This DoS goes loop-di-loop

•

0 likes•332 views

The document discusses different types of denial of service (DoS) attacks that can impact Node.js applications, including regular expression DoS (ReDoS), JSON parsing DoS, and storage/I/O DoS. It provides code examples demonstrating how these attacks work and suggestions for mitigations, such as using libraries less vulnerable to ReDoS, limiting input sizes, and ensuring asynchronous storage operations.

Software

This DoS Goes Loop-di-Loop
Allon Mureinik
Senior Manager, Seeker Node.js and .NET Agents
Synopsys, Inc.
allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/
FlawCon, 20/10/2019

© 2019 Synopsys, Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
Developers vs Hackers
How will an
unreasonable person
abuse it?
How will a
reasonable person
use it?
https://thenounproject.com/term/theater/17128

© 2019 Synopsys, Inc. 3This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
Quick Reminder: Node.js’ Event Loop
https://thenounproject.com/term/redo/62716

© 2019 Synopsys, Inc. 4This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
Benchmarks
https://www.tandemseven.com/blog/performance-java-vs-node/

© 2019 Synopsys, Inc. 5This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
Reminder: Denial of Service (DoS)
https://thenounproject.com/term/decline/373722

$© 2019 Synopsys, Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }$

© 2019 Synopsys, Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
Regex DoS (ReDoS) - results
0
50,000
100,000
150,000
200,000
250,000
300,000
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35
Time(ms)
As

© 2019 Synopsys, Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
https://thenounproject.com/term/alternative-route/2902159
•Check your regexes
–E.g., use safe-regex, vuln-regex-detector
•Don’t allow tainted input as regex
–Not always possible…
–If you must, sanitize it (again safe-regex etc.)
•Don’t allow tainted input to be evaluated by a dodgy regex
–Usually not possible…
–Use length limits
•Think about alternative solutions
–re2 isn’t vulnerable to ReDoS
–Use specific tools for specific needs (e.g., validator.js)
Regex DoS (ReDoS) - Remediation

© 2019 Synopsys, Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
JSON DoS
for (let i = 1024; i <= 1024 * 1024 ; i += 1024) {
const str = '"' + Array(i + 1).join('a') + '"';
const before = new Date();
for (let j = 1; j < 100; ++j) {
JSON.parse(str);
}
const after = new Date();
console.log(`${i}t${after-before}`);
}

© 2019 Synopsys, Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
JSON DoS - Results
-50
0
50
100
150
200
250
300
0 200 400 600 800 1000 1200
Time(ms)
String Lengh (KB)

© 2019 Synopsys, Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
https://thenounproject.com/term/alternative-route/2902159/
•Don’t allow tainted input to be parsed
–Not realistic…
•Limit the size of the input
–Express: app.use(express.json({limit: '50kb'})
–Hapi: route.options.payload.maxBytes = 50 * 1024
•If you aren’t parsing JSON by a middle, consider alternative
libraries like BFJ or JSONStream
JSON DoS - Remediation

© 2019 Synopsys, Inc. 12This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
“If anything can hang, it will”
- Murphy’s law of storage
Storage (I/O) DoS

© 2019 Synopsys, Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
The are two ways to perform storage operations in Node.js:
1. The async way
–Delegate a storage operation to the kernel, and wait for a callback
–E.g.: fs.readDir, fs.writeFile, etc
–3rd parties follow similar patterns (e.g., fs-extra, adm-zip)
2. The wrong way
Storage (I/O) DoS - Remediation

© 2019 Synopsys, Inc. 15This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0)
Questions?
https://thenounproject.com/term/questions/1195076/

Thank You
Contact
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/

Open source thrives on diversity. The last couple of years has seen huge strides in that aspect with codes of conduct and initiatives like the Contributor Covenant. While these advancements are crucial, they are not enough. In order to truly be inclusive, it’s not enough for the community members to be welcoming and unbiased, the communities’ processes and procedures really support inclusiveness by not only making marginalized members welcome, but allowing them to fully participate. Slides from my talks at FOSDEM 2020 and DevConf.CZ 2020

