Regular expressions (regexes) are widely used in different fields of computer science such as programming languages, string processing and databases. However, existing tools for synthesizing or repairing regexes were not designed to be resilient to Regex Denial of Service (ReDoS) attacks. Specifically, if a regex has super-linear (SL) worst-case complexity, an attacker could provide carefully-crafted inputs to launch ReDoS attacks. Therefore, in this paper, we propose a programming-by-example framework, FlashRegex, for generating anti-ReDoS regexes by either synthesizing or repairing from given examples. It is the first framework that integrates regex synthesis and repair with the awareness of ReDoS vulnerabilities. We present novel algorithms to deduce anti-ReDoS regexes by reducing the ambiguity of these regexes and by using Boolean Satisfiability (SAT) or Neighborhood Search (NS) techniques. We evaluate FlashRegex against five related state-of-the-art tools. The evaluation results show that our work can effectively and efficiently generate anti-ReDoS regexes from given examples, and also reveal that existing synthesis and repair tools have neglected the ReDoS vulnerabilities of regexes. Specifically, the existing synthesis and repair tools generated up to 394 ReDoS-vulnerable regexes, taking from a few seconds to more than one hour, while FlashRegex generated no SL regex and took around five seconds. Furthermore, the evaluation results on ReDoS-vulnerable regex repair also show that FlashRegex has better capability than existing repair tools and even human experts, achieving 4 more ReDoS-invulnerable regexes after repair without trimming and resorting, highlighting the usefulness of FlashRegex in terms of generality, automation and user-friendliness.
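As an added illustration (not code from the FlashRegex paper), the toy backtracking matcher below counts the steps it spends, showing why an ambiguous regex such as `(a|a)*b` has super-linear worst-case matching time on inputs like `aaa…a` while the unambiguous `a*b`, which accepts the same language, stays linear; this is the kind of ambiguity the abstract says the repair removes. The AST constructors and function names are assumptions made for this example.

```python
"""Step-counting backtracking matcher (constructed example).

Regex AST: ('chr', c) | ('cat', a, b) | ('alt', a, b) | ('star', a)
"""


def chr_(c):
    return ('chr', c)


def cat(a, b):
    return ('cat', a, b)


def alt(a, b):
    return ('alt', a, b)


def star(a):
    return ('star', a)


def match(node, s):
    """Match the whole of s with backtracking; return (matched, steps)."""
    steps = 0

    def m(n, i, k):
        # n: AST node, i: position in s, k: continuation called on success
        nonlocal steps
        steps += 1
        t = n[0]
        if t == 'chr':
            return i < len(s) and s[i] == n[1] and k(i + 1)
        if t == 'cat':
            return m(n[1], i, lambda j: m(n[2], j, k))
        if t == 'alt':
            # both branches are tried: this is where ambiguity multiplies work
            return m(n[1], i, k) or m(n[2], i, k)
        # star: greedy; refuse empty iterations so the loop terminates
        return m(n[1], i, lambda j: j > i and m(n, j, k)) or k(i)

    return bool(m(node, 0, lambda i: i == len(s))), steps


def steps_for(regex, n):
    """Steps spent rejecting 'a' * n (input lacks the final 'b')."""
    return match(regex, 'a' * n)[1]


AMBIGUOUS = cat(star(alt(chr_('a'), chr_('a'))), chr_('b'))  # (a|a)*b
UNAMBIGUOUS = cat(star(chr_('a')), chr_('b'))                 # a*b

if __name__ == '__main__':
    for n in (5, 10, 14):
        print(n, steps_for(AMBIGUOUS, n), steps_for(UNAMBIGUOUS, n))
```

The ambiguous regex's step count roughly doubles with each extra `a` (exponential), while the unambiguous one grows by a constant per character.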
Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences
Department of Computer Science and Engineering, The Hong Kong University of Science and Technology
Wed 23 Sep (times shown in UTC)
Authors: Yeting Li (Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Zhiwu Xu (Shenzhen University), Jialun Cao (Department of Computer Science and Engineering, The Hong Kong University of Science and Technology), Haiming Chen (Institute of Software, Chinese Academy of Sciences), Tingjian Ge (University of Massachusetts, Lowell), Shing-Chi Cheung (Hong Kong University of Science and Technology, China), Haoren Zhao (Shaanxi Normal University, Xi'an, China)