High-performance detection tool for ReDoS-vulnerability


Regular expressions (regexes) are widely used in many fields of computer science. However, the Regular expression Denial of Service (ReDoS) vulnerability forms a class of common and serious algorithmic complexity attacks.

Existing ReDoS-vulnerability detection tools suffer from low precision or low recall because they lack formal and comprehensive detection conditions for ReDoS-vulnerabilities.

A research team led by Prof. Chen Haiming from the Institute of Software of the Chinese Academy of Sciences has developed a high-performance detection tool for ReDoS-vulnerability.

Their study was published at the USENIX Security Symposium 2021.

By examining a large number of ReDoS-vulnerable regexes, Chen's team proposed detection conditions for ReDoS-vulnerabilities, namely the ReDoS-vulnerability patterns, and formally stated the necessary conditions for triggering these patterns.

Based on this, they designed ReDoSHunter, a ReDoS-vulnerability detection tool that combines static and dynamic detection.

ReDoSHunter can pinpoint multiple root causes in a vulnerable regex, determine the degree of the vulnerability and generate attack-triggering strings, among other things. It achieved 100% precision and recall on the Corpus, RegExLib and Snort datasets, which together contain 37,651 regexes.
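To make the "degree of the vulnerability" concrete, here is an added example that is not code from the article or from ReDoSHunter: a toy backtracking regex engine in Python that counts its own matching steps, plus a heuristic that classifies how the step count grows when a non-matching input doubles in length. The engine, its supported syntax, the step thresholds and the sample patterns are all assumptions of this example, chosen to contrast the exponential `(a+)+$` with the polynomial `a*a*$` and the linear `a+$`.

```python
"""Toy backtracking regex engine that counts matching steps.

Added illustration, not ReDoSHunter's algorithm: a production engine is far
more complex, but this is enough to show why nested quantifiers such as
(a+)+$ backtrack exponentially while a+$ backtracks linearly. Supported
syntax: literals, '.', '$', '(...)', '|', and the quantifiers '*', '+', '?'.
Matching is anchored at the start of the input, like Python's re.match.
"""


def parse(pattern):
    """Recursive-descent parser; returns a small AST built from tuples."""
    pos = 0

    def peek():
        return pattern[pos] if pos < len(pattern) else None

    def parse_alt():
        nonlocal pos
        branches = [parse_seq()]
        while peek() == '|':
            pos += 1
            branches.append(parse_seq())
        return branches[0] if len(branches) == 1 else ('alt', branches)

    def parse_seq():
        items = []
        while peek() not in (None, '|', ')'):
            items.append(parse_repeat())
        return ('cat', items)

    def parse_repeat():
        nonlocal pos
        atom = parse_atom()
        q = peek()
        if q in ('*', '+', '?'):
            pos += 1
            lo, hi = {'*': (0, None), '+': (1, None), '?': (0, 1)}[q]
            return ('rep', atom, lo, hi)
        return atom

    def parse_atom():
        nonlocal pos
        c = peek()
        pos += 1
        if c == '(':
            inner = parse_alt()
            if peek() != ')':
                raise ValueError('missing closing parenthesis')
            pos += 1
            return inner
        if c == '.':
            return ('any',)
        if c == '$':
            return ('end',)
        if c == '\\':                      # escaped literal such as \. or \$
            c = peek()
            if c is None:
                raise ValueError('dangling backslash')
            pos += 1
        return ('lit', c)

    ast = parse_alt()
    if pos != len(pattern):
        raise ValueError('unexpected %r at offset %d' % (pattern[pos], pos))
    return ast


def match(pattern, text):
    """Anchored backtracking match. Returns (matched, steps_taken)."""
    steps = [0]

    def m(node, i, k):
        # k is the continuation: what must still match from index i onwards.
        steps[0] += 1
        kind = node[0]
        if kind == 'lit':
            return i < len(text) and text[i] == node[1] and k(i + 1)
        if kind == 'any':
            return i < len(text) and k(i + 1)
        if kind == 'end':
            return i == len(text) and k(i)
        if kind == 'cat':
            items = node[1]

            def go(idx, j):
                if idx == len(items):
                    return k(j)
                return m(items[idx], j, lambda j2: go(idx + 1, j2))
            return go(0, i)
        if kind == 'alt':
            return any(m(branch, i, k) for branch in node[1])
        if kind == 'rep':
            sub, lo, hi = node[1], node[2], node[3]

            def loop(count, j):
                # Greedy: try another iteration first. An iteration that
                # consumes nothing is rejected so (a*)* cannot spin forever.
                if (hi is None or count < hi) and m(
                        sub, j, lambda j2: j2 != j and loop(count + 1, j2)):
                    return True
                return count >= lo and k(j)
            return loop(0, i)
        raise ValueError('unknown node %r' % (node,))

    matched = m(parse(pattern), 0, lambda j: True)
    return bool(matched), steps[0]


def growth_class(pattern, char='a', sizes=(7, 14)):
    """Heuristic 'degree' of the vulnerability: feed the pattern a run of
    `char` ending in '!' so the match fails and every backtracking path is
    explored, then compare step counts when the run doubles in length.
    Thresholds are empirical for this toy engine (assumption)."""
    small = match(pattern, char * sizes[0] + '!')[1]
    large = match(pattern, char * sizes[1] + '!')[1]
    ratio = large / small
    if ratio < 2.5:
        return 'linear', ratio
    if ratio < 16:
        return 'polynomial', ratio
    return 'exponential', ratio


if __name__ == '__main__':
    for pat in ('a+$', 'a*a*$', '(a+)+$'):
        label, ratio = growth_class(pat)
        print('%-8s %-12s steps grew %.0fx when the input doubled' % (pat, label, ratio))
```

Running the script prints one line per pattern; only `(a+)+$` shows the explosive growth. The defensive takeaway is the one the article's "degree" classification captures: a regex whose step count grows polynomially is a throughput problem, one that grows exponentially is a denial-of-service trigger on inputs of a few dozen characters, and the usual fixes are to rewrite the nested quantifier so that only one sub-expression can consume a given character, or to run untrusted input through a non-backtracking engine.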

When run against publicly confirmed practical vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database, ReDoSHunter detected 100% of the ReDoS-related CVEs.

In a previous study, Chen's team proposed FlashRegex, a programming-by-example framework for generating anti-ReDoS regexes by either synthesizing them from given examples or repairing existing ones. It is the first framework to integrate regex synthesis and repair with awareness of ReDoS-vulnerabilities.

FlashRegex can efficiently generate or repair regexes without ReDoS-vulnerabilities, and the repaired regexes contain no ReDoS-vulnerabilities.

The study, titled "FlashRegex: deducing anti-ReDoS regexes from examples," was published at ASE 2020.

More information: Yeting Li et al, FlashRegex, Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering (2021). DOI: 10.1145/3324884.3416556

Citation: High-performance detection tool for ReDoS-vulnerability (2021, August 16) retrieved 16 August 2021 from https://techxplore.com/news/2021-08-high-performance-tool-redos-vulnerability.html
