Static Analysis for Regular Expression Denial-of-Service Attacks

  • James Kirrage
  • Asiri Rathnayake
  • Hayo Thielecke
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


Regular expressions are a concise yet expressive language for expressing patterns. For instance, in networked software, they are used for input validation and intrusion detection. Yet some widely deployed regular expression matchers based on backtracking are themselves vulnerable to denial-of-service attacks, since their runtime can be exponential for certain input strings. This paper presents a static analysis for detecting such vulnerable regular expressions. The running time of the analysis compares favourably with tools based on fuzzing, that is, randomly generating inputs and measuring how long matching them takes. Unlike fuzzers, the analysis pinpoints the source of the vulnerability and generates possible malicious inputs for programmers to use in security testing. Moreover, the analysis has a firm theoretical foundation in abstract machines. Testing the analysis on two large repositories of regular expressions shows that the analysis is able to find significant numbers of vulnerable regular expressions in a matter of seconds.


Intrusion Detection Regular Expression Input String Abstract Machine Deterministic Finite Automaton 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aho, A.V.: Algorithms for Finding Patterns in Strings. In: van Leeuwen, J. (ed.) Handbook of Theoretical Computer Science, vol. A, pp. 255–300. MIT Press, Cambridge (1990)Google Scholar
  2. 2.
    Aho, A.V., Lam, M., Sethi, R., Ullman, J.D.: Compilers - Principles, Techniques and Tools, 2nd edn. Addison Wesley (2007)Google Scholar
  3. 3.
    Berdine, J., Cook, B., Distefano, D., O’Hearn, P.W.: Automatic termination proofs for programs with shape-shifting heaps. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 386–400. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Brzozowski, J.A.: Derivatives of Regular Expressions. J. ACM 11(4), 481–494 (1964)MathSciNetzbMATHCrossRefGoogle Scholar
  5. 5.
    Chess, B., McGraw, G.: Static analysis for security. IEEE Security & Privacy 2(6), 76–79 (2004)CrossRefGoogle Scholar
  6. 6.
    Cox, R.: Regular Expression Matching Can Be Simple and Fast (but is slow in Java, Perl, Php, Python, Ruby, ...) (January 2007),
  7. 7.
    Cox, R.: Regular expression matching: the virtual machine approach (December 2009),
  8. 8.
    Crosby, S.A., Wallach, D.S.: Denial of Service via Algorithmic Complexity Attacks. In: Proceedings of the 12th USENIX Security Symposium, Washington, DC (August 2003)Google Scholar
  9. 9.
    Danvy, O., Nielsen, L.R.: Defunctionalization at Work. In: Proceedings of the 3rd ACM SIGPLAN International Conference on Principles and Practice of Declarative Programming, PPDP 2001, pp. 162–174. ACM, New York (2001)CrossRefGoogle Scholar
  10. 10.
    Dowd, M., McDonald, J., Schuh, J.: The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison Wesley (2006)Google Scholar
  11. 11.
    Goyvaerts, J.: Runaway Regular Expressions: Catastrophic Backtracking (2009),
  12. 12.
    Harper, R.: Proof-Directed Debugging. J. Funct. Program. 9(4), 463–469 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Hopcroft, J.E., Ullman, J.D.: Introduction to Automata Theory, Languages and Computation. Addison-Wesley (1979)Google Scholar
  14. 14.
    Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in java applications with static analysis. In: Proceedings of the 14th Conference on USENIX Security Symposium, vol. 14, p. 18 (2005)Google Scholar
  15. 15.
    Just Great Software Co. Ltd. RegexBuddy (2012),
  16. 16.
    Mairson, H.G.: Deciding ML typability is complete for deterministic exponential time. In: Proceedings of the 17th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 382–401. ACM (1989)Google Scholar
  17. 17.
  18. 18.
    Namjoshi, K., Narlikar, G.: Robust and Fast Pattern Matching for Intrusion Detection. In: Proceedings of the 29th Conference on Information Communications, INFOCOM 2010, pp. 740–748. IEEE Press, Piscataway (2010)Google Scholar
  19. 19.
    The Open Web Application Security Project (OWASP). Regular Expression Denial of Service - ReDoS (2012),
  20. 20.
    Rathnayake, A., Thielecke, H.: Regular Expression Matching and Operational Semantics. In: Structural Operational Semantics (SOS 2011). Electronic Proceedings in Theoretical Computer Science (2011)Google Scholar
  21. 21. Regular Expression Library (2012),
  22. 22.
    Roichman, A., Weidman, A.: Regular Expression Denial of Service (2012),
  23. 23.
    Seidl, H., et al.: Haskell overloading is DEXPTIME-complete. Information Processing Letters 52(2), 57–60 (1994)MathSciNetzbMATHCrossRefGoogle Scholar
  24. 24.
    Smith, R., Estan, C., Jha, S.: Backtracking Algorithmic Complexity Attacks Against a NIDS. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC 2006, pp. 89–98. IEEE Computer Society, Washington, DC (2006)Google Scholar
  25. 25.
    Sourcefire. Snort, IDS/IPS (2012),
  26. 26.
    Thompson, K.: Programming Techniques: Regular Expression Search Algorithm. Communications of the ACM 11(6), 419–422 (1968)zbMATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • James Kirrage
    • 1
  • Asiri Rathnayake
    • 1
  • Hayo Thielecke
    • 1
  1. 1.University of BirminghamUK

Personalised recommendations