Chaos Debugging for Microservices

Christian Posta

Distributed microservices introduce new challenges: failure modes are harder to anticipate and resolve. In this session, we present a “Chaos Debugging” framework enabled by three open source projects: Gloo Shot, Squash, and Loop to help you increase your microservices’ “immunity” to issues. Gloo Shot integrates with any service mesh to implement advanced, realistic chaos experiments. Squash connects powerful and mature debuggers (gdb, dlv, java debugging) to your microservices while they run in Kubernetes. Loop extends the capability of your service mesh to observe your application and record full transactions for sandboxed replay and debugging. Come to this demo-heavy talk to see how together, Squash, Gloo Shot, and Loop allow you to trigger, replay, and investigate failure modes of your microservices in a language agnostic and efficient manner without requiring any changes to your code.

apidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.io

apidays

apidays Paris 2022 - APIs the next 10 years: Software, Society, Sovereignty, Sustainability December 14, 15 & 16, 2022 Blurred Lines - When North/South meets East/West Denis Jannot, Director of Field Engineering at EMEA, Solo.io ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/ Deep dive into the API industry with our reports: https://www.apidays.global/industry-reports/ Subscribe to our global newsletter: https://apidays.typeform.com/to/i1MPEW

Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...

VMware Tanzu

Private Cloud Platform as a Service

Jim Kaskade

The security phoenix - from the ashes of DEV-OPS Appsec California 2020

NSC42 Ltd

Title: The Security Phoenix Subtitle: From the ashes of DEVOPS Synopsis: The talk will take the audience on a path to integrate security in development covering aspect like SDLC, People and Technology, Metrix, and maturity matrix. The Talk will focus on several aspect like: • Visibility of vulnerabilities in production • Traceability of software built and source of the component • Visualization of vulnerabilities and target (Divide in quarter, Build vs Fix) • Maturity matrix and path to evolution with KCI • Advanced concepts like breaking the build, license to operate If time is available, the talk will explore some additional lesson learned rough length: Compressed 25+5 min long version 30 min Audience Take Away: ● How to build a cybersecurity programme with people and technology at the heart ● How and why to trace component and how they are built ● Why visibility in production and traceability is important ● How to set targets for product teams and what to measure in various phases ● How to involve risk assessment and where to apply governance ● Use cases to visualize vulnerabilities

apidays LIVE Australia 2020 - From micro to macro-coordination through domain...

apidays

Consumer Driven Contracts and Your Microservice Architecture

VMware Tanzu

SpringOne Platform 2017 Marcin Grzejszczak, Pivotal; Adib Saikali, Pivotal "Consumer driven contracts (CDC) are like TDD applied to the API. It’s especially important in the world of microservices. Since it’s driven by consumers, it’s much more user friendly. Of course microservices are really cool, but most people do not take into consideration plenty of potential obstacles that should be tackled. Then instead of frequent, fully automated deploys via a delivery pipeline, you might end up in an asylum due to frequent mental breakdowns caused by production disasters. We will write a system using the CDC approach together with Spring Boot, Spring Cloud Contract verifier. We’ll show you how easy it is to write applications that have a consumer driven API and that will allow a developer to speed up the time of writing his better quality softwar"

Security Architecture in DEVOPS Title: Security Architect, slayer of dragons defenders of the realms and protectors of the cybersecurity automation Synopsis: The talk will take the audience on a journey from the origin of the security architecture, the challenge of cloud security and the role of an architect in the dev-sec-ops world. The talk explains the difference between traditional command and control governance and the solution to avoid starving automation and innovation with traditional security governance We will explore: Security Gates and why they do not always work in dev-ops Automation how-tos: How to deploy cybersecurity at scale Why is important to know how to deal with people Automation in the pipeline is the king If time is available the talk will explore some additional lesson learned rough length: compressed version 30 min normally 50 min or workshop format Audience Take Away: How to build a cybersecurity programme with architecture at the heart how to do traditional security governance how to mix governance and agile development as well as dev sec ops how to extract patterns from existing design the value of design principle patterns and why they are key to go fast. how and when to use tools (SAST/DAST) and when to engineer

Open AR Cloud One Year Since the Launch

Open AR Cloud

Consumer Driven Contracts and Your Microservice Architecture

Marcin Grzejszczak

Consumer driven contracts (CDC) are like TDD applied to the API. It’s especially important in the world of microservices. Since it’s driven by consumers, it’s much more user friendly. Of course microservices are really cool, but most people do not take into consideration plenty of potential obstacles that should be tackled. Then instead of frequent, fully automated deploys via a delivery pipeline, you might end up in an asylum due to frequent mental breakdowns caused by production disasters. We will write a system using the CDC approach together with Spring Boot, Spring Cloud Contract verifier. We’ll show you how easy it is to write applications that have a consumer driven API and that will allow a developer to speed up the time of writing his better quality software.

