How to Settle the ReDoS Problem: Back to the Classical Automata Theory

Sicheol Sung; Hyunjoon Cheon; Yo Sub Han

doi:10.1007/978-3-031-07469-1_3

How to Settle the ReDoS Problem: Back to the Classical Automata Theory

Sicheol Sung, Hyunjoon Cheon, Yo Sub Han

College of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Most regular-expression matching engines in practice are based on the Thompson construction and the Spencer matching algorithm. While these engines work fast and efficiently, a serious problem, the regular expression denial-of-service (ReDoS), has been reported recently. ReDoS is an algorithm complexity attack, which exploits the backtracking feature of the engine, and makes the service unresponsive indefinitely. Researchers suggested a few remedies to cope with the ReDoS problem, yet they are often ad-hoc or undesirable in practice. We instead propose a hybrid matching scheme that selects between the Thompson and the Spencer matching algorithms depending on the needed features. We also suggest to use the position construction for its intrinsic characteristics for fast matching. We evaluate the proposed approach using a benchmark dataset collected from various open-source projects, and compare the performance with the current approach. The experimental results show that a hybrid matcher reduces the ReDoS-vulnerability by 96% and 99.98% in full and partial matching, respectively. Moreover, 55% of the most problematic regular expressions become invulnerable to ReDoS by the position construction.

Original language	English
Title of host publication	Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings
Editors	Pascal Caron, Ludovic Mignot
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	34-49
Number of pages	16
ISBN (Print)	9783031074684
DOIs	https://doi.org/10.1007/978-3-031-07469-1_3
Publication status	Published - 2022
Event	26th International Conference on Implementation and Application of Automata, CIAA 2022 - Rouen, France Duration: 2022 Jun 28 → 2022 Jul 1

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13266 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	26th International Conference on Implementation and Application of Automata, CIAA 2022
Country/Territory	France
City	Rouen
Period	22/6/28 → 22/7/1

Bibliographical note

Publisher Copyright:
© 2022, Springer Nature Switzerland AG.

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-07469-1_3

Cite this

Sung, S., Cheon, H., & Han, Y. S. (2022). How to Settle the ReDoS Problem: Back to the Classical Automata Theory. In P. Caron, & L. Mignot (Eds.), Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings (pp. 34-49). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13266 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-07469-1_3

Sung, Sicheol ; Cheon, Hyunjoon ; Han, Yo Sub. / How to Settle the ReDoS Problem : Back to the Classical Automata Theory. Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings. editor / Pascal Caron ; Ludovic Mignot. Springer Science and Business Media Deutschland GmbH, 2022. pp. 34-49 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{4cf6e8d9255046ec88ffe19db34db142,

title = "How to Settle the ReDoS Problem: Back to the Classical Automata Theory",

abstract = "Most regular-expression matching engines in practice are based on the Thompson construction and the Spencer matching algorithm. While these engines work fast and efficiently, a serious problem, the regular expression denial-of-service (ReDoS), has been reported recently. ReDoS is an algorithm complexity attack, which exploits the backtracking feature of the engine, and makes the service unresponsive indefinitely. Researchers suggested a few remedies to cope with the ReDoS problem, yet they are often ad-hoc or undesirable in practice. We instead propose a hybrid matching scheme that selects between the Thompson and the Spencer matching algorithms depending on the needed features. We also suggest to use the position construction for its intrinsic characteristics for fast matching. We evaluate the proposed approach using a benchmark dataset collected from various open-source projects, and compare the performance with the current approach. The experimental results show that a hybrid matcher reduces the ReDoS-vulnerability by 96% and 99.98% in full and partial matching, respectively. Moreover, 55% of the most problematic regular expressions become invulnerable to ReDoS by the position construction.",

keywords = "Denial of service, Position automata, ReDoS, Regular expressions",

author = "Sicheol Sung and Hyunjoon Cheon and Han, {Yo Sub}",

note = "Publisher Copyright: {\textcopyright} 2022, Springer Nature Switzerland AG.; 26th International Conference on Implementation and Application of Automata, CIAA 2022 ; Conference date: 28-06-2022 Through 01-07-2022",

