Static Detection of DoS Vulnerabilities in Programs that use Regular Expressions (Extended Version)

In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by p...

Full description

Saved in:
Bibliographic Details
Published inarXiv.org
Main Authors Wüstholz, Valentin, Olivo, Oswaldo, Heule, Marijn J H, Dillig, Isil
Format Paper
LanguageEnglish
Published Ithaca Cornell University Library, arXiv.org 15.01.2017
Subjects
Algorithms
Applications programs
Complexity
Cybersecurity
Software reviews
String matching
Text editing
Vulnerability
Online AccessGet full text

Cover

More Information
Summary:In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by providing a carefully-crafted input string that triggers worst-case behavior of the matching algorithm. This paper proposes a technique for automatically finding ReDoS vulnerabilities in programs. Specifically, our approach automatically identifies vulnerable regular expressions in the program and determines whether an "evil" input string can be matched against a vulnerable regular expression. We have implemented our proposed approach in a tool called REXPLOITER and found 41 exploitable security vulnerabilities in Java web applications.
ISSN:2331-8422