2017
DOI: 10.1007/978-3-662-54580-5_1
Static Detection of DoS Vulnerabilities in Programs that Use Regular Expressions

Abstract: In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by providing a carefully-crafted input string that triggers worst-case behavior of the matching algorithm. This paper proposes a technique for automatically finding ReDoS vulnerabilities in programs. Specifically, our a…

Cited by 39 publications (34 citation statements); references 31 publications.
“…Prior work for detecting AC vulnerabilities in Java programs includes static analysis on popular libraries [32], [38], [62], object-graph engineering on Java's serialization facilities [21], and exploiting worst-case runtime of algorithms found in commercial grade networking equipment [20]. On the Android platform, Huang et al. [29] use a combination of static and dynamic analysis to detect AC vulnerabilities within Android's System Server.…”
Section: A. AC Vulnerability Analysis
“…In fact, prior research has started to explore program analysis techniques for finding AC vulnerabilities in software. Most of this work is based on manual or static analysis that scales to real world code bases, but focuses on detecting known sources of AC vulnerabilities, such as triggering worst case performance of commonly used data structures [19], regular expression engines [32], [57], [62], or serialization APIs [21]. Fuzz testing, where a fuzzer feeds random input to a program under test until the program either crashes or times out, has historically revealed serious bugs that permit Remote Code-Execution (RCE) exploits in widely used software such as operating system kernels, mobile devices, and web browsers.…”
Section: Introduction
“…In order to answer our remaining research questions we needed a polyglot regex corpus: a set of regexes extracted from a large sample of software projects written in many programming languages. The existing regex corpuses are small-scale [20,107] or include only two programming languages [26]. Our corpus is neither, covering about 200,000 projects in 8 programming languages; see Table 1.…”
Section: Polyglot Regex Corpus
“…The increasing use of regular expressions has led many researchers to consider them as the domain of their work. Wüstholz V [2] proposed a tool called "Exploiter" to secure applications that use regular expressions. Cochran RA [3] offered a tool called "CROWDBOOST" to help developers find the most appropriate regular expression.…”
Section: Introduction
“…Spishak E proposed an annotation-based API to help the developer find the errors of regular expressions during the compilation phase of a program [10]. Other works aimed at helping the developer to simplify, validate or automatically generate regular expressions [2][3][4]. All features built into our Regex Criteria API will be illustrated by examples implemented using the Java language syntax.…”
Section: Introduction