Abstract:Regular expression denial of service (ReDoS) is an asymmetric cyberattack that has become prominent in recent years. This attack exploits the slow worst-case matching time of regular expression (regex) engines. In the past, problematic regular expressions have led to outages at Cloudflare and Stack Overflow, showing the severity of the problem. While ReDoS has drawn significant research attention, there has been no systematization of knowledge to delineate the state of the art and identify opportunities for further research. In this paper, we describe the existing knowledge on ReDoS. We first provide a systematic literature review, dividing works into two classes: measurement studies and defenses. Then, our engineering review surveys the latest regex engines to examine whether and how ReDoS defenses have been realized. Combining our findings, we observe that (1) in the literature, almost no studies evaluate whether and how ReDoS vulnerabilities can be weaponized against real systems, making it difficult to assess their real-world impact; and (2) from an engineering view, many mainstream regex engines now have ReDoS defenses, rendering many threat models obsolete. The open challenges in ReDoS research are to evaluate the emerging defenses, and to support engineers in migrating to defended engines. To support these directions, we conclude by presenting the wrk-redos tool. This tool supports controlled measurements of ReDoS on a web service, and includes proof-of-concept Docker images that allow engineers to substitute different regex engines in their applications.

What problem does this paper attempt to address?

The problem that this paper attempts to solve is to systematically organize the knowledge of the research and engineering status quo of Regular Expression Denial of Service (ReDoS). Specifically, the paper aims to: 1. **Systematize existing knowledge**: Conduct a systematic review of academic literature related to ReDoS, and divide the research into two categories: measurement research and defense research. In this way, the author hopes to provide researchers with a comprehensive understanding framework, evaluate the current research progress, and identify future research opportunities. 2. **Evaluate existing defense measures**: Review from an engineering perspective how mainstream regular expression engines implement ReDoS defense measures. This helps to understand the effectiveness of these defense measures and point out which threat models are obsolete. 3. **Reveal deficiencies in research**: The paper points out that there are some problems in the existing literature, such as the lack of evaluation on whether ReDoS vulnerabilities can be exploited in actual systems, and there are inconsistencies and deficiencies in threat models, ReDoS definitions, and attack evaluations. 4. **Support engineers in migrating to more secure engines**: To help engineers evaluate the ReDoS risk of their systems and consider migrating to regular expression engines with better defense mechanisms, the author introduces a tool named `wrk - redos`. This tool can be used to measure the impact of ReDoS attacks on web services in a controlled environment and provides Docker images that can replace different regular expression engines. ### Main contributions of the paper - **Systematize academic literature**: Conduct a systematic review of top - conference papers published between 2015 and 2024, and summarize the research progress in the ReDoS field. - **Review the ReDoS defense status quo of mainstream regular expression engines**: Analyze how regular expression engines in mainstream programming language runtime environments respond to ReDoS attacks. - **Introduce the `wrk - redos` tool**: Provide a benchmarking tool to help application developers evaluate the ReDoS risk of their systems and test the potential benefits of replacing regular expression engines. ### Conclusion Through the above work, the paper not only provides a systematic review for the ReDoS research field, but also points out the direction of future research, especially how to evaluate emerging defense measures and support engineers to better deal with ReDoS threats.

SoK: A Literature and Engineering Review of Regular Expression Denial of Service

Regular Expression Attack Technique On ReDoS Vulnerability

Exploiting Input Sanitization for Regex Denial of Service

ReScue: Crafting Regular Expression DoS Attacks

Runtime Recovery of Web Applications under Zero-Day ReDoS Attacks

A systematic review on distributed denial of service attack defense mechanisms in programmable networks

A Comprehensive Survey on Ddos Defense Systems: New Trends and Challenges

DDoS Attack and Defense: Review of Some Traditional and Current Techniques

A Survey of Distributed Denial of Service Attacks and Defenses

ReDAN: An Empirical Study on Remote DoS Attacks against NAT Networks

A Review of Denial of Service Attack and Mitigation in the Smart Grid Using Reinforcement Learning

20 Years of DDoS: a Call to Action

DDoSMiner: an Automated Framework for DDoS Attack Characterization and Vulnerability Mining.

IXmon: Detecting and Analyzing DRDoS Attacks at Internet Exchange Points

The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments

Regexes are Hard: Decision-making, Difficulties, and Risks in Programming Regular Expressions

A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks

SmartReco: Detecting Read-Only Reentrancy via Fine-Grained Cross-DApp Analysis

Towards Risk Evaluation of Denial-Of-Service Vulnerabilities in Security Protocols

Systematic Literature Review of IoT Botnet DDOS Attacks and Evaluation of Detection Techniques

A Review on Distributed Denial of Service Attack