Internet of Things Security & Privacy

Chris Adriaensen

Webinar–OWASP Top 10 for JavaScript for Developers

Synopsys Software Integrity Group

During a recent webinar, Lewis Ardern, senior security consultant presented "OWASP Top 10 for JavaScript Developers." 19_10_EMEA_WB_Owasp Top 10 for Java Script Developers With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities. For more information, please visit our website at www.synopsys.com/standards

AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...

AWS Summits

Chevron Phillips Chemical Co LLC .docx

mccormicknadine86

Chevron Phillips Chemical Co LLC 1 Chevron Phillips Chemical Co LLC Chevron Phillips Chemical Company LLC is one of the world’s top producers of olefins and polyolefins with Specialty Chemical groups offering a wide range of alkanes, mining chemicals, aromatics, and natural gas odorants around the globe. Based in Woodlands TX, Chevron Phillips Chemical Company LLC is a joint venture between Houston-based Phillip 66 and California-based Chevron Corp with over $16 billion in assets, over $9 billion in revenue, employing nearly 5000 workers throughout 33 facilities(Chevron Phillips Chemical Company LLC, 2020). Chevron Corporation and Phillips Petroleum Company, now Phillips 66 each own 50 percent of Chevron Phillips Chemical Company LLC. Chevron Phillips Chemical (CPChem) has 31 facilities located in the United States, Belgium, Columbia, Saudi Arabia, and Singapore along with two major research, technology, and quality control centers in Kingwood, TX and Bartlesville, OK(Chevron Phillips Chemical Company LLC, 2020).Chevron Phillips Chemical along with Qatar Petroleum inked an agreement to pursue an $8 billion petrochemical complex that would have a 2-million-metric-ton-per-year ethylene cracker plant and 1-million-metric-ton-per-year polyethylene plant. Most recently CHChem has begun construction on a $5.86 billion project that will employ approximately 3500 workers by 2024(Pulsinelli, 2019). Chevron Phillips Chemical has been recognized at the American Chemistry Council’s (ACC) Responsible Care Conference and Expo for achieving energy-efficiency improvements for back-to-back years(Chevron Phillips Chemical Company LLC, 2020). Chevron Phillips Chemical Company has agree to report spills of pre-production plastic pellets, which are believed to be a significant source of ocean plastic pollution(Second Large Plastics Manufacturer, 2019).CPChem approach to stakeholder engagement is to identify and include stakeholders in the design and implementation of the engagement process. References Chevron Phillips Chemical Company LLC. (2020, February 7). Retrieved from cpchem.com: http://www.cpchem.com/en-us/sustain/pages/about-chevron%20phillips%20chemical.aspx Pulsinelli, O. (2019, June 21). Chevron Phillips Chemical reportedly make $15B acquisition bid. Retrieved from Houston Business Journal: https://www.bizjournals.com/houston/news/2019/06/21/chevron-phillips-chemical-reportedly-makes-15b.html Second Large Plastics Manufacturer. (2019, April 9). Retrieved from Plastic Pollution Coalition: https://www.plasticpollutioncoalition.org/blog/2019/4/9/7vynjta76svqssdj39yx76yxgmol47 2/29/2020 Originality Report https://csp.blackboard.com/webapps/mdb-sa-BB58b699acdcc23/originalityReport/ultra?attemptId=7e50cc7a-9e77-416c-97b5-756aeb916af6&course_id=_15095_1&… 1/4 %43 SafeAssign Originality Report 100 ITM 510 Research in Information ...

Chevron Phillips Chemical Co LLC .docx

bissacr

Check Point Consolidation

Group of company MUK

Dart on Arm - Flutter Bangalore June 2021

Chris Swan

Devoxx UK 2022 - Application security: What should the attack landscape look ...

