Jump to content

Billion laughs attack: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
rmv random link
Removed misleading sentence, see http://docs.python.org/2.7/library/xml.html#xml-vulnerabilities or http://docs.python.org/3.3/library/xml.html#xml-vulnerabilities; if there are parsers that are not vulnerable to the attack, please list them
Line 34: Line 34:
</syntaxhighlight>
</syntaxhighlight>


When an XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on. After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually contain 10<sup>9</sup> = a billion "lol"s, taking up almost 3 [[gigabyte]]s of memory.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/magazine/ee335713.aspx|author=Bryan Sullivan|accessdate=2011-12-21|title=XML Denial of Service Attacks and Defenses}}</ref> However, many XML parsers will consider entities which resolve to entities which resolve to entities to be an entity loop and stop processing the XML almost immediately with one or more errors.{{Citation needed|date=October 2013}}
When an XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on. After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually contain 10<sup>9</sup> = a billion "lol"s, taking up almost 3 [[gigabyte]]s of memory.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/magazine/ee335713.aspx|author=Bryan Sullivan|accessdate=2011-12-21|title=XML Denial of Service Attacks and Defenses}}</ref>


==Variations==
==Variations==

Revision as of 10:00, 11 February 2014

In computer security, a billion laughs attack is a type of denial-of-service (DoS) attack which is aimed at parsers of XML documents.[1]

It is also referred to as an XML bomb or as an exponential entity expansion attack.[2]

Details

The example attack consists of defining 10 entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity.

In the most frequently cited example, the first entity is the string "lol", hence the name "billion laughs". The amount of computer memory used would likely exceed that available to the process parsing the XML (it certainly would have at the time the vulnerability was first reported).

While the original form of the attack was aimed specifically at XML parsers, the term may be applicable to similar subjects as well.[1]

The problem was first reported as early as 2003, but began to be widely addressed in 2008.[3]

Defenses against this kind of attack include capping the memory allocated in an individual parser if loss of the document is acceptable, or treating entities symbolically and expanding them lazily only when (and to the extent) their content is to be used.

Code example

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

When an XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on. After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually contain 109 = a billion "lol"s, taking up almost 3 gigabytes of memory.[4]

Variations

The billion laughs attack described above takes an exponential amount of space. The quadratic blowup variation causes quadratic growth in storage requirements by simply repeating a large entity over and over again, to avoid countermeasures that detect heavily nested entities. [5] (See computational complexity theory for comparisons of different growth classes.)

See also

References

  1. ^ a b Harold, Elliotte Rusty (27 May 2005). "Tip: Configure SAX parsers for secure processing". IBM developerWorks. Archived from the original on 4 March 2011. Retrieved 4 March 2011.
  2. ^ Sullivan, Bryan (November 2009). "XML Denial of Service Attacks and Defenses". MSDN Magazine. Microsoft Corporation. Retrieved 2011-05-31.
  3. ^ "CVE-2003-1564". Common Vulnerabilities and Exposures. The MITRE Corporation. 2003-02-02. Retrieved 2011-06-01.
  4. ^ Bryan Sullivan. "XML Denial of Service Attacks and Defenses". Retrieved 2011-12-21.
  5. ^ http://docs.python.org/2/library/xml.html#xml-vulnerabilities
Retrieved from "https://en.wikipedia.org/w/index.php?title=Billion_laughs_attack&oldid=594956370"