Static Analysis for Regular Expression Denial-of-Service Attacks

James Kirrage; Asiri Rathnayake Mudiyanselage; Hayo Thielecke

doi:10.1007/978-3-642-38631-2_11

Static Analysis for Regular Expression Denial-of-Service Attacks

James Kirrage, Asiri Rathnayake Mudiyanselage, Hayo Thielecke

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Chapter

15 Citations (Scopus)

Abstract

Regular expressions are a concise yet expressive language for expressing patterns. For instance, in networked software, they are used for input validation and intrusion detection. Yet some widely deployed regular expression matchers based on backtracking are themselves vulnerable to denial-of-service attacks, since their runtime can be exponential for certain input strings. This paper presents a static analysis for detecting such vulnerable regular expressions. The running time of the analysis compares favourably with tools based on fuzzing, that is, randomly generating inputs and measuring how long matching them takes. Unlike fuzzers, the analysis pinpoints the source of the vulnerability and generates possible malicious inputs for programmers to use in security testing. Moreover, the analysis has a firm theoretical foundation in abstract machines. Testing the analysis on two large repositories of regular expressions shows that the analysis is able to find significant numbers of vulnerable regular expressions in a matter of seconds.

Original language	English
Title of host publication	Network and System Security
Subtitle of host publication	7th International Conference, NSS 2013, Madrid, Spain, June 3-4, 2013, Proceedings
Editors	Javier Lopez, Xinyi Huang, Ravi Sandhu
Publisher	Springer
Pages	135-148
ISBN (Electronic)	978-3-642-38631-2
ISBN (Print)	978-3-642-38630-5
DOIs	https://doi.org/10.1007/978-3-642-38631-2_11
Publication status	Published - 1 Jun 2013

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	7873
ISSN (Print)	0302-9743

Access to Document

10.1007/978-3-642-38631-2_11

Cite this

Kirrage, J., Rathnayake Mudiyanselage, A., & Thielecke, H. (2013). Static Analysis for Regular Expression Denial-of-Service Attacks. In J. Lopez, X. Huang, & R. Sandhu (Eds.), Network and System Security: 7th International Conference, NSS 2013, Madrid, Spain, June 3-4, 2013, Proceedings (pp. 135-148). (Lecture Notes in Computer Science; Vol. 7873). Springer. https://doi.org/10.1007/978-3-642-38631-2_11

@inbook{0cc69f4c0e684cfdb2a6c1e752c83514,

title = "Static Analysis for Regular Expression Denial-of-Service Attacks",

abstract = "Regular expressions are a concise yet expressive language for expressing patterns. For instance, in networked software, they are used for input validation and intrusion detection. Yet some widely deployed regular expression matchers based on backtracking are themselves vulnerable to denial-of-service attacks, since their runtime can be exponential for certain input strings. This paper presents a static analysis for detecting such vulnerable regular expressions. The running time of the analysis compares favourably with tools based on fuzzing, that is, randomly generating inputs and measuring how long matching them takes. Unlike fuzzers, the analysis pinpoints the source of the vulnerability and generates possible malicious inputs for programmers to use in security testing. Moreover, the analysis has a firm theoretical foundation in abstract machines. Testing the analysis on two large repositories of regular expressions shows that the analysis is able to find significant numbers of vulnerable regular expressions in a matter of seconds.",

author = "James Kirrage and {Rathnayake Mudiyanselage}, Asiri and Hayo Thielecke",

year = "2013",

month = jun,

day = "1",

doi = "10.1007/978-3-642-38631-2_11",

language = "English",

isbn = "978-3-642-38630-5",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "135--148",

editor = "Lopez, {Javier } and Xinyi Huang and Ravi Sandhu",

booktitle = "Network and System Security",

}

Kirrage, J, Rathnayake Mudiyanselage, A & Thielecke, H 2013, Static Analysis for Regular Expression Denial-of-Service Attacks. in J Lopez, X Huang & R Sandhu (eds), Network and System Security: 7th International Conference, NSS 2013, Madrid, Spain, June 3-4, 2013, Proceedings. Lecture Notes in Computer Science, vol. 7873, Springer, pp. 135-148. https://doi.org/10.1007/978-3-642-38631-2_11

Static Analysis for Regular Expression Denial-of-Service Attacks. / Kirrage, James; Rathnayake Mudiyanselage, Asiri; Thielecke, Hayo.
Network and System Security: 7th International Conference, NSS 2013, Madrid, Spain, June 3-4, 2013, Proceedings. ed. / Javier Lopez; Xinyi Huang; Ravi Sandhu. Springer, 2013. p. 135-148 (Lecture Notes in Computer Science; Vol. 7873).

Research output: Chapter in Book/Report/Conference proceeding › Chapter

TY - CHAP

T1 - Static Analysis for Regular Expression Denial-of-Service Attacks

AU - Kirrage, James

AU - Rathnayake Mudiyanselage, Asiri

AU - Thielecke, Hayo

PY - 2013/6/1

Y1 - 2013/6/1

N2 - Regular expressions are a concise yet expressive language for expressing patterns. For instance, in networked software, they are used for input validation and intrusion detection. Yet some widely deployed regular expression matchers based on backtracking are themselves vulnerable to denial-of-service attacks, since their runtime can be exponential for certain input strings. This paper presents a static analysis for detecting such vulnerable regular expressions. The running time of the analysis compares favourably with tools based on fuzzing, that is, randomly generating inputs and measuring how long matching them takes. Unlike fuzzers, the analysis pinpoints the source of the vulnerability and generates possible malicious inputs for programmers to use in security testing. Moreover, the analysis has a firm theoretical foundation in abstract machines. Testing the analysis on two large repositories of regular expressions shows that the analysis is able to find significant numbers of vulnerable regular expressions in a matter of seconds.

AB - Regular expressions are a concise yet expressive language for expressing patterns. For instance, in networked software, they are used for input validation and intrusion detection. Yet some widely deployed regular expression matchers based on backtracking are themselves vulnerable to denial-of-service attacks, since their runtime can be exponential for certain input strings. This paper presents a static analysis for detecting such vulnerable regular expressions. The running time of the analysis compares favourably with tools based on fuzzing, that is, randomly generating inputs and measuring how long matching them takes. Unlike fuzzers, the analysis pinpoints the source of the vulnerability and generates possible malicious inputs for programmers to use in security testing. Moreover, the analysis has a firm theoretical foundation in abstract machines. Testing the analysis on two large repositories of regular expressions shows that the analysis is able to find significant numbers of vulnerable regular expressions in a matter of seconds.

U2 - 10.1007/978-3-642-38631-2_11

DO - 10.1007/978-3-642-38631-2_11

M3 - Chapter

SN - 978-3-642-38630-5

T3 - Lecture Notes in Computer Science

SP - 135

EP - 148

BT - Network and System Security

A2 - Lopez, Javier

A2 - Huang, Xinyi

A2 - Sandhu, Ravi

PB - Springer

ER -

Static Analysis for Regular Expression Denial-of-Service Attacks

Abstract

Publication series

Access to Document

Fingerprint

Cite this