Long ago, I wrote adversaries that attempt to force _any_ algorithm that extracts a partial or total order from data toward its worst case.
These adversaries, like McIlroy's, sit in the compare() function, asking themselves: "what answer can I give, consistent with the data so far, that forces the algorithm to ask me the largest number of subsequent questions?"
For non-introspective quicksorts this forces O(n^2) behaviour, but it should also bring out the worst constant factors in algorithms with O(n log n) worst-case time.
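A minimal sketch of the idea in Python, using the "gas" trick from McIlroy's "A Killer Adversary for Quicksort" (the class, its names, and the deliberately naive quicksort below are my own, not McIlroy's code):

```python
class Adversary:
    """Comparison adversary in the spirit of McIlroy's antiqsort:
    keep every value 'gas' (unfrozen) as long as possible, and freeze
    the algorithm's apparent pivot to the smallest unused value."""

    def __init__(self, n):
        self.gas = n            # sentinel larger than any frozen value
        self.values = [self.gas] * n
        self.next_value = 0     # smallest value not yet handed out
        self.candidate = -1     # most recently inspected unfrozen index
        self.ncmp = 0

    def compare(self, x, y):
        self.ncmp += 1
        if self.values[x] == self.gas and self.values[y] == self.gas:
            # Both unfrozen: pin one down, preferring the pivot candidate,
            # so the pivot ends up as small as possible.
            victim = x if x == self.candidate else y
            self.values[victim] = self.next_value
            self.next_value += 1
        if self.values[x] == self.gas:
            self.candidate = x
        elif self.values[y] == self.gas:
            self.candidate = y
        return self.values[x] - self.values[y]

def quicksort(idx, cmp):
    # Deliberately naive victim: first element as pivot, no introspection.
    if len(idx) <= 1:
        return idx
    pivot, less, greater = idx[0], [], []
    for i in idx[1:]:
        (less if cmp(i, pivot) < 0 else greater).append(i)
    return quicksort(less, cmp) + [pivot] + quicksort(greater, cmp)
```

Running quicksort(list(range(64)), adv.compare) against a fresh Adversary(64) drives it to n(n-1)/2 comparisons, because the pivot gets frozen to the minimum at every partition and one side of every split is empty.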
I did some experiments: http://nicknash.me/2012/07/31/adversaries/
A proper reference is Kahn's "Sorting and Entropy", IIRC.
I think it's a good rule of thumb to say "if you need to sort large quantities of untrusted data you should probably use mergesort".
Glibc is the only libc I'm aware of that implements mergesort. It still falls back to quicksort for large inputs though.
Also, nice little write-up, thanks. I also dig the sort implementations you dug out: https://github.com/matslina/qsort
Application-level DDoS attacks leave the kernel/network/socket layers exposed for exploitation, since their tasks will take priority over users' applications.
So what's the benefit of that, just that you can maximize the chaos you cause by attacking in two different ways?
They all use introsort -- basically, use quicksort until you have done some number of partitions, then switch to heapsorting the cells of the partition. This keeps quicksort's fast average-case performance while guaranteeing O(n log n) in the worst case.
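A toy version of that depth-limit logic in Python (my sketch; real introsorts partition in place and also switch to insertion sort for small ranges, which this omits):

```python
import heapq
import math

def heapsort(a):
    # O(n log n) worst case -- the guaranteed fallback.
    h = list(a)
    heapq.heapify(h)
    return [heapq.heappop(h) for _ in range(len(h))]

def introsort(a, depth=None):
    # Depth budget ~ 2*log2(n); exceeding it means the quicksort
    # recursion tree is degenerating, so bail out to heapsort.
    if depth is None:
        depth = 2 * max(1, math.floor(math.log2(max(len(a), 2))))
    if len(a) <= 1:
        return list(a)
    if depth == 0:
        return heapsort(a)
    pivot = a[len(a) // 2]
    less = [x for x in a if x < pivot]
    equal = [x for x in a if x == pivot]
    greater = [x for x in a if x > pivot]
    return introsort(less, depth - 1) + equal + introsort(greater, depth - 1)
```

Even if an adversary steers every partition badly, at most ~2 log2(n) levels of quicksort run before heapsort takes over, so the total stays O(n log n).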
Now this is very interesting, but it could also be prevented with a random number generator influencing the selection of the pivot element. If this had been exploited, people would have looked into mitigating it.
Edit: you can also detect recursion-tree degeneration (just check the depth) and react to it (e.g. by changing the pivot selection).
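A sketch of the randomized-pivot mitigation in Python (my example; note the assumption that the attacker cannot predict the RNG state -- a seeded or predictable PRNG would reopen the attack):

```python
import random

def randomized_quicksort(a):
    # The pivot choice now depends on the RNG rather than the input,
    # so an attacker can't precompute a worst-case array in advance.
    if len(a) <= 1:
        return list(a)
    pivot = random.choice(a)
    less = [x for x in a if x < pivot]
    equal = [x for x in a if x == pivot]
    greater = [x for x in a if x > pivot]
    return randomized_quicksort(less) + equal + randomized_quicksort(greater)
```

This makes the quadratic case a matter of bad luck rather than bad input, though unlike introsort it offers no hard worst-case guarantee.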
Additionally, quicksort is just as easy to implement in parallel as mergesort and runs about as fast since it can be performed in-place.
That reminds me :)
$ expr \( -2147483648 \) \* -1
-2147483648
$ expr \( -2147483648 \) / -1
Floating point exception: 8 (core dumped)
$ uname -srm
FreeBSD 8.4-RELEASE-p9 i386

$ expr \( -2147483648 \) \* -1
2147483648
$ expr \( -2147483648 \) / -1
2147483648
$ uname -srm
FreeBSD 10.0-RELEASE amd64
Or maybe it doesn't work on i386?

$ echo | awk '{ print 2 ** 31 }'
2147483648
Make sure you are using /bin/expr, and maybe give -9223372036854775808 a whirl too.

Edit: I'm an idiot, totally glossed over the switch-to-heapsort logic.
You can see the fallback to heapsort here: http://referencesource.microsoft.com/#mscorlib/system/collec...
In other words, they use the worst-case O(n log n) heapsort, with an optimization that uses the much faster quicksort for non-pathological inputs -- which is almost always the case.
This is the main motivation behind SipHash, a new hash function designed to make collisions cryptographically hard for an attacker to find (it's a keyed PRF) while staying fast enough to use in hash tables: https://131002.net/siphash/
Though you and the article are both perpetuating the lie that hash table operations are O(1). What magical hash function distributes n inputs into O(n) buckets in O(1) time? (Hint: distributing into O(n) buckets requires looking at O(log n) bits.)
Hash table operations are O(1) on average, assuming a uniform hash function, and assuming that the number of buckets is kept greater than the number of elements. More info here: http://en.wikipedia.org/wiki/Hash_table#Performance_analysis
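Concretely, the "more buckets than elements" invariant is maintained by resizing as the table grows; a toy chaining table showing that bookkeeping (my own sketch, not any particular implementation):

```python
class ChainedTable:
    def __init__(self):
        self.buckets = [[] for _ in range(8)]
        self.count = 0

    def put(self, key, value):
        if self.count >= len(self.buckets):  # keep load factor below 1
            self._grow()
        chain = self.buckets[hash(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))
        self.count += 1

    def get(self, key):
        # Expected O(1): with a uniform hash and load factor < 1,
        # the average chain holds less than one entry.
        for k, v in self.buckets[hash(key) % len(self.buckets)]:
            if k == key:
                return v
        raise KeyError(key)

    def _grow(self):
        old = self.buckets
        self.buckets = [[] for _ in range(2 * len(old))]
        for chain in old:
            for k, v in chain:
                self.buckets[hash(k) % len(self.buckets)].append((k, v))
```

The doubling makes resizes amortized O(1) per insert; the attack under discussion works precisely by breaking the "uniform hash" assumption so that every entry lands in one chain.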
Computing the hash function itself is not usually factored into this analysis, probably because it's an orthogonal concern (ie. hash functions and hash table implementations can be mixed and matched), and because computing the hash function for every operation is not strictly required (the hash of the key can be cached).
But even if you are factoring in computation of the hash function, this is a strange argument:
> Hint: distributing into O(n) buckets requires looking at O(log n) bits.
Computers can look at O(log n) bits in a single operation for any "n" that can reasonably be held in memory.
For example, if your hash table has fewer than 4 billion entries, "log n" is less than 32, and any 32-bit computer can "look at" 32 bits in a single operation. So I can't see why you think "log n" needs to be a factor in the complexity analysis.
I suspect fluctuations in latency would make this exceedingly difficult, but I am constantly amazed by the statistical attacks people pull off.
This sort of thing might even work where the target comes to you for data (such as a search engine crawling you).
https://www.usenix.org/legacy/publications/library/proceedin...
[1] http://events.ccc.de/congress/2011/Fahrplan/attachments/2007...
http://code.google.com/p/awib/ "Awib is a brainfuck compiler written in brainfuck. "