Regular Expression Denial of Service Induced by Backreferences
Yichen Liu, Berk Çakar, Aman Agrawal, Minseok Seo, James C. Davis, Dongyoon Lee

TL;DR
This paper systematically analyzes denial-of-service vulnerabilities caused by backreferences in regular expressions, introduces a new automaton model to detect such issues, and validates findings with real-world examples including Snort IDS.
Contribution
It introduces the Two-Phase Memory Automaton model for precise analysis of REwB vulnerabilities and provides algorithms to detect and exploit these vulnerabilities in practice.
Findings
Identified 45 previously unknown REwB vulnerabilities in Snort.
Demonstrated practical exploits that slow down or bypass IDS rules.
Developed detection algorithms for super-linear backtracking in REwB.
Abstract
This paper presents the first systematic study of denial-of-service vulnerabilities in Regular Expressions with Backreferences (REwB). We introduce the Two-Phase Memory Automaton (2PMFA), an automaton model that precisely captures REwB semantics. Using this model, we derive necessary conditions under which backreferences induce super-linear backtracking runtime, even when sink ambiguity is linear -- a regime where existing detectors report no vulnerability. Based on these conditions, we identify three vulnerability patterns, develop detection and attack-construction algorithms, and validate them in practice. Using the Snort intrusion detection ruleset, our evaluation identifies 45 previously unknown REwB vulnerabilities with quadratic or worse runtime. We further demonstrate practical exploits against Snort, including slowing rule evaluation by 0.6-1.2 seconds and bypassing alerts by…
Taxonomy
Topics: Security and Verification in Computing · Web Application Security Vulnerabilities · Network Packet Processing and Optimization
