Microsoft has released a free tool to help programmers test their regular expressions for vulnerability to denial of service attacks.
The SDL Regex Fuzzer, released by the software giant earlier this week, is designed to test programmers’ regular expressions – a ubiquitous formal language for matching strings of text – for constructs that can take exponential time to evaluate on a crafted input, and which therefore stand a chance of being exploited for nefarious ends. As its name suggests, it does so by feeding generated input strings to the expression and timing how long the matching engine takes on each.
Certain regular expression constructs, such as a repeated group that itself contains a repetition (a nested quantifier, of the shape `(a+)+`), can be fed an input that almost matches but fails at the very end. A backtracking engine then retries every way of splitting the input between the inner and outer repetitions, a number of attempts that doubles with each extra character, so a single request of a few dozen bytes can cause the system to ‘spin’ on one CPU core for seconds, minutes or longer, making it unavailable for general use – a denial of service, or DoS, attack.
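The following is an added illustration of the class of pattern described above, not code from Microsoft or the SDL Regex Fuzzer itself. It uses Python’s `re` module, whose backtracking engine behaves like .NET’s on this kind of pattern, and imitates the fuzzer’s approach in miniature: it feeds the expression progressively longer inputs that nearly match and times each one, stopping as soon as one run exceeds a small budget. Unlike the real tool, the seed character and the failing terminator are chosen by hand for this demo rather than generated. The patterns, function names and the 50 ms budget are all assumptions made for the example; it also checks, by exhaustive enumeration over short strings, that the hardened rewrite accepts exactly the same inputs as the original.

```python
"""Mini regex timing fuzzer for catastrophic backtracking (constructed demo)."""
import itertools
import re
import time

# A repetition nested inside a repetition: the classic ReDoS shape.
VULNERABLE = r"^(a+)+$"
# Accepts the same language (one or more 'a') with the nested quantifier removed.
HARDENED = r"^a+$"


def same_language(p1, p2, alphabet="a!", max_len=7):
    """Compare two patterns on every string over `alphabet` up to `max_len`
    characters, so a rewrite can be shown to accept exactly the same inputs
    as the original before it replaces it in production."""
    r1, r2 = re.compile(p1), re.compile(p2)
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = "".join(chars)
            if bool(r1.fullmatch(s)) != bool(r2.fullmatch(s)):
                return False
    return True


def time_match(compiled, text):
    """Wall-clock seconds for one search; the engine holds the GIL, so the
    call cannot be interrupted or timed out from another Python thread."""
    start = time.perf_counter()
    compiled.search(text)
    return time.perf_counter() - start


def probe(pattern, seed="a", poison="!", budget=0.05, max_len=26):
    """Grow a string the pattern can almost match, append a character that
    forces failure at the very end, and time the engine at each length.
    Starting small and stopping at the first run over `budget` means a
    catastrophic pattern is caught while it costs tens of milliseconds,
    not minutes; a linear pattern never comes near the budget at these sizes."""
    compiled = re.compile(pattern)
    timings = []
    for n in range(8, max_len + 1):
        elapsed = time_match(compiled, seed * n + poison)
        timings.append((n, elapsed))
        if elapsed > budget:
            return {"vulnerable": True, "trigger_length": n, "timings": timings}
    return {"vulnerable": False, "trigger_length": None, "timings": timings}


def is_vulnerable(pattern):
    return probe(pattern)["vulnerable"]


if __name__ == "__main__":
    print("hardened pattern accepts the same language:",
          same_language(VULNERABLE, HARDENED))
    for pat in (VULNERABLE, HARDENED):
        result = probe(pat)
        verdict = "VULNERABLE" if result["vulnerable"] else "ok"
        print(f"{pat:12s} {verdict:11s} trigger length: {result['trigger_length']}")
        for n, t in result["timings"][-4:]:
            print(f"    n={n:2d}  {t * 1000:9.3f} ms")
```

Running the block prints the last few timings for each pattern; for `^(a+)+$` they roughly double per added character until the budget is crossed somewhere around twenty characters, while `^a+$` stays in the microseconds all the way to the maximum length. The equivalence check matters in practice: a rewrite that silently changes what the expression accepts (for instance `^a*$`, which also admits the empty string) is a correctness bug traded for a performance fix.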
Unlike a distributed denial of service (DDoS) attack, which is a brute-force method of taking down a web-facing system by directing excess traffic from many machines at a single target, as The Ministry of Sound and ACS Law experienced, an attack on a vulnerable regular expression needs no botnet: a single individual sending a handful of crafted requests can have a devastating effect.
Although poorly constructed regular expressions are only one of many ways a program can be made vulnerable to a DoS attack, the fuzzer is a welcome addition to a programmer’s toolkit, and one that should help make future software more robust. Like any fuzzer, it can only report on patterns it is given and inputs it happens to generate, so it complements rather than replaces reviewing expressions for nested quantifiers and bounding how long a match is allowed to run on untrusted input.
If you’d like a copy of the SDL Regex Fuzzer, and you’re running Windows XP or newer with a copy of the .NET Framework 3.5 installed, you can snag it for free from the Microsoft Download page.