Symbolic Regex Matcher

Saarikivi, Olli; Veanes, Margus; Wan, Tiki; Xu, H. Eric

doi:10.1007/978-3-030-17462-0_24

Cited by 12 publications

(5 citation statements)

References 7 publications

(11 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Should web service providers prioritize ReDoS mitigations? Several research communities have investigated the ReDoS problem, including from empirical software engineering [45][46][47], systems [41,49,85], cybersecurity [48,99], and theory [89,93,111,114]. This research investment has somewhat shaky motivation: Crosby's proposal of ReDoS [42], case studies of regex-induced service outages [57,65], and three empirical measurement studies [45,99,114].…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Exploiting input sanitization for regex denial of service

Barlas

Davis

2022

Proceedings of the 44th International Conference on Software Engineering

View full text Add to dashboard Cite

Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings -and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS.In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Assumption: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server-side. We identify a service's regex-based input sanitization in its HTML forms or its API, find vulnerable regexes among these regexes, craft ReDoS probes, and pinpoint vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS through their APIs (6 domains; 15 subdomains). Both Microsoft and Amazon Web Services patched their web services as a result of our disclosure. Since these vulnerabilities were from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library, and our patch has been merged. To summarize: in client-visible sanitization logic, some web services advertise Re-DoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions."Make measurable what cannot be measured. " -Galileo Galilei CCS CONCEPTS• Security and privacy → Denial-of-service attacks; Web application security; • General and reference → Empirical studies; Measurement; Validation.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Prior researchers have not studied whether attackers can identify ReDoS vulnerabilities in a black-box manner. If so, the engineering community should prioritize adopting ReDoS mitigations [48,93,104].…”

Section: Introductionmentioning

confidence: 99%

Exploiting input sanitization for regex denial of service

Barlas

Davis

2022

Proceedings of the 44th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…An implementation of a class of counter automata, proposed in [59], is based on queues for representing sets of counter values. A variety of software regex matchers, including RE2 [18,41], Rust's Regex [44], PCRE [37], SRM [45], and Hyperscan [65] support the matching of regexes with counting. These matchers are typically based on the execution of DFAs or NFAs.…”

Section: Related Workmentioning

confidence: 99%

Software-hardware codesign for efficient in-memory regular pattern matching

Kong

Chattopadhyay

et al. 2022

Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Regular pattern matching is used in numerous application domains, including text processing, bioinformatics, and network security. Patterns are typically expressed with an extended syntax of regular expressions. This syntax includes the computationally challenging construct of bounded repetition or counting, which describes the repetition of a pattern a fixed number of times. We develop a specialized in-memory hardware architecture that integrates counter and bit vector modules into a state-of-the-art in-memory NFA accelerator. The design is inspired by the theoretical model of nondeterministic counter automata (NCA). A key feature of our approach is that we statically analyze regular expressions to determine bounds on the amount of memory needed for the occurrences of bounded repetition. The results of this analysis are used by a regex-to-hardware compiler in order to make an appropriate selection of counter or bit vector modules. We evaluate our hardware implementation using a simulator based on circuit parameters collected by SPICE simulation in TSMC 28nm CMOS process. We find that the use of counter and bit vector modules outperforms unfolding

show abstract

“…Together with many optimizations, it is implemented in Intel's Hyperscan [15]. When combined with caching, it becomes the on-the-fly subset construction of a DFA, also called online DFA-simulation (implemented in RE2 from Google, GNU grep, SRM, or the standard matcher of Rust [16,17,18,19]). Without counting, the major factor in the worst-case complexity is O(nm 2 ), with n being the length of the text and m the size of the number of character occurrences in the regex (m is smaller than size of the regex, the length of string defining it).…”

Section: Introductionmentioning

confidence: 99%

Fast Matching of Regular Patterns with Synchronizing Counting (Technical Report)

Holík¹,

Síč²,

Turoňová³

et al. 2023

Preprint

View full text Add to dashboard Cite

Fast matching of regular expressions with bounded repetition, aka counting, such as (ab){50,100}, i.e., matching linear in the length of the text and independent of the repetition bounds, has been an open problem for at least two decades. We show that, for a wide class of regular expressions with counting, which we call synchronizing, fast matching is possible. We empirically show that the class covers nearly all counting used in usual applications of regex matching. This complexity result is based on an improvement and analysis of a recent matching algorithm that compiles regexes to deterministic counting-set automata (automata with registers that hold sets of numbers).

show abstract

Symbolic Regex Matcher

Cited by 12 publications

References 7 publications

Exploiting input sanitization for regex denial of service

Exploiting input sanitization for regex denial of service

Software-hardware codesign for efficient in-memory regular pattern matching

Fast Matching of Regular Patterns with Synchronizing Counting (Technical Report)

Contact Info

Product

Resources

About