NTT and Waseda University Develop "World's First" Technology to Automatically Fix ReDoS Vulnerabilities
NTT (holding company) and Waseda University announced on March 23 that they had developed the world's first technology to automatically fix ReDoS (regular expression denial of service) vulnerabilities, one class of program vulnerability. With it, even developers without specialized knowledge can fix ReDoS vulnerabilities easily.

A regular expression is a rule-based notation for concisely describing a set of character strings, and is built into most programming languages. It is used in a wide range of situations, such as verifying in a web service that a user's input has the expected form. However, if the set of strings to be verified is not strictly defined, the regular expression becomes vulnerable: an attacker can supply input that takes a very long time to process, consuming computational resources and greatly increasing the load. Incidents in which commercial services have gone down because of ReDoS vulnerabilities have occurred frequently over the past few years.

To ensure that there are no ReDoS vulnerabilities, the new technology removes ambiguity from the way a regular expression is written and defines conditions under which the way a pattern is matched is uniquely determined for any character string. By outputting a modified regular expression that satisfies these conditions, it guarantees that the result is theoretically free of ReDoS vulnerabilities. NTT devised a definition of ReDoS vulnerabilities in real-world regular expressions, a definition of the repair problem, and a repair algorithm. The theoretical correctness of the method was verified by Professor Tachio Terauchi of Waseda University's Faculty of Science and Engineering.

The new technology will be presented at IEEE S&P 2022, an international conference on security and privacy to be held from May 22 to 26, 2022.
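The following Python example is added here to illustrate what "ambiguity" means for a backtracking matcher and why an unambiguous rewrite of the same language is safe; it is not part of the article and is not the NTT/Waseda repair algorithm. It uses a deliberately minimal backtracking engine (constructed for this example) that counts matcher steps, and compares the ambiguous pattern `(a|a)*b`, where every `a` can be consumed by either branch, with the unambiguous rewrite `a*b`, which accepts exactly the same strings. On a constructed input of many `a`s and no `b`, the ambiguous pattern costs a number of steps that doubles with every extra character, while the rewrite stays linear.

```python
"""Added illustration: a regex's ambiguity is what a backtracking matcher pays
for on a failing input.  The engine below is a toy constructed for this
example, not the NTT/Waseda repair algorithm."""
from dataclasses import dataclass
from typing import Callable, Union


# Regex AST: literal character, alternation, concatenation, Kleene star.
@dataclass(frozen=True)
class Char:
    c: str


@dataclass(frozen=True)
class Alt:
    left: "Node"
    right: "Node"


@dataclass(frozen=True)
class Cat:
    left: "Node"
    right: "Node"


@dataclass(frozen=True)
class Star:
    body: "Node"


Node = Union[Char, Alt, Cat, Star]


class Backtracker:
    """Continuation-passing backtracking matcher, the strategy most
    production regex engines use.  Every call to _match counts as one step."""

    def __init__(self, budget: int = 5_000_000):
        self.steps = 0
        self.budget = budget

    def _match(self, node: Node, s: str, i: int, k: Callable[[int], bool]) -> bool:
        self.steps += 1
        if self.steps > self.budget:
            # A step budget is only a runtime mitigation; repairing the regex
            # so that matching is unambiguous removes the need for it.
            raise RuntimeError("matcher step budget exceeded")
        if isinstance(node, Char):
            return i < len(s) and s[i] == node.c and k(i + 1)
        if isinstance(node, Alt):
            # Both branches are tried.  If they can match the same text, every
            # later failure is retried once per branch: the source of blow-up.
            return self._match(node.left, s, i, k) or self._match(node.right, s, i, k)
        if isinstance(node, Cat):
            return self._match(node.left, s, i, lambda j: self._match(node.right, s, j, k))
        if isinstance(node, Star):
            # Try one more iteration (which must consume input), else stop here.
            return (self._match(node.body, s, i, lambda j: j > i and self._match(node, s, j, k))
                    or k(i))
        raise TypeError(f"unknown node {node!r}")

    def fullmatch(self, node: Node, s: str) -> bool:
        self.steps = 0
        return self._match(node, s, 0, lambda j: j == len(s))


# Ambiguous: (a|a)*b -- each 'a' can be matched by either branch.
AMBIGUOUS = Cat(Star(Alt(Char("a"), Char("a"))), Char("b"))
# Unambiguous rewrite of the same language: a*b.
REPAIRED = Cat(Star(Char("a")), Char("b"))


def steps_for(node: Node, s: str) -> int:
    """Return the number of matcher steps a full-match attempt of s takes."""
    m = Backtracker()
    m.fullmatch(node, s)
    return m.steps


def same_language(p: Node, q: Node, samples) -> bool:
    """Check that two patterns accept and reject the same sample strings."""
    m = Backtracker()
    return all(m.fullmatch(p, s) == m.fullmatch(q, s) for s in samples)


if __name__ == "__main__":
    # Constructed adversarial input: many 'a's and no 'b', so every path fails.
    for n in (8, 12, 16):
        evil = "a" * n
        print(f"n={n:2d}  ambiguous={steps_for(AMBIGUOUS, evil):7d} steps"
              f"  repaired={steps_for(REPAIRED, evil):3d} steps")
```

For this toy engine the repaired pattern takes 3n + 4 steps on n `a`s, while the ambiguous one takes 1 + 5(2^(n+1) - 1): the matcher re-enters the star at position i once for each of the 2^i ways the earlier characters could have been split between the two branches. The same doubling is what a backtracking engine in a real language does on an ambiguous pattern, which is why the repair described above targets ambiguity rather than the input.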
ITmedia NEWS