Write a Blog >>
ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
Wed 23 Sep 2020 09:50 - 10:10 at Kangaroo - Synthesis Chair(s): Domenico Bianculli

Regular expressions (regexes) are widely used in different fields of computer science such as programming languages, string processing and databases. However, existing tools for synthesizing or repairing regexes were not designed to be resilient to Regex Denial of Service (ReDoS) attacks. Specifically, if a regex has super-linear (SL) worst-case complexity, an attacker could provide carefully-crafted inputs to launch ReDoS attacks. Therefore, in this paper, we propose a programming-by-example framework, FlashRegex, for generating anti-ReDoS regexes by either synthesizing or repairing from given examples. It is the first framework that integrates regex synthesis and repair with the awareness of ReDoS-vulnerabilities.We present novel algorithms to deduce anti-ReDoS regexes by reducing the ambiguity of these regexes and by using Boolean Satisfiability (SAT) or Neighborhood Search (NS) techniques. We evaluate FlashRegex with five related state-of-the-art tools. The evaluation results show that our work can effectively and efficiently generate anti-ReDoS regexes from given examples, and also reveal that existing synthesis and repair tools have neglected ReDoS-vulnerabilities of regexes. Specifically, the existing synthesis and repair tools generated up to 394 ReDoS-vulnerable regex within few seconds to more than one hours, while FlashRegex generated no SL regex within around five seconds. Furthermore, the evaluation results on ReDoS-vulnerable regex repair also show that FlashRegex has better capability than existing repair tools and even human experts, achieving 4 more ReDoS-invulnerable regex after repair without trimming and resorting, highlighting the usefulness of FlashRegex in terms of generality, automation and user-friendliness.

Wed 23 Sep
Times are displayed in time zone: (UTC) Coordinated Universal Time

09:10 - 10:10: SynthesisResearch Papers at Kangaroo
Chair(s): Domenico BianculliUniversity of Luxembourg
09:10 - 09:30
Just-In-Time Reactive Synthesis
Research Papers
Shahar MaozTel Aviv University, Israel, Ilia ShevrinTel Aviv University
09:30 - 09:50
JISET: JavaScript IR-based Semantics Extraction Toolchain
Research Papers
Jihyeok ParkKAIST, South Korea, Jihee ParkKAIST, Seungmin AnKAIST, Sukyoung RyuKAIST
09:50 - 10:10
FlashRegex: Deducing Anti-ReDoS Regexes from Examples
Research Papers
Yeting LiInstitute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences, Zhiwu XuShenzhen University, Jialun CaoDepartment of Computer Science and Engineering, The Hong Kong University of Science and Technology, Haiming ChenInstitute of Software, Chinese Academy of Sciences, Tingjian GeUniversity of Massachusetts, Lowell, Shing-Chi CheungHong Kong University of Science and Technology, China, Haoren ZhaoShaanxi Normal University, Xi'an, China