Microsoft has released a free tool to help programmers test their regular expressions for vulnerability to denial of service attacks.
The SDL Regex Fuzzer, released by the software giant earlier this week, is designed to test programmers’ regular expressions – a ubiquitous formal language for matching strings of text – for constructs that can take exponential time to evaluate (catastrophic backtracking) and which therefore stand a chance of being exploited to deny service.
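To make the "exponential time" point concrete, here is an added example (written for this page, not Microsoft's tool or code from the article) of the kind of measurement such a fuzzer performs: a deliberately small backtracking regex engine that counts its own steps, plus a driver that feeds it inputs of growing length and reports the per-character growth factor. The engine supports only literals, `.`, groups and `*`/`+`/`?`, and the pattern `(a+)+` with pumped input `aaaa…!` is the textbook illustration of catastrophic backtracking; the function and parameter names are this example's own.

```python
# Minimal backtracking matcher with a step counter, used to expose
# patterns whose match time grows exponentially with input length.
# AST nodes: ('char', c) | ('any',) | ('seq', [nodes]) | ('rep', node, lo, hi)

class StepBudgetExceeded(Exception):
    """Raised when a single match exceeds the allowed number of engine steps."""


def parse(pattern):
    """Parse a tiny regex subset: literals, '.', '(...)', and the quantifiers * + ?"""
    pos = 0

    def parse_seq():
        nonlocal pos
        items = []
        while pos < len(pattern) and pattern[pos] != ')':
            ch = pattern[pos]
            pos += 1
            if ch == '(':
                atom = parse_seq()
                if pos >= len(pattern) or pattern[pos] != ')':
                    raise ValueError("unbalanced parenthesis")
                pos += 1
            elif ch == '.':
                atom = ('any',)
            elif ch == '\\':
                atom = ('char', pattern[pos])
                pos += 1
            else:
                atom = ('char', ch)
            if pos < len(pattern) and pattern[pos] in '*+?':
                q = pattern[pos]
                pos += 1
                atom = ('rep', atom, 1 if q == '+' else 0, 1 if q == '?' else None)
            items.append(atom)
        return ('seq', items)

    tree = parse_seq()
    if pos != len(pattern):
        raise ValueError("unexpected ')'")
    return tree


class Matcher:
    """Anchored (full-string) backtracking matcher; every node visit costs one step."""

    def __init__(self, tree, budget):
        self.tree, self.budget, self.steps = tree, budget, 0

    def fullmatch(self, s):
        self.steps = 0
        return self._m(self.tree, s, 0, lambda i: i == len(s))

    def _m(self, node, s, i, k):
        self.steps += 1
        if self.steps > self.budget:
            raise StepBudgetExceeded(self.steps)
        kind = node[0]
        if kind == 'char':
            return i < len(s) and s[i] == node[1] and k(i + 1)
        if kind == 'any':
            return i < len(s) and k(i + 1)
        if kind == 'seq':
            return self._seq(node[1], 0, s, i, k)
        return self._rep(node[1], node[2], node[3], s, i, k, 0)

    def _seq(self, items, j, s, i, k):
        if j == len(items):
            return k(i)
        return self._m(items[j], s, i, lambda n: self._seq(items, j + 1, s, n, k))

    def _rep(self, sub, lo, hi, s, i, k, count):
        # Greedy: try one more repetition first (refusing empty iterations), then give up a repeat.
        if hi is None or count < hi:
            if self._m(sub, s, i, lambda n: n != i and self._rep(sub, lo, hi, s, n, k, count + 1)):
                return True
        return count >= lo and k(i)


def step_profile(pattern, pump, suffix, lengths=range(4, 15), budget=3_000_000):
    """[(input_length, steps)] for pump*n + suffix; steps is None once the budget is blown."""
    tree = parse(pattern)
    profile = []
    for n in lengths:
        matcher = Matcher(tree, budget)
        try:
            matcher.fullmatch(pump * n + suffix)
            profile.append((n, matcher.steps))
        except StepBudgetExceeded:
            profile.append((n, None))
            break
    return profile


def growth_factor(profile):
    """Average per-character multiplier of the step count over the measured inputs (~2 means doubling)."""
    measured = [(n, st) for n, st in profile if st is not None]
    (n0, s0), (n1, s1) = measured[0], measured[-1]
    return (s1 / s0) ** (1 / (n1 - n0))


def verdict(pattern, pump, suffix):
    """'exponential' if the budget is exhausted or steps multiply per added character, else 'ok'."""
    profile = step_profile(pattern, pump, suffix)
    if any(st is None for _, st in profile) or growth_factor(profile) > 1.5:
        return "exponential"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the nested quantifier explodes, the flat one stays linear.
    for pat in ("(a+)+", "a+"):
        print(pat, step_profile(pat, "a", "!"), verdict(pat, "a", "!"))
```

The point to take from running it: the nested quantifier in `(a+)+` lets the engine split the run of `a`s into every possible grouping before concluding that the trailing `!` cannot match, so the step count roughly doubles with each extra character, whereas the equivalent `a+` fails in a number of steps proportional to the input. A real fuzzer does the same job against the production engine with wall-clock timeouts instead of a step counter; the mitigations are the same either way: avoid nested or overlapping quantifiers, bound input length before matching, and where the platform offers it, set a match timeout.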
Someone please tell me that I misread the article.
Did Microsoft actually say that a spinning process can make a computer unresponsive, as naturally as if it were a fact of life?
I mean… It’s already annoying that we can freeze Windows 7 with a three-line batch file and most Unices with seven characters (fork bombing). Now, this is worse.
Not sure why that is surprising. DoS just means denial of service. All systems have a capacity beyond which they can no longer serve additional clients. If you send in enough requests that consume enough of the system’s resources, boom, denial of service.
It’s apparently not about sending many requests (DDoS), but rather about a single process slowing down the whole OS. But as I said, I may have misunderstood the article.
I don’t think this is necessarily about OS responsiveness as it is app responsiveness. If you can bring down the app, it doesn’t matter that the OS is still responsive (granted, affecting the OS is a worse case). The app can no longer service requests (or can’t do so in a timely manner).
Here’s a bit more info:
http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regex-f…