Watch a 13-minute conference presentation from USENIX Security '24 exploring an innovative approach to detecting Regular Expression Denial of Service (ReDoS) vulnerabilities in non-backtracking regex engines. Learn about EvilStrGen, a novel tool that generates attack strings using an incremental determinisation algorithm and heuristic strategies. Discover how researchers from the Chinese Academy of Sciences and University of Massachusetts systematically analyzed ReDoS vulnerability causes, introduced the concept of simple strings for attack generation, and evaluated their tool against existing approaches using over 736,000 unique regexes. Understand the practical impact of this research, which identified 34 previously unknown ReDoS vulnerabilities across 85 extensively tested projects.