New tool detects RegEx security weakness
Monday, 25 October 2010

Microsoft has released a Regex Fuzzer that tests a .NET regular expression for vulnerability to a form of Denial of Service attack. How does it work and how serious is the problem?


You might think regular expressions are great and entirely harmless - it's not as if they were vulnerable to anything like a SQL injection attack. However, the innocent-looking regular expression can be turned to a sinister purpose. If an attacker knows that input is put through a regular expression, they can arrange to send it a sequence of characters that sends it into an infinite loop. The result is that your application goes into a tight loop, becomes unresponsive and uses up resources, i.e. a Denial of Service or DoS attack.

Of course the problem, for the attacker and for you, is to work out what sequence of characters, if any, will send the regular expression into a tight loop. You could play this game all day, but it is easier to write an automatic testing tool, and this is what the Regex Fuzzer is. You input the expression and it is tested against sets of input characters. The longer you test, the more confident you can be that if you can't find an effective string, neither will an attacker.
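The idea behind the fuzzer, as an added example that is not Microsoft's tool or any code from the original article: feed a pattern ever-longer candidate inputs built from a repeated "pump" character plus a tail that makes the overall match fail, and flag the pattern as soon as one match takes longer than a budget. It uses Python's `re`, a backtracking engine like .NET's, and the sample patterns, the pump character, the tail and the time budget are constructed for this demonstration.

```python
import re
import time


def time_match(regex, text):
    """Wall-clock seconds that one regex.match() call takes on text."""
    t0 = time.perf_counter()
    regex.match(text)
    return time.perf_counter() - t0


def probe(pattern, pump="a", tail="!", max_len=26, budget=0.1):
    """Grow a candidate input (pump repeated n times plus a non-matching tail)
    and watch how the match time grows with n.

    Returns (flagged, timings): timings is a list of (n, seconds) and flagged
    is True as soon as a single match exceeds the time budget, which is the
    signal that the pattern backtracks catastrophically on this input shape.
    Stopping at the first slow match keeps the probe itself bounded.
    """
    regex = re.compile(pattern)
    timings = []
    for n in range(4, max_len + 1, 2):
        seconds = time_match(regex, pump * n + tail)
        timings.append((n, seconds))
        if seconds > budget:
            return True, timings
    return False, timings


# Constructed sample patterns: the classic nested-quantifier shape whose
# failed match explores every way of splitting the a's between the inner
# and outer '+', and an equivalent pattern without the nested quantifier.
EVIL = r"^(a+)+$"
SAFE = r"^a+$"

if __name__ == "__main__":
    for name, pat in (("evil", EVIL), ("safe", SAFE)):
        flagged, timings = probe(pat)
        n, last = timings[-1]
        print(f"{name:4} {pat:9} flagged={flagged} n={n:2} last={last:.4f}s")
```

The evil pattern is flagged well before the input reaches 26 characters, while the safe pattern matches every length in microseconds; in production the same idea is applied by a match timeout rather than by a probe.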


It comes as something of a surprise that you can't produce a deterministic test that a regular expression won't loop, but it appears that once you allow capture groups and backtracking the computational system becomes so powerful that the question is as hard as the Turing machine halting problem - which is, of course, undecidable.

You can download the testing tool from:

Microsoft Downloads

and more information is available from:

http://www.microsoft.com/security/sdl/default.aspx

Further reading:

.NET Regular Expressions in depth

