Insecure Context Switching: Inoculating Regular Expressions for Survivability

For most computer end–users, web browsers and Internet services act as the providers and protectors of their personal information, from bank accounts to personal correspondence. These systems are critical to users’ continued lifestyles but often show no evidence of survivability [43], or robustness against present and future attacks. Software defects, considered the largest risk to survivability [43], are quite prevalent in consumer products and Web service software components [9]. Recent widespread security issues [17] [16] serve to emphasize this fact and show a lack investment in survivability engineering practices [19] [20] [49] [52] that may have mitigated the risk. Common software components that comprise industry software, commercial or free, were authored and deployed with functional isolation in mind. Despite original intent, many of these components are migrating in to Internet–connected systems. The context switch from functional isolation to extreme connectivity changes the threat environment of these components dramatically [7] [52]. Most software that has undergone this sort of insecure context switch has received very little security attention. This paper briefly surveys recent examples of these sorts of context switches. In particular, we focus on the survivability and inoculation [29] of regular expression engine implementations in connected environments. Through the course of this research, a number of critical vulnerabilities were uncovered that traverse operating systems and applications including Adobe Flash, Apple Safari, Perl, GnuPG, and ICU.