Static Analysis for Regular Expression Exponential Runtime via Substructural Logics

Regular expression matching using backtracking can have exponential runtime, leading to an algorithmic complexity attack known as REDoS in the systems security literature. In this paper, we build on a recently published static analysis that detects whether a given regular expression can have exponential runtime for some inputs. We systematically construct a more accurate analysis by forming powers and products of transition relations and thereby reducing the REDoS problem to reachability. The correctness of the analysis is proved using a substructural calculus of search trees, where the branching of the tree causing exponential blowup is characterized as a form of non-linearity.
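The idea of reducing exponential blowup to reachability in a product of transition relations can be sketched as follows. This is an added, simplified example, not the paper's analysis or code: it assumes an epsilon-free NFA in which every state is reachable, and the function names and the three sample automata are constructed for illustration. A state is flagged when the pair (q, q) can reach an off-diagonal pair and return, meaning two distinct runs loop on q while reading the same word.

```python
from itertools import product

def pair_successors(nfa, pair):
    """Successors of (p, q) in the product relation: both sides read the same symbol."""
    p, q = pair
    for sym, p_targets in nfa.get(p, {}).items():
        q_targets = nfa.get(q, {}).get(sym, ())
        yield from product(p_targets, q_targets)

def reachable(nfa, start):
    """Product states reachable from `start` in one or more steps."""
    seen, stack = set(), [start]
    while stack:
        for nxt in pair_successors(nfa, stack.pop()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def exponential_pivots(nfa):
    """States q with two distinct loops q -> q on the same word."""
    pivots = set()
    for q in nfa:
        for p1, p2 in reachable(nfa, (q, q)):
            # An off-diagonal pair that can return to (q, q) witnesses two
            # different runs over one word, which a backtracker can re-explore
            # at every repetition of that word.
            if p1 != p2 and (q, q) in reachable(nfa, (p1, p2)):
                pivots.add(q)
                break
    return pivots

# Constructed position automata (state 0 is initial); not taken from the paper.
NFA_ALT = {   # (a|a)*b : two indistinguishable branches inside the star
    0: {"a": {1, 2}, "b": {3}},
    1: {"a": {1, 2}, "b": {3}},
    2: {"a": {1, 2}, "b": {3}},
}
NFA_STAR = {  # a*b : deterministic
    0: {"a": {1}, "b": {2}},
    1: {"a": {1}, "b": {2}},
}
NFA_POLY = {  # a*a* : ambiguous, but only polynomially
    0: {"a": {1, 2}},
    1: {"a": {1, 2}},
    2: {"a": {2}},
}

if __name__ == "__main__":
    for name, nfa in [("(a|a)*b", NFA_ALT), ("a*b", NFA_STAR), ("a*a*", NFA_POLY)]:
        print(name, sorted(exponential_pivots(nfa)))
```

The `a*a*` automaton is ambiguous yet is not flagged, because its off-diagonal pairs cannot return to the diagonal; only the looping ambiguity in `(a|a)*b` is reported.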
