An algorithmic complexity attack is a denial of service attack that triggers worst case behaviour in code that is otherwise expected to perform well. The canonical example would be the widely published attacks against hash table implementations, where carefully crafted inputs made snappy O(1) operations deteriorate into O(n) time sinks. Several major programming language implementations and web frameworks were vulnerable.
Quicksort is also commonly mentioned in this context. Its expected O(nlogn) and worst case O(n2) makes it a prime candidate. When we previously looked at libc qsort() implementations it became clear that while many different algorithms are in use, quicksort is by far the most common choice. This is so for good reasons. In addition to the average-case complexity, quicksort is cache friendly and optimizes well.
In this post we’ll have a look at how to trigger worst case performance in a couple of libc qsort() implementations.
more here..........http://calmerthanyouare.org/2014/06/11/algorithmic-complexity-attacks-and-libc-qsort.html
Quicksort is also commonly mentioned in this context. Its expected O(nlogn) and worst case O(n2) makes it a prime candidate. When we previously looked at libc qsort() implementations it became clear that while many different algorithms are in use, quicksort is by far the most common choice. This is so for good reasons. In addition to the average-case complexity, quicksort is cache friendly and optimizes well.
In this post we’ll have a look at how to trigger worst case performance in a couple of libc qsort() implementations.
more here..........http://calmerthanyouare.org/2014/06/11/algorithmic-complexity-attacks-and-libc-qsort.html