Static Analysis for Regular Expression Denial-of-Service Attacks
作者: James Kirrage , Asiri Rathnayake , Hayo Thielecke
DOI: 10.1007/978-3-642-38631-2_11
关键词:
摘要: Regular expressions are a concise yet expressive language for expressing patterns. For instance, in networked software, they used input validation and intrusion detection. Yet some widely deployed regular expression matchers based on backtracking themselves vulnerable to denial-of-service attacks, since their runtime can be exponential certain strings. This paper presents static analysis detecting such expressions. The running time of the compares favourably with tools fuzzing, that is, randomly generating inputs measuring how long matching them takes. Unlike fuzzers, pinpoints source vulnerability generates possible malicious programmers use security testing. Moreover, has firm theoretical foundation abstract machines. Testing two large repositories shows is able find significant numbers matter seconds.
springer.com
arxiv.org
harvard.edu
core.ac.uk
sci-hub.st 参考文章(21)
悦朗 守屋, J.E.Hopcroft, J.D. Ullman 著, "Introduction to Automata Theory, Languages, and Computation", Addison-Wesley, A5変形版, X+418, \6,670, 1979 情報処理. ,vol. 21, pp. 802- 803 ,(1980)
Ravi Sethi, Jeffrey D. Ullman, Alfred V. Aho, Compilers: Principles, Techniques, and Tools ,(1986)
V. Benjamin Livshits, Monica S. Lam, Finding security vulnerabilities in java applications with static analysis usenix security symposium. pp. 18- 18 ,(2005)
Scott A. Crosby, Dan S. Wallach, Denial of service via algorithmic complexity attacks usenix security symposium. pp. 3- 3 ,(2003)
Alfred V. AHO, Algorithms for finding patterns in strings Handbook of theoretical computer science (vol. A). pp. 255- 300 ,(1991) , 10.1016/B978-0-444-88071-0.50010-2
Justin Schuh, Mark Dowd, John McDonald, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities ,(2006)
Monica S. Lam, Ravi Sethi, Jeffrey D. Ullman, Alfred V. Aho, Compilers: Principles, Techniques, and Tools (2nd Edition) Addison-Wesley Longman Publishing Co., Inc.. ,(2006)
David Maier, Review of "Introduction to automata theory, languages and computation" by John E. Hopcroft and Jeffrey D. Ullman. Addison-Wesley 1979. ACM SIGACT News. ,vol. 12, pp. 13- 14 ,(1980) , 10.1145/1008861.1008863
Regular Expression Matching and Operational Semantics Proceedings of the Eighth Workshop on Structural Operational Semantics 2011(SOS 2011). ,vol. 62, pp. 31- 45 ,(2011) , 10.4204/EPTCS.62
Helmut Seidl, Haskell overloading is DEXPTIME-complete Information Processing Letters. ,vol. 52, pp. 57- 60 ,(1994) , 10.1016/0020-0190(94)00130-8