DOI: 10.1145/3589334.3645476
Research article, Open access

Medusa: Unveil Memory Exhaustion DoS Vulnerabilities in Protocol Implementations

Published: 13 May 2024

Abstract

Web services have brought great convenience to daily life, but they are vulnerable to Denial-of-Service (DoS) attacks, and DoS attacks launched through vulnerabilities in the services themselves can cause great harm. Vulnerabilities in protocol implementations are especially important because protocol implementations are the keystones of web services: one vulnerable implementation affects every web service built on top of it. Compared with vulnerabilities that crash the target service, resource exhaustion vulnerabilities are equally if not more important, because they deplete system resources and so make unavailable not only the vulnerable service but also other services running on the same machine. Despite the significance of this type of vulnerability, research in this area has been limited.
In this paper, we propose Medusa, a dynamic analysis framework to detect memory exhaustion vulnerabilities in protocol implementations, which are the most common type of resource exhaustion vulnerability. Medusa works in two phases: exploration and verification. In the exploration phase, a protocol property graph (PPG) is constructed that embeds the protocol states together with relevant properties, including memory consumption information. In the verification phase, the PPG is used to simulate DoS attacks and confirm the vulnerabilities. We implemented Medusa and evaluated it on 21 implementations of five protocols. The results show that Medusa outperforms state-of-the-art techniques, reaching overall a 127× higher maximum memory consumption. Lastly, Medusa discovered six 0-day vulnerabilities in six protocol implementations of three protocols. In particular, one of the vulnerabilities was found in Eclipse Mosquitto, which can affect thousands of services, and it has been assigned a CVE ID.
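The two-phase split the abstract describes (explore protocol states while recording memory consumption, then replay suspicious transitions to confirm a real exhaustion path) can be illustrated with a toy oracle. The following is an added example written for this page, not Medusa's code or the authors' artifact: the MQTT-like broker, its deliberate subscription leak, the message alphabet and the modelled "footprint" are all constructed here, and a real harness would measure the target process's memory (for instance its RSS) instead of a model.

```python
"""Toy two-phase memory-exhaustion oracle: explore, then verify.
Constructed illustration, not Medusa's code. Nodes of the toy "protocol
property graph" are (protocol_state, footprint) pairs."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ToyBroker:
    """Constructed MQTT-like broker. Deliberate bug: repeated SUBSCRIBE for
    the same topic appends a new entry instead of replacing the old one."""
    state: str = "INIT"
    subscriptions: list = field(default_factory=list)
    retained: dict = field(default_factory=dict)

    def handle(self, msg):
        kind = msg[0]
        if kind == "CONNECT":                  # a new session frees the old one
            self.state = "CONNECTED"
            self.subscriptions.clear()
        elif self.state != "CONNECTED":        # pre-connect traffic is ignored
            pass
        elif kind == "SUBSCRIBE":
            self.subscriptions.append(msg[1])  # BUG: no de-duplication
        elif kind == "PUBLISH" and msg[2]:     # retain flag: one slot per topic
            self.retained[msg[1]] = msg[3]
        elif kind == "DISCONNECT":
            self.state = "INIT"
            self.subscriptions.clear()

    def footprint(self):
        """Modelled bytes held for clients (a real harness reads process RSS)."""
        return (sum(len(t) for t in self.subscriptions)
                + sum(len(k) + len(v) for k, v in self.retained.items()))


MESSAGES = (                                   # constructed message alphabet
    ("CONNECT",),
    ("SUBSCRIBE", "sensors/temp"),
    ("PUBLISH", "sensors/temp", True, "21.5"),
    ("PUBLISH", "sensors/temp", False, "21.5"),
    ("DISCONNECT",),
)


def replay(make_server, sequence):
    srv = make_server()
    for msg in sequence:
        srv.handle(msg)
    return srv


def explore(make_server, messages, max_depth):
    """Exploration phase: BFS over message sequences. Each edge is
    (src_node, msg, dst_node, prefix); the prefix reproduces the edge."""
    start = replay(make_server, ())
    root = (start.state, start.footprint())
    edges, seen, queue = [], {root}, deque([((), root)])
    while queue:
        prefix, src = queue.popleft()
        if len(prefix) >= max_depth:
            continue
        for msg in messages:
            srv = replay(make_server, prefix + (msg,))
            dst = (srv.state, srv.footprint())
            edges.append((src, msg, dst, prefix))
            if dst not in seen:
                seen.add(dst)
                queue.append((prefix + (msg,), dst))
    return edges


def candidates(edges):
    """A transition that keeps the protocol state but raises the footprint
    can be repeated by an attacker indefinitely: flag it (first prefix)."""
    picked = {}
    for src, msg, dst, prefix in edges:
        if src[0] == dst[0] and dst[1] > src[1] and msg not in picked:
            picked[msg] = prefix
    return picked


def verify(make_server, prefix, msg, rounds):
    """Verification phase: hammer the transition and demand growth in the
    second half too, so a store that fills once and plateaus is rejected."""
    srv = replay(make_server, prefix)
    base = srv.footprint()
    for _ in range(rounds // 2):
        srv.handle(msg)
    mid = srv.footprint()
    for _ in range(rounds - rounds // 2):
        srv.handle(msg)
    end = srv.footprint()
    return (end - base) / rounds if end > mid > base else 0.0


def audit(make_server=ToyBroker, messages=MESSAGES, max_depth=3, rounds=200):
    """{message: modelled bytes per message} for confirmed exhaustion paths."""
    found = {}
    for msg, prefix in candidates(explore(make_server, messages, max_depth)).items():
        rate = verify(make_server, prefix, msg, rounds)
        if rate > 0:
            found[msg] = rate
    return found
```

Running `audit()` flags both SUBSCRIBE and retained PUBLISH in the exploration phase, since each raises the footprint without changing the protocol state, but only SUBSCRIBE survives verification: the single retained slot fills once and plateaus, whereas the duplicated subscriptions keep growing linearly with every message.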


Published In

WWW '24: Proceedings of the ACM Web Conference 2024
May 2024, 4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. denial of service
    2. fuzz testing
    3. memory exhaustion
    4. protocol

    Qualifiers

    • Research-article

    Funding Sources

    • Chinese National Key R&D Program
    • RIE2020 Industry Alignment Fund
    • Chinese National Natural Science Foundation

Conference

WWW '24: The ACM Web Conference 2024
May 13 - 17, 2024
Singapore, Singapore

    Acceptance Rates

    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics

• 0 Total Citations
• 483 Total Downloads (483 in the last 12 months, 43 in the last 6 weeks)
Reflects downloads up to 05 Mar 2025

    Citations

    View Options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Login options

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media