year = "2022",

doi = "10.1007/978-3-031-07469-1_3",

language = "English",

isbn = "9783031074684",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "34--49",

editor = "Pascal Caron and Ludovic Mignot",

booktitle = "Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings",

address = "Germany",

}

Sung, S, Cheon, H & Han, YS 2022, How to Settle the ReDoS Problem: Back to the Classical Automata Theory. in P Caron & L Mignot (eds), Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13266 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 34-49, 26th International Conference on Implementation and Application of Automata, CIAA 2022, Rouen, France, 22/6/28. https://doi.org/10.1007/978-3-031-07469-1_3

How to Settle the ReDoS Problem: Back to the Classical Automata Theory. / Sung, Sicheol; Cheon, Hyunjoon; Han, Yo Sub.
Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings. ed. / Pascal Caron; Ludovic Mignot. Springer Science and Business Media Deutschland GmbH, 2022. p. 34-49 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13266 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - How to Settle the ReDoS Problem

T2 - 26th International Conference on Implementation and Application of Automata, CIAA 2022

AU - Sung, Sicheol

AU - Cheon, Hyunjoon

AU - Han, Yo Sub

PY - 2022

Y1 - 2022

N2 - Most regular-expression matching engines in practice are based on the Thompson construction and the Spencer matching algorithm. While these engines work fast and efficiently, a serious problem, the regular expression denial-of-service (ReDoS), has been reported recently. ReDoS is an algorithm complexity attack, which exploits the backtracking feature of the engine, and makes the service unresponsive indefinitely. Researchers suggested a few remedies to cope with the ReDoS problem, yet they are often ad-hoc or undesirable in practice. We instead propose a hybrid matching scheme that selects between the Thompson and the Spencer matching algorithms depending on the needed features. We also suggest to use the position construction for its intrinsic characteristics for fast matching. We evaluate the proposed approach using a benchmark dataset collected from various open-source projects, and compare the performance with the current approach. The experimental results show that a hybrid matcher reduces the ReDoS-vulnerability by 96% and 99.98% in full and partial matching, respectively. Moreover, 55% of the most problematic regular expressions become invulnerable to ReDoS by the position construction.

AB - Most regular-expression matching engines in practice are based on the Thompson construction and the Spencer matching algorithm. While these engines work fast and efficiently, a serious problem, the regular expression denial-of-service (ReDoS), has been reported recently. ReDoS is an algorithm complexity attack, which exploits the backtracking feature of the engine, and makes the service unresponsive indefinitely. Researchers suggested a few remedies to cope with the ReDoS problem, yet they are often ad-hoc or undesirable in practice. We instead propose a hybrid matching scheme that selects between the Thompson and the Spencer matching algorithms depending on the needed features. We also suggest to use the position construction for its intrinsic characteristics for fast matching. We evaluate the proposed approach using a benchmark dataset collected from various open-source projects, and compare the performance with the current approach. The experimental results show that a hybrid matcher reduces the ReDoS-vulnerability by 96% and 99.98% in full and partial matching, respectively. Moreover, 55% of the most problematic regular expressions become invulnerable to ReDoS by the position construction.

KW - Denial of service

KW - Position automata

KW - ReDoS

KW - Regular expressions

UR - http://www.scopus.com/inward/record.url?scp=85131956563&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85131956563&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-07469-1_3

DO - 10.1007/978-3-031-07469-1_3

M3 - Conference contribution

AN - SCOPUS:85131956563

SN - 9783031074684

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 34

EP - 49

BT - Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings

A2 - Caron, Pascal

A2 - Mignot, Ludovic

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 28 June 2022 through 1 July 2022

ER -

Sung S, Cheon H, Han YS. How to Settle the ReDoS Problem: Back to the Classical Automata Theory. In Caron P, Mignot L, editors, Implementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 34-49. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-07469-1_3