How to Settle the ReDoS Problem: Back to the Classical Automata Theory

Sicheol Sung, Hyunjoon Cheon, Yo Sub Han

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Most regular-expression matching engines in practice are based on the Thompson construction and the Spencer matching algorithm. While these engines work fast and efficiently, a serious problem, the regular expression denial-of-service (ReDoS), has been reported recently. ReDoS is an algorithm complexity attack, which exploits the backtracking feature of the engine, and makes the service unresponsive indefinitely. Researchers suggested a few remedies to cope with the ReDoS problem, yet they are often ad-hoc or undesirable in practice. We instead propose a hybrid matching scheme that selects between the Thompson and the Spencer matching algorithms depending on the needed features. We also suggest to use the position construction for its intrinsic characteristics for fast matching. We evaluate the proposed approach using a benchmark dataset collected from various open-source projects, and compare the performance with the current approach. The experimental results show that a hybrid matcher reduces the ReDoS-vulnerability by 96% and 99.98% in full and partial matching, respectively. Moreover, 55% of the most problematic regular expressions become invulnerable to ReDoS by the position construction.

Original languageEnglish
Title of host publicationImplementation and Application of Automata - 26th International Conference, CIAA 2022, Proceedings
EditorsPascal Caron, Ludovic Mignot
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages16
ISBN (Print)9783031074684
Publication statusPublished - 2022
Event26th International Conference on Implementation and Application of Automata, CIAA 2022 - Rouen, France
Duration: 2022 Jun 282022 Jul 1

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13266 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference26th International Conference on Implementation and Application of Automata, CIAA 2022

Bibliographical note

Funding Information:
2020R1A4A3079947) funded by MIST.

Funding Information:
by the NRF grant (NRF-

Publisher Copyright:
© 2022, Springer Nature Switzerland AG.

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'How to Settle the ReDoS Problem: Back to the Classical Automata Theory'. Together they form a unique fingerprint.

Cite this