Static Detection of DoS Vulnerabilities in Programs that Use Regular Expressions

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10206)


In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by providing a carefully-crafted input string that triggers worst-case behavior of the matching algorithm. This paper proposes a technique for automatically finding ReDoS vulnerabilities in programs. Specifically, our approach automatically identifies vulnerable regular expressions in the program and determines whether an “evil” input string can be matched against a vulnerable regular expression. We have implemented our proposed approach in a tool called Rexploiter and found 41 exploitable security vulnerabilities in Java web applications.


Regular Expression Input String Abstract Domain Security Vulnerability Attack Pattern 



This work is supported by AFRL Award FA8750-15-2-0096.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Traon, Y.L., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: PLDI, pp. 259–269. ACM (2014)Google Scholar
  7. 7.
    Ball, T., Podelski, A., Rajamani, S.K.: Boolean and cartesian abstraction for model checking C programs. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 268–283. Springer, Heidelberg (2001). doi: 10.1007/3-540-45319-9_19 CrossRefGoogle Scholar
  8. 8.
    Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with VEX. Commun. ACM 54(9), 91–99 (2011)CrossRefGoogle Scholar
  9. 9.
    Berglund, M., Drewes, F., van der Merwe, B.: Analyzing catastrophic backtracking behavior in practical regular expression matching. In: AFL. EPTCS, vol. 151, pp. 109–123 (2014)Google Scholar
  10. 10.
    Chang, R.M., Jiang, G., Ivancic, F., Sankaranarayanan, S., Shmatikov, V.: Inputs of coma: static detection of denial-of-service vulnerabilities. In: CSF, pp. 186–199. IEEE Computer Society (2009)Google Scholar
  11. 11.
    Chaudhuri, A., Foster, J.S.: Symbolic security analysis of ruby-on-rails web applications. In: CCS, pp. 585–594. ACM (2010)Google Scholar
  12. 12.
    Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise analysis of string expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003). doi: 10.1007/3-540-44898-5_1 CrossRefGoogle Scholar
  13. 13.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252. ACM (1977)Google Scholar
  14. 14.
    Crosby, S.A., Wallach, D.S.: Denial of service via algorithmic complexity attacks. In: USENIX Security Symposium. USENIX Association (2003)Google Scholar
  15. 15.
    Dahse, J., Holz, T.: Static detection of second-order vulnerabilities in web applications. In: USENIX Security Symposium, pp. 989–1003. USENIX Association (2014)Google Scholar
  16. 16.
    Huang, H., Zhu, S., Chen, K., Liu, P.: From system services freezing to system server shutdown in Android: all you need is a loop in an app. In: CCS, pp. 1236–1247. ACM (2015)Google Scholar
  17. 17.
    Kiezun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. In: ICSE, pp. 199–209. IEEE (2009)Google Scholar
  18. 18.
    Kirrage, J., Rathnayake, A., Thielecke, H.: Static analysis for regular expression denial-of-service attacks. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 135–148. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38631-2_11 CrossRefGoogle Scholar
  19. 19.
    Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: USENIX Security Symposium. USENIX Association (2005)Google Scholar
  20. 20.
    Martin, M.C., Livshits, V.B., Lam, M.S.: Finding application errors and security flaws using PQL: a program query language. In: OOPSLA, pp. 365–383. ACM (2005)Google Scholar
  21. 21.
    Olivo, O., Dillig, I., Lin, C.: Detecting and exploiting second order denial-of-service vulnerabilities in web applications. In: CCS, pp. 616–628. ACM (2015)Google Scholar
  22. 22.
    Rathnayake, A., Thielecke, H.: Static analysis for regular expression exponential runtime via substructural logics. CoRR abs/1405.7058 (2014)Google Scholar
  23. 23.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: POPL, pp. 372–382. ACM (2006)Google Scholar
  24. 24.
    Sugiyama, S., Minamide, Y.: Checking time linearity of regular expression matching based on backtracking. IPSJ Online Trans. 7, 82–92 (2014)CrossRefGoogle Scholar
  25. 25.
    Thompson, K.: Programming techniques: regular expression search algorithm. Commun. ACM 11(6), 419–422 (1968)CrossRefMATHGoogle Scholar
  26. 26.
    Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: effective taint analysis of web applications. In: PLDI, pp. 87–97. ACM (2009)Google Scholar
  27. 27.
    Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: PLDI, pp. 32–41. ACM (2007)Google Scholar
  28. 28.
    Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: ICSE, pp. 171–180. ACM (2008)Google Scholar
  29. 29.
    Wassermann, G., Yu, D., Chander, A., Dhurjati, D., Inamura, H., Su, Z.: Dynamic test input generation for web applications. In: ISSTA, pp. 249–260. ACM (2008)Google Scholar
  30. 30.
    Weideman, N., Merwe, B., Berglund, M., Watson, B.: Analyzing matching time behavior of backtracking regular expression matchers by using ambiguity of NFA. In: Han, Y.-S., Salomaa, K. (eds.) CIAA 2016. LNCS, vol. 9705, pp. 322–334. Springer, Cham (2016). doi: 10.1007/978-3-319-40946-7_27 CrossRefGoogle Scholar
  31. 31.
    Wüstholz, V., Olivo, O., Heule, M.J.H., Dillig, I.: Static detection of DoS vulnerabilities in programs that use regular expressions (extended version). CoRR abs/1701.04045 (2017)Google Scholar
  32. 32.
    Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX Security Symposium. USENIX Association (2006)Google Scholar
  33. 33.
    Yu, F., Alkhalaf, M., Bultan, T.: Stranger: an automata-based string analysis tool for PHP. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 154–157. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-12002-2_13 CrossRefGoogle Scholar
  34. 34.
    Yu, F., Alkhalaf, M., Bultan, T., Ibarra, O.H.: Automata-based symbolic string analysis for vulnerability detection. FMSD 44(1), 44–70 (2014)MATHGoogle Scholar
  35. 35.
    Yu, F., Bultan, T., Hardekopf, B.: String abstractions for string verification. In: Groce, A., Musuvathi, M. (eds.) SPIN 2011. LNCS, vol. 6823, pp. 20–37. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22306-8_3 CrossRefGoogle Scholar

Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  1. 1.The University of Texas at AustinAustinUSA

Personalised recommendations