Chris Swan

What do we need to do in the next few years to ensure that the attack landscape for 2030 isn't the same as 2020? Better languages and frameworks have already brought substantial improvements in memory safety, eliminating whole classes of vulnerabilities caused by buffer overflows.Yet despite a major reshuffle in 2021, the OWASP top 10 remains full of things that boil down to a lack of input validation. An issue that has bedevilled tech since its inception. We're all told that we shouldn't trust the input to our programs, and that validation is our best defence. But developers get precious little help on that front from today's languages and frameworks; something that can and should change. This talk will examine a hypothetical evolution of TypeScript - ValidScript, to consider a future where input validation is baked in.

Tools to Slay the Fire Breathing Monoliths in Your Enterprise

VMware Tanzu

SpringOne Platform 2017 Rohit Kelapure, Pivotal; Joe Szodfridt, Pivotal; Shaun Anderson, Pivotal Are fire-breathing monoliths lurking throughout your Enterprise? Many of these ancient behemoths can be millions of lines long and can wreak havoc when trying to evolve and transform your business. Unfortunately, your business depends on services they provide, so they can’t just be eliminated without a battle plan. The Pivotal App Transformation practice has continuously refined approaches and techniques to slay your monoliths. In this session, we will discuss how to carve up your legacy dragons into manageable pieces using techniques and patterns such as Event Storming, Strangling, Starving, Slice Analysis and Domain Driven Decomposition. Monolith slaying is not easy, but with the right tools and weapons at your disposal, your journey to the Cloud can be as easy as a stroll through the forest.

W3 conf hill-html5-security-realitiesBrad Hill

Common Missteps in Cross-Platform Development.pdf

Pridesys IT Ltd.

IoTivity: Smart Home to Automotive and Beyond

Samsung Open Source Group

Des ops101 : Overview - RH CoP UI/UX 9nov2018

Samir Dash

Oracle Code Capgemini: API management & microservices a match made in heaven

luisw19

Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...Ravanne Harris

Injustice - Developers Among Us (SciFiDevCon 2024)

Allon Mureinik

Most of us don’t wear capes to work. Most of us don’t have colleagues who are tricked by supervillains into killing their wives and blowing up their cities. However, some, if not most, of us have colleagues who think of themselves as heroes, but if they would take a step back and ask how others see them, they might be surprised to hear they are the unintentional villains of the story. In this talk from SciFiDevCon 2024 I’ll go over some of the worst ways developers may harm their teams and colleagues while meaning well, and how those who try to keep them grounded are the real unsung heroes of software development.

Default to Async - Prevent DoS attacks on your app and your day

Allon Mureinik

Similar to This DoS goes loop-di-loop

Ivanti Patch Tuesday for April 2020

Ivanti

Cheqd: Making privacy-preserving digital credentials fun

SSIMeetup

Nsc42 security knights slayer of dragons 0-5_very_short_15m_share

NSC42 Ltd

Open AR Cloud One Year Since the Launch

Open AR Cloud

Consumer Driven Contracts and Your Microservice Architecture

Marcin Grzejszczak

Internet of Things Security & Privacy

Chris Adriaensen

Webinar–OWASP Top 10 for JavaScript for Developers

Synopsys Software Integrity Group

AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...

AWS Summits

Chevron Phillips Chemical Co LLC .docx

mccormicknadine86

Chevron Phillips Chemical Co LLC .docx

bissacr

Check Point Consolidation

Group of company MUK

Dart on Arm - Flutter Bangalore June 2021

Chris Swan

Devoxx UK 2022 - Application security: What should the attack landscape look ...

Chris Swan

Tools to Slay the Fire Breathing Monoliths in Your Enterprise

VMware Tanzu

W3 conf hill-html5-security-realitiesBrad Hill

Common Missteps in Cross-Platform Development.pdf

Pridesys IT Ltd.

