Static Analysis for Regular Expression Denial-of-Service Attacks

  • James Kirrage
  • Asiri Rathnayake
  • Hayo Thielecke
Conference paper

DOI: 10.1007/978-3-642-38631-2_11

Volume 7873 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Kirrage J., Rathnayake A., Thielecke H. (2013) Static Analysis for Regular Expression Denial-of-Service Attacks. In: Lopez J., Huang X., Sandhu R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg

Abstract

Regular expressions are a concise yet expressive language for expressing patterns. For instance, in networked software, they are used for input validation and intrusion detection. Yet some widely deployed regular expression matchers based on backtracking are themselves vulnerable to denial-of-service attacks, since their runtime can be exponential for certain input strings. This paper presents a static analysis for detecting such vulnerable regular expressions. The running time of the analysis compares favourably with tools based on fuzzing, that is, randomly generating inputs and measuring how long matching them takes. Unlike fuzzers, the analysis pinpoints the source of the vulnerability and generates possible malicious inputs for programmers to use in security testing. Moreover, the analysis has a firm theoretical foundation in abstract machines. Testing the analysis on two large repositories of regular expressions shows that the analysis is able to find significant numbers of vulnerable regular expressions in a matter of seconds.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • James Kirrage
    • 1
  • Asiri Rathnayake
    • 1
  • Hayo Thielecke
    • 1
  1. 1.University of BirminghamUK