Algorithmic Complexity Vulnerabilities (ACVs) are a class of vulnerabilities that enable Denial of Service attacks. ACVs stem from asymmetric consumption of resources due to complex loop termination logic, recursion, and/or resource-intensive library APIs. Completely automated detection of ACVs is intractable, which calls for tools that assist human analysts.
We present DISCOVER, a suite of tools that facilitates human-on-the-loop detection of ACVs. DISCOVER’s workflow can be broken into three phases: (1) automated characterization of loops, (2) selection of suspicious loops, and (3) interactive audit of selected loops. We demonstrate DISCOVER through a case study on a DARPA challenge app. DISCOVER supports analysis of Java source code and Java bytecode; we demonstrate it for Java bytecode.
Venue: The 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2019), Tallinn, Estonia, August 2019.
Authors: Payas Awadhutkar, Ganesh Ram Santhanam, Benjamin Holland, Suresh Kothari
Paper (PDF): fse2019-demo-preprint.pdf