IoTivity: Smart Home to Automotive and Beyond

Samsung Open Source Group

Des ops101 : Overview - RH CoP UI/UX 9nov2018

Samir Dash

Oracle Code Capgemini: API management & microservices a match made in heaven

luisw19

Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...Ravanne Harris

Similar to This DoS goes loop-di-loop (20)

Ivanti Patch Tuesday for April 2020

Cheqd: Making privacy-preserving digital credentials fun

Nsc42 security knights slayer of dragons 0-5_very_short_15m_share

Open AR Cloud One Year Since the Launch

Consumer Driven Contracts and Your Microservice Architecture

Internet of Things Security & Privacy

Webinar–OWASP Top 10 for JavaScript for Developers

AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...

Chevron Phillips Chemical Co LLC .docx

Check Point Consolidation

Dart on Arm - Flutter Bangalore June 2021

Devoxx UK 2022 - Application security: What should the attack landscape look ...

Tools to Slay the Fire Breathing Monoliths in Your Enterprise

W3 conf hill-html5-security-realities

Common Missteps in Cross-Platform Development.pdf

IoTivity: Smart Home to Automotive and Beyond

Des ops101 : Overview - RH CoP UI/UX 9nov2018

Oracle Code Capgemini: API management & microservices a match made in heaven

Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...

More from Allon Mureinik

Injustice - Developers Among Us (SciFiDevCon 2024)

Allon Mureinik

Default to Async - Prevent DoS attacks on your app and your day

Allon Mureinik

What an episode of Rick and Morty taught me about (accidental) toxicity

Allon Mureinik

Most people don’t set out to be toxic on purpose (and if you do – this talk probably isn’t for you), but many of us may have toxic behavior we aren’t even aware of. In this talk I’ll discuss accidental toxicity, how to recognize it, and how to avoid it to make your workplace truly inclusive, or at the very least, better than a vat of acid. Talk from SciFiDevCon 2023 https://www.scifidevcon.com/courses/2023-may-the-fourth-event/contents/6445c71664185

We are the Borg, you will be interviewed

Allon Mureinik

When I started interviewing for my first job, back in 2006, I noticed that most of the interviewers I had were asking the exact same questions, and expecting the exact same answers. Either they had all been reading the same Interviewing 101 book, or I was been interviewed by a hive mind. In this talk from SciFiDevCon 2022, I've shared how I passed those interviews not by providing the best answer, but by doing something the hive mind would never – by showcasing my individuality. Ironically, I did that by introducing the Borg to the interview process. Recording: https://youtu.be/kiSVdnKy7fM

What I wish I knew about security - Allon Mureinik DevConf.CZ 2022

Allon Mureinik

Eighteen years into my career, I decided to pivot and move from infrastructure-related work to the world of application security. If there’s one thing I’ve learned in the three years of working in application security is that it’s a funny business. Our entire business model is based on pointing out the mistakes of other programmers. In this talk, I want to shoot myself in the foot and share some concepts that could help eliminate a lot of those mistakes, and reduce my job to snuffing out the more interesting mistakes.

Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk

Allon Mureinik

Zoom out

Allon Mureinik

How open source made me a better manager

Allon Mureinik

Management seems like a simple job - you tell people what to do, they do it, rinse, repeat. For bad managers, it really is this simple. Good managers do things differently. They let team members affect, if not drive, the team's direction. They allow the best ideas to guide the team's activity, no matter who brings them up. They are not intimidated by non-managers displaying leadership qualities, they encourage them. While these sentiments aren't unique to open source, they are the core of open source communities - allowing individuals to exert influence without any official authority. That's why I think working in open source is the best way to learn how to be a good manager, and I'll try to share this concept in my talk.

Automatic for the People

Allon Mureinik

Being a maintainer, or even a notable contributor in an open source project is a damn hard job. Not only are you expected to tackle the hardest programming tasks, but suddenly you're also expected to do all these "softer" things - review other people's work, provide feedback, ramp up other contributors, etc. In this talk from DevConf.us 2018, I've shown how your gut instinct as an engineer - to automate everything - can actually work here too (at least to a certain degree), and take a lot of the load off your shoulders.

