Microsoft has released a RegEx fuzzer and I suggest that people check it out as it is reasonably nifty. Finding and fixing costly Regexes certainly has a great deal of utility.
That said, I have a bit of an issue with a sentiment aired by Brian Sullivan in an SDL Blog Post introducing the tool:
“I’ve predicted before that as cloud computing gains wider adoption, we’ll start to see a significant increase in denial of service (DoS) attacks against those services. When you’re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I’ll make your app consume $20,000 worth of server resources,”
This should not be the application’s problem. This isn’t an attack against the application, but rather against the Cloud Providers’ business model, and it isn’t reasonable to offload the responsibility for reducing exploitation scenarios onto the App Developers. Just as the basic business model makes credit cards susceptible to fraud, and thus most (all?) Credit Card providers accept the risk for that fraud instead of pushing it onto customers, the Cloud Provider should adopt the same stance. Admittedly the application design impacts the ease of carrying out fraud with regard to cloud providers, but the consumer’s practices influence fraud the same way for credit card companies. Not only is it appropriate for Cloud Providers to assume this risk given that the exploit is in their business model, it is in their best interest. Should the extortion tactics hypothesized above see any widespread adoption, the long term impact is going to be on confidence in the Cloud model. The bottom line hurt by that impact isn’t going to be the consumers of the cloud, but the providers. By assuming the risk, rather than passing it off to customers, Cloud Providers may suffer increased cost per customer, but they will not lose customers due to a lack of confidence in the basic service model.
~ Joshbw