way to detect ReDoS vulnerabilities was through manual code review. So I’m pleased to announce the immediate availability of a new tool, the SDL Regex Fuzzer, as a free download. SDL Regex Fuzzer will evaluate regular expression patterns to determine whether they could be vulnerable to ReDoS. It usually takes only a few seconds of testing to make a determination. And like the rest of the suite of SDL tools, SDL Regex Fuzzer integrates with the SDL Process Template and MSF-Agile+SDL Process Template to help you track and eliminate detected vulnerabilities. Give it a try and let us know what you think.
Please note that Checkmarx, the first company to publish details of ReDos also provides a RegEx to analyze RegExs for ReDos. Manual review was not the only way to discover this issue.
Nice work - this is a very interesting take of this topic!
I'm glad Microsoft is in the game security now. This tool will be useful for many app devs and testers. Thank you!
Any plans for a command line interface so large numbers of regular expressions can be evaluated in a batch?
Any chance of making this open source and releasing the code MS-PL?
it crashed on this without letting me to submit a bug report:
here's the debug error message:
Exception of type 'System.OutOfMemoryException' was thrown.
at System.Collections.Generic.List`1.set_Capacity(Int32 value)
at System.Collections.Generic.List`1.EnsureCapacity(Int32 min)
at Rex.Chooser.ChooseSmallBias(Int32 n)
at Rex.RexEngine.GenerateMember(SFA`1 fa)
at Microsoft.Security.SDL.RegexFuzzer.Engine.TestInputs(Int32 iterations, AttackSet attackSet, String& vulnerableTest)
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
It crashes on the expression:
Is the code available? We're considering using this functionality in a Java environment.
Thanks to everyone for the feedback on the SDL RegEx Fuzzer tool. Of the issues that have been reported (by Ray and Richard), we have been able to reproduce both – root cause is a bug in the tool’s handling of the number of OR “|” conditions in a regular expression. A bug has been logged to be considered in the scope of a future release. If you find other issues or have enhancements you’d like to see, please post these as comments or submit them within the MSDN SDL Tools forum here:
Mark and James, we currently have no plans to release the source code for this tool.
The SDL Team