Monday, October 18, 2010

Microsoft Releases New Regex Fuzzer

Via Threatpost.com -

Microsoft has released a new fuzzing tool designed specifically to find mistakes in regular expressions in application code that could be vulnerable to attack. The SDL Regex Fuzzer identifies problematic lines that might cause an application to be susceptible to attacks that consume huge amounts of resources and cause denial-of-service conditions.

The new fuzzer is meant to be used specifically to find vulnerable regular expressions in application code that could lead to a special kind of attack known as a regular expression denial of service (ReDoS). Microsoft officials say that as more and more applications are moved to cloud providers, attackers will begin to focus their attention on those applications in new and profitable ways.

"I’ve predicted before that as cloud computing gains wider adoption, we’ll start to see a significant increase in denial of service (DoS) attacks against those services. When you’re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I’ll make your app consume $20,000 worth of server resources," Microsoft's Bryan Sullivan wrote in a blog post explaining the SDL Regex Fuzzer.

As Sullivan explains in an article on the problem from earlier this year, a small change to an input string can cause major problems for a regular expression engine.
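To make that concrete, here is an added canary check in the spirit of what the fuzzer automates (example code written for this post, not Microsoft's tool or Sullivan's article): two patterns that accept exactly the same strings are timed against a constructed "near miss" input, and the one with a nested quantifier is flagged because its cost explodes when a single trailing character keeps the match from succeeding. The pattern names, the input shape and the threshold are my own choices.

```python
"""Added canary check, in the spirit of the SDL Regex Fuzzer: time a
pattern against inputs of growing length and flag it when the cost grows
far faster than the input does (catastrophic backtracking)."""
import re
import time

# Two patterns that accept exactly the same strings (one or more 'a').
# The nested quantifier in the first one is the classic ReDoS shape.
VULNERABLE = re.compile(r"^(a+)+$")  # exponential on a near-miss input
HARDENED = re.compile(r"^a+$")       # one quantifier: linear

def near_miss(n: int) -> str:
    """Constructed input: a run of 'a' plus a final '!' so the match
    fails only at the end, after the engine has tried every way of
    splitting the run between the nested quantifiers."""
    return "a" * n + "!"

def match_seconds(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Best-of-N wall-clock time for one match attempt."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)  # returns None for every near_miss() input
        best = min(best, time.perf_counter() - start)
    return best

def growth_ratio(pattern: re.Pattern, small: int = 10, large: int = 18) -> float:
    """How much slower the match gets when the input grows from `small`
    to `large` characters. A linear engine cost gives roughly large/small;
    exponential backtracking gives hundreds or more."""
    t_small = max(match_seconds(pattern, near_miss(small)), 1e-6)
    t_large = match_seconds(pattern, near_miss(large))
    return t_large / t_small

def is_catastrophic(pattern: re.Pattern, threshold: float = 50.0) -> bool:
    """Flag patterns whose cost grows far faster than the input length."""
    return growth_ratio(pattern) > threshold

if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{name:10s} {pat.pattern!r:12s} growth x{growth_ratio(pat):.0f} "
              f"catastrophic={is_catastrophic(pat)}")
```

Both patterns match `"aaaa"` instantly; only the nested one turns `"aaaa…a!"` into work that doubles with every added character, which is the defect the fuzzer is built to surface before an attacker does.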


-------------------------------------------------------------------------------------------------------------------

Microsoft Download Center - SDL Regex Fuzzer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f
