Preprint Article Version 1 Preserved in Portico This version is not peer-reviewed

Analyzing and Discovering Spatial Algorithm Complexity Vulnerabilities in Recursion

Version 1 : Received: 15 January 2024 / Approved: 15 January 2024 / Online: 16 January 2024 (03:14:44 CET)

A peer-reviewed article of this Preprint also exists.

Wang, Z.; Bu, D.; Tian, W.; Cui, B. Analyzing and Discovering Spatial Algorithm Complexity Vulnerabilities in Recursion. Appl. Sci. 2024, 14, 1855.

Abstract

Algorithmic complexity vulnerabilities (ACVs), which may lead to denial-of-service attacks, greatly disrupt the security and availability of applications, and because third-party libraries are so widely used, their impact may be amplified through the software supply chain. Existing work in the field is dedicated to abstracting loop or iterative patterns and fuzzing the entire application to discover algorithmic complexity vulnerabilities, but it still faces efficiency and effectiveness issues. Our research focuses on: (1) proposing a representation and extraction method for code features related to algorithmic complexity vulnerabilities, helping analysts quickly understand program logic; (2) providing a new ACV detection model that focuses on the spatial complexity anomalies caused by deep recursion structures, together with a new filtering method; (3) proposing a call-chain-guided payload construction method to address the difficulty of efficiently generating payloads involving complex data types with existing symbolic execution techniques. We tested third-party components in the open-source Java Maven Repository and identified many unexposed vulnerabilities, 8 of which received CVE (Common Vulnerabilities & Exposures) identifiers, and demonstrated that our method discovers more algorithmic complexity vulnerabilities than existing tools, with better performance.

Keywords

Spatial Algorithm Complexity Vulnerability; Recursion Structure; Call Chain

Subject

Computer Science and Mathematics, Software
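
The class of defect the abstract describes, as an added Java example that is not code from the paper or from any library it tested: a recursive parser whose call depth follows the nesting of its input, next to a depth-capped variant. The bracket grammar, the class and method names, and the `MAX_DEPTH` value of 512 are assumptions made for this illustration.

```java
import java.util.Arrays;

public class RecursionDepthDemo {
    // Assumed limit for this illustration; real parsers pick a value that fits their data.
    static final int MAX_DEPTH = 512;

    // Unbounded shape: one stack frame per nesting level, so stack use is chosen by the input.
    // Grammar: value := '[' value ']' | empty. Returns the index just past the parsed value.
    static int parseUnbounded(char[] in, int pos) {
        if (pos < in.length && in[pos] == '[') {
            int next = parseUnbounded(in, pos + 1);
            if (next >= in.length || in[next] != ']')
                throw new IllegalArgumentException("unbalanced at " + next);
            return next + 1;
        }
        return pos;
    }

    // Hardened shape: same grammar, but the depth is tracked and rejected before the stack runs out.
    static int parseBounded(char[] in, int pos, int depth) {
        if (depth > MAX_DEPTH)
            throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        if (pos < in.length && in[pos] == '[') {
            int next = parseBounded(in, pos + 1, depth + 1);
            if (next >= in.length || in[next] != ']')
                throw new IllegalArgumentException("unbalanced at " + next);
            return next + 1;
        }
        return pos;
    }

    // Constructed sample input: `depth` opening brackets followed by `depth` closing brackets.
    static char[] nested(int depth) {
        char[] buf = new char[2 * depth];
        Arrays.fill(buf, 0, depth, '[');
        Arrays.fill(buf, depth, 2 * depth, ']');
        return buf;
    }

    public static void main(String[] args) {
        char[] shallow = nested(100);
        System.out.println("shallow, unbounded: consumed " + parseUnbounded(shallow, 0));
        System.out.println("shallow, bounded:   consumed " + parseBounded(shallow, 0, 0));
        char[] deep = nested(1_000_000); // 2 MB of input, far more frames than a default thread stack holds
        try { parseUnbounded(deep, 0); }
        catch (StackOverflowError e) { System.out.println("deep, unbounded: StackOverflowError"); }
        try { parseBounded(deep, 0, 0); }
        catch (IllegalArgumentException e) { System.out.println("deep, bounded: rejected, " + e.getMessage()); }
    }
}
```

The bounded variant fails with an ordinary exception the caller can handle, whereas `StackOverflowError` is an `Error` that application-level `catch (Exception e)` handlers do not intercept.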
