Using Selective Memoization to Defeat Regular Expression Denial of Service (ReDoS)

Davis, James N.; Servant, Francisco; Lee, Dong-Yoon

doi:10.1109/sp40001.2021.00032

Cited by 15 publications

(14 citation statements)

References 60 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Complementary to our efforts here, prior work identifies the presence of ReDoS vulnerabilities in thousands of JavaScript and Python modules (Davis et al 2018;Staicu and Pradel 2018;Davis et al 2021). While the prior work (Davis et al 2018) took a deep dive into a particular type of vulnerability, this work looks more broadly at issues resulting from regular expressions (including ReDoS issues, which were also present in two PRs in our dataset, Section 4.1.3).…”

Section: Related Workmentioning

confidence: 91%

Demystifying regular expression bugs

Wang¹,

Brown

Jennings

et al. 2021

Empir Software Eng

View full text Add to dashboard Cite

Regular expressions cause string-related bugs and open security vulnerabilities for DOS attacks. However, beyond ReDoS (Regular expression Denial of Service), little is known about the extent to which regular expression issues affect software development and how these issues are addressed in practice. We conduct an empirical study of 356 regex-related bugs from merged pull requests in Apache, Mozilla, Facebook, and Google GitHub repositories. We identify and classify the nature of the regular expression problems, the fixes, and the related changes in the test code. The most important findings in this paper are as follows: 1) incorrect regular expression semantics is the dominant root cause of regular expression bugs (165/356, 46.3%). The remaining root causes are incorrect API usage (9.3%) and other code issues that require regular expression changes in the fix (29.5%), 2) fixing regular expression bugs is nontrivial as it takes more time and more lines of code to fix them compared to the general pull requests, 3) most (51%) of the regex-related pull requests do not contain test code changes. Certain regex bug types (e.g., compile error, performance issues, regex representation) are less likely to include test code changes than others, and 4) the dominant type of test code changes in regex-related pull requests is test case addition (75%). The results of this study contribute to a broader understanding of the practical problems faced by developers when using, fixing, and testing regular expressions. Keywords Regular expression bug characteristics• Pull requests • Bug fixes • Test code

show abstract

Section: Related Workmentioning

confidence: 91%

Demystifying regular expression bugs

Wang¹,

Brown

Jennings

et al. 2021

Empir Software Eng

View full text Add to dashboard Cite

show abstract

“…Li et al [19] and Pan et al [23] put forward techniques for automatic regex repair based on examples. In [13] the authors introduce a matching algorithm that leverages selective memoization to mitigate ReDoS attacks while supporting advanced regex features. Sophisticated techniques based on GPU matching [20,34] and state-merging algorithms [6] have also been proposed to speedup the matching.…”

Section: Related Workmentioning

confidence: 99%

Sound Static Analysis of Regular Expressions for Vulnerabilities to Denial of Service Attacks

Parolini

Miné

2022

Theoretical Aspects of Software Engineering

View full text Add to dashboard Cite

Modern programming languages often provide functions to manipulate regular expressions in standard libraries. If they offer support for advanced features, the matching algorithm has an exponential worstcase time complexity: for some so-called vulnerable regular expressions, an attacker can craft ad hoc strings to force the matcher to exhibit an exponential behaviour and perform a Regular Expression Denial of Service (ReDoS) attack. In this paper, we introduce a framework based on a tree semantics to statically identify ReDoS vulnerabilities. In particular, we put forward an algorithm to extract an overapproximation of the set of words that are dangerous for a regular expression, effectively catching all possible attacks. We have implemented the analysis in a tool called rat, and testing it on a dataset of 74,670 regular expressions, we observed that in 99.47% of the instances the analysis terminates in less than one second. We compared rat to four other ReDoS detectors, and we found that our tool is faster, often by orders of magnitude, than most other tools. While raising a low number of false positives, rat is the only ReDoS detector that does not report false negatives.

show abstract

“…There is an increasing interest in studying the security of Node.js, both in academia and in industry. Most prior work has concentrated on so-called soft-ware supply chain security, i.e., studying security problems that are prevalent in libraries: injections [22,32,44], hidden property abuse [49], prototype pollution [31,32], malicious packages [19,50], running untrusted code [10,47,48], Re-DoS [17,18,33,43], code debloating [28]. There is also initial evidence that these problems in libraries affect websites in production [31,43].…”

Section: Nodejs Ecosystem Securitymentioning

confidence: 99%

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Shcherbakov¹,

Balliu²,

Staicu³

2022

Preprint

View full text Add to dashboard Cite

Prototype pollution is a dangerous vulnerability affecting prototype-based languages like JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties into an object's root prototype at runtime and subsequently trigger the execution of legitimate code gadgets that access these properties on the object's prototype, leading to attacks such as DoS, privilege escalation, and remote code execution (RCE). While there is anecdotal evidence that prototype pollution leads to RCE, current research does not tackle the challenge of gadget detection, thus only showing feasibility of DoS attacks against Node.js libraries.In this paper, we set out to study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub's static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit RCE in two high-profile applications. Our results provide alarming evidence that prototype pollution in combination with powerful universal gadgets lead to RCE in Node.js.

show abstract

Using Selective Memoization to Defeat Regular Expression Denial of Service (ReDoS)

Cited by 15 publications

References 60 publications

Demystifying regular expression bugs

Demystifying regular expression bugs

Sound Static Analysis of Regular Expressions for Vulnerabilities to Denial of Service Attacks

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Contact Info

Product

Resources

About