CompiledAutomaton.getCommonSuffix can be extraordinarily slow, even with default maxDeterminizedStates limit [LUCENE-9981]

[asfimport]

We have a maxDeterminizedStates = 10000 limit designed to keep regexp-type queries from blowing up.

But we have an adversary that will run for 268s on my laptop before hitting exception, first reported here: opensearch-project/OpenSearch#687

When I run the test and jstack the threads, this what I see:

"TEST-TestOpensearch687.testInteresting-seed#[4B9C20A027A9850C]" `#15` prio=5 os_prio=0 cpu=56960.04ms elapsed=57.49s tid=0x00007fff7006ca80 nid=0x231c8 runnable  [0x00007fff8b7f0000]
   java.lang.Thread.State: RUNNABLE
	at org.apache.lucene.util.automaton.SortedIntSet.decr(SortedIntSet.java:106)
	at org.apache.lucene.util.automaton.Operations.determinize(Operations.java:769)
	at org.apache.lucene.util.automaton.Operations.getCommonSuffixBytesRef(Operations.java:1155)
	at org.apache.lucene.util.automaton.CompiledAutomaton.<init>(CompiledAutomaton.java:247)
	at org.apache.lucene.search.AutomatonQuery.<init>(AutomatonQuery.java:104)
	at org.apache.lucene.search.AutomatonQuery.<init>(AutomatonQuery.java:82)
	at org.apache.lucene.search.RegexpQuery.<init>(RegexpQuery.java:138)
	at org.apache.lucene.search.RegexpQuery.<init>(RegexpQuery.java:114)
	at org.apache.lucene.search.RegexpQuery.<init>(RegexpQuery.java:72)
	at org.apache.lucene.search.RegexpQuery.<init>(RegexpQuery.java:62)
	at org.apache.lucene.TestOpensearch687.testInteresting(TestOpensearch687.java:42)

This is really sad, as getCommonSuffixBytesRef() is only supposed to be an "up-front" optimization to make the actual subsequent terms-intensive part of the query faster. But it makes the whole query run for nearly 5 minutes before it does anything.

So I definitely think we should improve getCommonSuffixBytesRef to be more "best-effort". For example, it can reduce the lower bound to 1000 and catch the exception like such:

try {
   // this is slow, and just an opto anyway, so don't burn cycles on it for some crazy worst-case.
   // if we don't set this common suffix, the query will just run a bit slower, that's all.
   int limit = Math.min(1000, maxDeterminizedStates);
   BytesRef suffix = Operations.getCommonSuffixBytesRef(binary, limit);
   ... (setting commonSuffixRef)
} catch (TooComplexTooDeterminizeException notWorthIt) {
  commonSuffixRef = null;
}

Another, maybe simpler option, is to just check that input state/transitions accounts don't exceed some low limit N.

Basically this opto is geared at stuff like leading wildcard query of "*foo". By computing that the common suffix is "foo" we can spend less CPU in the terms dictionary because we can first do a memcmp before having to run data thru any finite state machine. It's really a microopt and we shouldn't be spending whole seconds of cpu on it, ever.

But I still don't quite understand how the current limits are giving the behavior today, maybe there is a bigger issue and I don't want to shove something under the rug.

---

Migrated from LUCENE-9981 by Robert Muir (@rmuir), 1 vote, resolved Jun 22 2021
Attachments: LUCENE-9981_nfaprefix.patch, LUCENE-9981_test.patch, LUCENE-9981.patch (versions: 5), three-repeats.png, three-repeats-reverse-det.png

[asfimport]

Robert Muir (@rmuir) (migrated from JIRA)

Before we det(reverse()) this automaton to compute the common suffix for the optimization, note that it has:

• 52000 states
• 84000 transitions

I think we should just not even bother to do this optimization if the automaton is "big" (say more than 1,000 states or more than 1,000 transitions).

Something like this is a 1-line change:

--- a/lucene/core/src/java/org/apache/lucene/util/automaton/CompiledAutomaton.java
+++ b/lucene/core/src/java/org/apache/lucene/util/automaton/CompiledAutomaton.java
`@@` -237,7 +237,7 `@@` public class CompiledAutomaton implements Accountable {
       binary = new UTF32ToUTF8().convert(automaton);
     }

-    if (this.finite) {
+    if (this.finite || binary.getNumStates() > 1000 || binary.getNumTransitions() > 1000) {
       commonSuffixRef = null;
     } else {
       // NOTE: this is a very costly operation!  We should test if it's really warranted in

This means the test passes in 5 seconds instead of failing with exception after 268 seconds. I think its a good general fix for this specific method.

But still, I think there might be more interesting problems here: 5 seconds still sucks, especially on a 0-document index. And you can be sure I don't want to add a unit test taking 5 seconds of cpu time :)

[asfimport]

Ori D (migrated from JIRA)

Hi @rmuir,

Thanks for handling this 👍

Just wanted to add that I could not agree with you more on the fact that 5 seconds is still too high.

From security perspective, even 5 seconds of loading the CPU can be considered as very high and can easily cause a DOS for any server if executed multiple times concurrently. 

I think that we should aim to no more than few hundred of milliseconds. Whatever we cannot achieve in 200-500 ms is probably not a good optimization anyhow.

Not sure if the solution means just decrease the default limit from 1000 to 100 in your patch, or maybe add additional code that limits the whole calculation by (configurable) time.

 

Cheers,

Ori.

