Thursday, March 17, 2011

Nasty Bug Eats Up CPU Cycles

After a long break, I have found time to write a very short article about a recent Java vulnerability that has surfaced. The first thing that comes to my mind is the original article that compelled me to write a blog post in my own words. You can read the original one here. It was published in 'The Register' online magazine under the heading 'Mark-of-the-Beast' bug topples Java apps. Simply put, the latest version of the Java runtime (it will definitely be Java 1.6 along with an update number) causes the computer to hang when a programme encounters a numerical value with a large number of decimal places. Now it is time to see what it is all about and get your hands busy on the keyboard typing the simple code below. It might be unbelievable that this simple code fragment would cause 100% CPU utilization in the java.exe process. It will happen for sure.




I have tested this vulnerability on my machine. The system environment details are as follows. In a nutshell, it was susceptible even in a Linux environment. If you are an open-source Linux user (geeks fond of Linux), you can try it yourself and watch how this nasty bug eats up your CPU cycles until 100%.

Community people describe this kind of vulnerability as an application-level denial of service. In the previous example, the process which runs the JVM eats up all the CPU cycles; the JVM is an application-level process, not a low-level OS process. This was first exposed in the PHP language, after which it was found that it is also possible in Java. As far as updates go, Oracle won't give a perfect solution to the vulnerability. The risk is that most Java-enabled web sites are now vulnerable to this application-level denial of service. The size of the attack might be less than 1000 bytes, and the attacker won't be caught most of the time. Moreover, you won't be able to prevent the attack by any kind of ISP or firewall. I would quote the reasons for the vulnerability as explained by Bryan Sullivan:

"The problem with this particular range of values that causes the hang for Java is that there's a logic flaw in the Java code that performs the approximation. There's a loop in the code that tests different possibilities to try to get as close as possible to the correct value: a little higher value this iteration, then a little lower, and so on until the best approximation is made. But when this code tries to approximate values around 2.225073858507201E-208, it loops forever, never finding an acceptable approximation."
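As an added example (not from the article or from Bryan Sullivan's report), here is a time-boxed harness a defender can use to check whether a numeric parser actually returns on inputs around a suspicious value. It assumes the parser under test is a command that reads one number from stdin, takes the value quoted above as its starting point, and uses a constructed spinning parser in place of a vulnerable runtime so it runs offline.

```python
"""Time-boxed probe for a numeric parser that may never return on some inputs."""
import subprocess
import sys
from decimal import Decimal

# Value quoted in the article as the centre of the problematic range.
ARTICLE_VALUE = "2.225073858507201E-208"

# Hypothetical target: any command that reads one number from stdin and
# parses it. Here Python's own float() stands in as a parser that returns.
HEALTHY_PARSER = [sys.executable, "-c", "import sys; float(sys.stdin.read())"]

# Constructed stand-in for a vulnerable runtime: it spins forever on exactly
# one input, so the harness can be exercised without the real bug.
SPINNING_PARSER = [sys.executable, "-c",
                   "import sys\ns = sys.stdin.read()\n"
                   "while s == %r:\n    pass" % ARTICLE_VALUE]


def neighbours(value, spread=3):
    """Yield `value` and its nearest decimal strings (+/- `spread` units in
    the last place) so the parser is tested around a suspicious point."""
    d = Decimal(value)
    ulp = Decimal((0, (1,), d.as_tuple().exponent))  # one unit in the last place
    for k in range(-spread, spread + 1):
        yield str(d + k * ulp)


def probe(command, value, timeout=2.0, spread=3):
    """Feed each neighbour of `value` to `command` on stdin and return the
    inputs on which the process exceeded `timeout` seconds; subprocess.run
    kills the child once the deadline passes, so the probe itself cannot hang."""
    hung = []
    for text in neighbours(value, spread):
        try:
            subprocess.run(command, input=text.encode(),
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, timeout=timeout)
        except subprocess.TimeoutExpired:
            hung.append(text)
    return hung


if __name__ == "__main__":
    for name, cmd in (("healthy", HEALTHY_PARSER), ("spinning", SPINNING_PARSER)):
        print(name, "parser hung on:", probe(cmd, ARTICLE_VALUE))
```

Point the command list at the runtime you actually ship (for instance a small Java program that reads stdin and parses it) and a non-empty result is the regression signal; the harness only reports the hang, the fix is still the vendor update.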

I would murmur to myself: there were, are, and will be no silver bullets in the software industry. The ancient proverb comes to my mind: "A small leak can sink a great ship". The same thing applies here. The big boss JVM hangs forever because of its inability to handle numbers with many decimal places.

At the end, this week has been very bad for Planet Earth. I don't need to remind you of the catastrophe that occurred in Japan, causing millions in damage to the economy and to usual day-to-day work. And Red Nose Day in the UK shakes minds, reminding us that many people are dying because they lack proper protection from malaria. There might be roadblocks and difficulties on the way. However, everything in life is possible. Personally, I was thinking it is more important to write something which improves our thinking power and helps us get rid of the big failures in our lives. I hope you are all waiting for the next article, which I'm going to write as soon as I get time. Keep moving until the next tsunami wave wets your feet :P.



© Nuwan Arambage-"transcending verge of life"


