Low-Effort Denial of Service with Recursion
Alexis Challande, Brad Swain
Recursion is a powerful programming technique, but when applied carelessly to user input, it becomes a ticking time bomb. Our research uncovers widespread vulnerabilities lurking in popular open-source projects, including Google's ProtocolBuffer, ElasticSearch, or OpenSearch.
We demonstrate how seemingly innocuous recursive functions can be exploited to crash applications, leading to denial-of-service attacks.
As CodeQL beginners, we developed and refined a query to detect potentially vulnerable recursive patterns in large codebases. We'll share how we developed our approach to find these vulnerabilities, combining automated detection with manual analysis to uncover real-world weaknesses.
This process revealed a handful of vulnerabilities across major projects, which we responsibly disclosed and helped fix. We'll delve into the mechanics of these vulnerabilities, exploring why even memory-safe languages like Rust aren't immune. Join us for an eye-opening journey into leveraging CodeQL for offense and discovering hidden weaknesses in recursive patterns.
Speaker Bio:
Alexis Challande (@DarkaMaul) is a Security Researcher working at Trail of Bits, where he is part of the Ecosystem group. While his work mostly focuses on open-source supply chain security, he is also deeply interested in applying new static analysis tools and techniques to uncover vulnerabilities at scale.
Brad Swain is a security engineer at Trail of Bits with a background in program analysis and experience with compilers and operating systems. Brad has worked on engineering projects and DARPA funded research programs aimed at developing tools for analyzing and securing software systems
