Acquirer: A Hybrid Approach to Detecting Algorithmic Complexity Vulnerabilities

ABSTRACTAlgorithmic Complexity (AC) Denial-of-Service attacks have been a threat for over twenty years. Attackers craft particular input vectors to trigger the worst-case logic of some code running on the server side, which leads to high resource consumption and performance degradation. In response, several vulnerability detection tools have been developed to help developers prevent such attacks. Nevertheless, these state-of-the-art tools either focus on a specific type of vulnerability or suffer from state explosion. They are either limited to a small detection scope or unable to run efficiently. This paper aims to develop a fully automated approach to effectively and efficiently detecting AC vulnerabilities. We present the design and implementation of Acquirer, which detects AC vulnerabilities in Java programs. Acquirer first statically locates potentially vulnerable structures in the target program, then performs efficient selective path exploration to dynamically verify the existence of two different execution paths with a significant computation cost difference. The vulnerable structures it detects can also help the developers analyze and fix the corresponding vulnerabilities. We evaluated Acquirer with two widely used benchmark datasets and compared it with four state-of-the-art tools. In the evaluation, it detected 22 known AC vulnerabilities, which substantially out performed all the existing tools together. Besides, it discovered 11 previously unknown AC vulnerabilities in popular real-world applications. Our evaluation demonstrates that Acquirer is highly effective and efficient in automatically detecting AC vulnerabilities.