Dates
Friday, February 18, 2022 - 02:40pm to Friday, February 18, 2022 - 03:40pm
Location
NCS 120
Event Description

Abstract:

Regular expressions (regexes) are a widely used string manipulation tool. Regexes bring order to unstructured text, and are commonly applied in web services to sanitize untrusted input. Unfortunately, regexes are risky in most mainstream programming languages: many regex engines have worst-case exponential matching behavior, leading to Regex Denial of Service (ReDoS). In this talk, I will present the first large-scale empirical studies of super-linear regex use, and I report that ReDoS is a real-world problem: up to 10% of regexes may comprise ReDoS vectors. I then discuss how we should defeat the ReDoS problem.

Bio:
Dongyoon Lee received the Ph.D. (2013) and M.S. (2009) degrees in Computer Science and Engineering at the University of Michigan, Ann Arbor, and the B.S. (2004) degree in Electrical Engineering at Seoul National University, South Korea. He is now an assistant professor in the Computer Science Department at Stony Brook University. Before joining Stony Brook University, he worked as an assistant professor at Virginia Tech (2014-2019) and as an academic visitor in the next-generation middleware platforms department at IBM T. J. Watson Research Center (Fall 2013). His co-authored papers won distinguished paper awards at ASE 2019 and ESEC/FSE 2018, were named best student paper finalist at SC 2016, and won the best paper award at ASPLOS 2011.

Event Title
PhD Seminar, Dongyoon Lee: "On the Impact and Defeat of Regular Expression Denial of Service"