 

[asfimport]

Robert Muir (@rmuir) (migrated from JIRA)

Hi Ori D. This issue isn't a security issue. I won't add any timeout.

The security issue is instead projects such as solr and elasticsearch that allow unauthenticated requests by default. They should require auth, then nobody can make unauthenticated requests that consume lots of cpu. There are other ways to create slow seaches too. I would open issues with those respective projects and ask them to fix it, so that attackers can't make unauthenticated requests out of box. That will address your security issue.

[asfimport]

Ori D (migrated from JIRA)

@rmuir,

I'm not saying a timeout must be added as a solution, I'm only suggesting that the final solution would not lead to an execution time of more than few hundreds of ms.

The fact a user is authenticated doesn't necessarily protect you from DOS attacks. It indeed reduces the chance, but does not completely eliminate the risk.

For example, in our application an arbitrary user can download a trial. The user is registered and authenticated, but can still perform legal applicative operations that might lead to a long Elasticsearch/Lucene regexp processing on our server.

Even an enterprise user can make non-intentional mistake and write a bad script that calls many APIs on our server, and load it so much in a way the server will not be available for other customers/tenants.

The point is that it will be much harder to load the server with 200 ms operation than with 5 seconds one.

With 200ms, an application usually have other protective mechanisms to cope with DOS attacks, since it is still considered a valid REST api time.

 

 

[asfimport]

Robert Muir (@rmuir) (migrated from JIRA)

Nope, but exposing very slow queries (via DSL) to unauthenticated users is literally begging for trouble.

require auth so that only the things that should speak to your search server can (such as your web front end). And don't expose crazy queries like wildcards and regexes if you care about performance: you can use something like lucene's SimpleQueryParser which has only a few features and allows you to toggle stuff like that off.

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

What a delightful RegExp! To be able to actually visualize it, I reduced the repeat count to three:

(.*a){3} 

 

Resulting in this fun automaton (determinized, and converted to operate in UTF-8 byte space):

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

Here's the same automaton, reversed and determinized – it has even fewer states after that!

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

One curious observation is that, somehow, parsing the reversed string takes quite a bit fewer states than parsing the forward string.  Maybe UTF-8 is simpler to parse in reverse!?  Hmm, or, maybe I need to minimize both automata before jumping to this conclusion – because det(rev(det(a))) is very similar (same as?) to minimizing.

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

I think we should do two separate things here:

• Implement a more efficient getCommonSuffixBytesRef that directly enumerates transitions, backwards, from the final states, and does not require that the automaton looks deterministic when viewed backwards.  We could then also enhance getCommonPrefixBytesRef to operate the same way (and not require determinization), but that's an enhancement that can come later :)

• Find a better way to limit "determinize"'s efforts than the number of determinized states!  Clearly this is an example adversarial RegExp that is able to burn tons of CPU effort doing the powerset construction in determinize yet produces a small (number of states) final automaton.  I think the problem in this case is that each powerset has a larger and larger number of states in it, causing determinize to have O(N^2) cost for this RegExp ((.*a){N}).  The number of determinized states does not explode, so we don't trip the 10000 (default) limit, but we do tons of O(N^2) work tracking these powerset states.  Maybe we can change the limit to be the sum of the sizes of all powersets considered so far?

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

Also, I opened this fun spinoff issue: #11022.  That should be a big speedup when we need to determinize these sorts of adversarial-ish regexps.

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

Here is a starter patch for the 2nd fix.

It is not committable yet ... just a start, but it seems to work, and aborts this adversarial query (@rmuir's new test case) after ~120 msec (timing in the unit tests, might be faster w/o assertions) on my Ryzen Threadripper 3990X box.

It tracks a new effortSpent long value while determinizing, summing up the net size of all the powersets determinize is iterating through.  It is hacky now, allowing for an average subset size multiplier of 10 times the incoming maxDeterminizedStates.  This change does successfully block the new test case, and passes all existing tests, but I don't like how it throws a misleading exception message, i.e. it is not clear to the caller how they could increase the maxDeterminizedStates threshold (what value to use) to succeed.

We could maybe keep the existing API signature, but change the meaning of this int parameter to be something like maxEffort and fix the exception message accordingly?  Or, we could add another int parameter and keep the existing check, but that is a big API change and rather confusing to have two parameters related to giving up on too-hard cases?

[asfimport]

Robert Muir (@rmuir) (migrated from JIRA)

I attached LUCENE-9981_nfa_prefix.patch, which uses an NFA algorithm to compute getCommonPrefix().

Hence we no longer need to determinize() after reverse() to get the common suffix. There might be other unnecessary det's too, have not looked!

Some queryparser tests fail, but its simply because they no longer hit TooComplexToDeterminizeException anymore, because we aren't determinizing here anymore :) So these tests need to be disabled or fixed? But I think the logic is correct. @mikemccand can you look?

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

[~mikemccand] can you look?

Awesome, looking now!

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

Patch looks great – I'll make some small fixes, merge with my change, and upload another iteration!

[asfimport]

Michael McCandless (@mikemccand) (migrated from JIRA)

Initial patch merging @rmuir and my fixes.

I made some small fixes to @rmuir's patch, tweaking javadocs, and changing one if to assert.

And then I changed the int maxDeterminizedStates to long workLimit in Operations.determinize.  Then I changed all places that used to pass the limit of state count for the determinized automaton, to a more opaque "work limit".  This is an API break (int -> long, and state count -> "effort"), so I don't think we can straight backport this to 8.x.