Automatic for the people

Allon Mureinik

Being a maintainer, or even a notable contributor in an open source project is a damn hard job. Not only are you expected to tackle the hardest programming tasks, but suddenly you're also expected to do all these "softer" things - review other people's work, provide feedback, ramp up other contributors, etc. In this session, I'll show how your gut instinct as an engineer - to automate everything - can actually work here too (at least to a certain degree), and take a lot of the load off your shoulders. Slides from my DevConf.CZ 2018 talk

Mockito - How a mocking library built a real community

Allon Mureinik

Mockito - how a mocking library built a real community (August Penguin 2017)

Allon Mureinik

Reversim Summit 2016 - Ja-WAT

Allon Mureinik

Java prides itself in not allowing you to shoot yourself in the foot, but doesn't always live up to the hype. Recent editions have introduced powerful new syntactic tools which make development much easier, but can often result in "WAT" moments. This lightening talk (given in Reversim Summit 2016), inspired by Gary Bernhardt's famous WAT talk will showcase some of the cases where Java has left me scratching my head and asking "WAT?".

Virtualization Management The oVirt Way (August Penguin 2015)

Allon Mureinik

Step by Step - Reusing old features to build new ones

Allon Mureinik

Designing monolithic infrastructures is a common mistake in large projects. However, more often than not, these infrastructures are too generic, make false assumptions or are simply delivered too late for feature developers to use, becoming "white elephants". This presentation is a case study of the work done by my team to deliver Live Merging of Snapshots oVirt from the initial steps in oVirt 3.1.0 to the full delivery in 3.5.0, and how good design can be feature-driven, building infra-structures step by step, while gaining small wins during the process.

oVirt 3.5 Storage Features Overview

Allon Mureinik

Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...

Allon Mureinik

Live Storage Migration in oVirt (Open Storage Meetup May 2013)

Allon Mureinik

Retro Testing (DevConTLV Jan 2014)

Allon Mureinik

More from Allon Mureinik (19)

Injustice - Developers Among Us (SciFiDevCon 2024)

Default to Async - Prevent DoS attacks on your app and your day

What an episode of Rick and Morty taught me about (accidental) toxicity

We are the Borg, you will be interviewed

What I wish I knew about security - Allon Mureinik DevConf.CZ 2022

Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk

Zoom out

How open source made me a better manager

Automatic for the People

Automatic for the people

Mockito - How a mocking library built a real community

Mockito - how a mocking library built a real community (August Penguin 2017)

Reversim Summit 2016 - Ja-WAT

Virtualization Management The oVirt Way (August Penguin 2015)

Step by Step - Reusing old features to build new ones

oVirt 3.5 Storage Features Overview

Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...

Live Storage Migration in oVirt (Open Storage Meetup May 2013)

Retro Testing (DevConTLV Jan 2014)

Recently uploaded

BoxLang: Review our Visionary Licenses of 2024

Ortus Solutions, Corp

Enhancing Research Orchestration Capabilities at ORNL.pdf

Globus

Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.

Large Language Models and the End of Programming

Matt Welsh

Globus Compute Introduction - GlobusWorld 2024

Globus

May Marketo Masterclass, London MUG May 22 2024.pdf

Adele Miller

Lecture 1 Introduction to games development

abdulrafaychaudhry

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

Providing Globus Services to Users of JASMIN for Environmental Data Analysis

Globus

JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.

A Sighting of filterA in Typelevel Rite of Passage

Philip Schwarz

Globus Compute wth IRI Workflows - GlobusWorld 2024

Globus

As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.

Understanding Globus Data Transfers with NetSage

Globus

NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?

OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam

takuyayamamoto1800

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Google

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-pilot-review/ AI Pilot Review: Key Features ✅Deploy AI expert bots in Any Niche With Just A Click ✅With one keyword, generate complete funnels, websites, landing pages, and more. ✅More than 85 AI features are included in the AI pilot. ✅No setup or configuration; use your voice (like Siri) to do whatever you want. ✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It… ✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again. ✅ZERO Limits On Features Or Usages ✅Use Our AI-powered Traffic To Get Hundreds Of Customers ✅No Complicated Setup: Get Up And Running In 2 Minutes ✅99.99% Up-Time Guaranteed ✅30 Days Money-Back Guarantee ✅ZERO Upfront Cost See My Other Reviews Article: (1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review

Cracking the code review at SpringIO 2024

Paco van Beckhoven

Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production. Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process? In this session we will cover: - The Art of Effective Code Reviews - Streamlining the Review Process - Elevating Reviews with Automated Tools By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces

2024 RoOUG Security model for the cloud.pptx

Georgi Kodinov

Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...

