Algoritmic Complexity Attacks and 2.4.20 the dcache code

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Scott A Crosby <scrosby@cs.rice.edu>
To: linux-kernel@vger.kernel.org
Subject: Algoritmic Complexity Attacks and 2.4.20 the dcache code
Date: 29 May 2003 15:42:39 -0500	[thread overview]
Message-ID: <oydbrxlbi2o.fsf@bert.cs.rice.edu> (raw)

Hello. We have analyzed this software to determine its vulnerability
to a new class of DoS attacks that related to a recent paper. ''Denial
of Service via Algorithmic Complexity Attacks.''

This paper discusses a new class of denial of service attacks that
work by exploiting the difference between average case performance and
worst-case performance. In an adversarial environment, the data
structures used by an application may be forced to experience their
worst case performance. For instance, hash tables are usually thought
of as being constant time operations, but with large numbers of
collisions will degrade to a linked list and may lead to a 100-10,000
times performance degradation. Because of the widespread use of hash
tables, the potential for attack is extremely widespread. Fortunately,
in many cases, other limits on the system limit the impact of these
attacks.

To be attackable, an application must have a deterministic or
predictable hash function and accept untrusted input. In general, for
the attack to be signifigant, the applications must be willing and
able to accept hundreds to tens of thousands of 'attack
inputs'. Because of that requirement, it is difficult to judge the
impact of these attack without knowing the source code extremely well,
and knowing all ways in which a program is used.

As part of this project, one of the applications examined was the
linux kernel 2.4.20, both the networking stack (subject of another
email) and in this email, the dcache.

I have confirmed via an actual attack that it is possible to force the
dcache to experience a 200x performance degradation if the attacker
can control filenames. On a P4-1.8ghz, the time to list a directory of
10,000 files is 18 seconds instead of .1 seconds.

The solution for these attacks on hash tables is to make the hash
function unpredictable via a technique known as universal
hashing. Universal hashing is a keyed hash function where, based on
the key, one of a large set hash functions is chosen. When
benchmarking, we observe that for short or medium length inputs, it is
comparable in performance to simple predictable hash functions such as
the ones in Python or Perl. Our paper has graphs and charts of our
benchmarked performance.

I highly advise using a universal hashing library, either our own or
someone elses. As is historically seen, it is very easy to make silly
mistakes when attempting to implement your own 'secure' algorithm.

The abstract, paper, and a library implementing universal hashing is
available at   http://www.cs.rice.edu/~scrosby/hash/.

Scott

next             reply	other threads:[~2003-05-29 20:30 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-05-29 20:42 Scott A Crosby [this message]
2003-05-30  3:57 ` Algoritmic Complexity Attacks and 2.4.20 the dcache code David S. Miller
2003-05-30  4:29   ` Ingo Molnar
2003-05-30 18:16     ` Timothy Miller
2003-05-30 18:53       ` Scott A Crosby
2003-05-30  5:04   ` Scott A Crosby
2003-05-30  6:24     ` David S. Miller
2003-05-30  6:46       ` Scott A Crosby
2003-05-30  6:56         ` David S. Miller
2003-05-30  8:59       ` Alex Riesen
2003-05-30  9:00         ` David S. Miller
2003-05-30 15:05           ` Scott A Crosby
2003-05-31  6:18             ` David S. Miller
2003-05-31  8:02               ` Willy TARREAU
2003-05-31  8:12                 ` David S. Miller
2003-05-31  8:56                   ` Willy Tarreau
2003-05-31  8:58                     ` David S. Miller
2003-05-31  8:58                   ` David Schwartz
2003-05-31  9:01                     ` David S. Miller
2003-05-31  6:30           ` William Lee Irwin III
2003-05-31  6:33             ` David S. Miller
2003-05-31  6:41               ` William Lee Irwin III
2003-05-31  6:45                 ` David S. Miller
2003-05-31 18:40                   ` Aaron Lehmann
2003-05-30  4:02 ` Ingo Molnar
2003-05-30  4:42   ` Scott A Crosby
2003-05-30  5:01     ` David S. Miller
2003-05-30 13:48 ` Nikita Danilov
2003-06-01  1:15 ` Daniel Phillips

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=oydbrxlbi2o.fsf@bert.cs.rice.edu \
    --to=scrosby@cs.rice.edu \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox