J-Viz: Finding algorithmic complexity attacks via graph visualization of Java bytecode

Abstract

We describe a security visualization tool for finding algorithmic complexity attacks in Java bytecode. Our tool, which we call J-Viz, visualizes connected directed graphs derived from Java bytecode according to a canonical node ordering, which we call the sibling-first recursive (SFR) numbering. The particular graphs we consider are derived from applying Shiver's k-CFA framework to Java bytecode, and our visualizer includes helpful links between the nodes of an input graph and the Java bytecode that produced it, as well as a decompiled version of that Java bytecode. We show through experiments involving test cases provided by DARPA that the canonical drawing paradigm used in J-Viz is effective for identifying potential security vulnerabilities for algorithmic complexity attacks.