Mind IT Systems

Cyaniclab : Software Development Agency Portfolio.pdf

Cyanic lab

CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns

Unlocking Business Potential: Tailored Technology Solutions by Prosigns Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support. Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth. Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices. AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making. Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency. DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration. Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly. Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business. Join us on a journey of innovation and growth. Let's partner for success with Prosigns.

First Steps with Globus Compute Multi-User Endpoints

Globus

In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.

A Comprehensive Look at Generative AI in Retail App Testing.pdf

kalichargn70th171

Recently uploaded (20)

BoxLang: Review our Visionary Licenses of 2024

Enhancing Research Orchestration Capabilities at ORNL.pdf

Large Language Models and the End of Programming

Globus Compute Introduction - GlobusWorld 2024

May Marketo Masterclass, London MUG May 22 2024.pdf

Lecture 1 Introduction to games development

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Providing Globus Services to Users of JASMIN for Environmental Data Analysis

A Sighting of filterA in Typelevel Rite of Passage

Globus Compute wth IRI Workflows - GlobusWorld 2024

Understanding Globus Data Transfers with NetSage

OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Cracking the code review at SpringIO 2024

2024 RoOUG Security model for the cloud.pptx

Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...

Cyaniclab : Software Development Agency Portfolio.pdf

Prosigns: Transforming Business with Tailored Technology Solutions

First Steps with Globus Compute Multi-User Endpoints

A Comprehensive Look at Generative AI in Retail App Testing.pdf

This DoS goes loop-di-loop

1. This DoS Goes Loop-di-Loop Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/ FlawCon, 20/10/2019

2. © 2019 Synopsys, Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Developers vs Hackers How will an unreasonable person abuse it? How will a reasonable person use it? https://thenounproject.com/term/theater/17128

6. © 2019 Synopsys, Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }

7. © 2019 Synopsys, Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) - results 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time(ms) As

8. © 2019 Synopsys, Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159 •Check your regexes –E.g., use safe-regex, vuln-regex-detector •Don’t allow tainted input as regex –Not always possible… –If you must, sanitize it (again safe-regex etc.) •Don’t allow tainted input to be evaluated by a dodgy regex –Usually not possible… –Use length limits •Think about alternative solutions –re2 isn’t vulnerable to ReDoS –Use specific tools for specific needs (e.g., validator.js) Regex DoS (ReDoS) - Remediation

9. © 2019 Synopsys, Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS for (let i = 1024; i <= 1024 * 1024 ; i += 1024) { const str = '"' + Array(i + 1).join('a') + '"'; const before = new Date(); for (let j = 1; j < 100; ++j) { JSON.parse(str); } const after = new Date(); console.log(`${i}t${after-before}`); }

10. © 2019 Synopsys, Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS - Results -50 0 50 100 150 200 250 300 0 200 400 600 800 1000 1200 Time(ms) String Lengh (KB)

11. © 2019 Synopsys, Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159/ •Don’t allow tainted input to be parsed –Not realistic… •Limit the size of the input –Express: app.use(express.json({limit: '50kb'}) –Hapi: route.options.payload.maxBytes = 50 * 1024 •If you aren’t parsing JSON by a middle, consider alternative libraries like BFJ or JSONStream JSON DoS - Remediation

13. © 2019 Synopsys, Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) The are two ways to perform storage operations in Node.js: 1. The async way –Delegate a storage operation to the kernel, and wait for a callback –E.g.: fs.readDir, fs.writeFile, etc –3rd parties follow similar patterns (e.g., fs-extra, adm-zip) 2. The wrong way Storage (I/O) DoS - Remediation

15. Thank You Contact allon.mureinik@synopsys.com @mureinik https://www.linkedin.com/in/mureinik/

This DoS goes loop-di-loop

Recommended

Recommended

More Related Content

Similar to This DoS goes loop-di-loop

Similar to This DoS goes loop-di-loop (20)

More from Allon Mureinik

More from Allon Mureinik (19)

Recently uploaded

Recently uploaded (20)

This DoS goes loop-di-loop