Published November 4, 2018 | Version 1.0.0
Software Open

Artifact (software + dataset) for "The Impact of Regular Expression Denial of Service (ReDoS) in Practice: an Empirical Study at the Ecosystem Scale"

Description

# Ecosystem-scale regexp study

Welcome to the FSE'18 artifact for the ESEC/FSE paper *"The Impact of Regular Expression Denial of Service (ReDoS) in Practice: an Empirical Study at the Ecosystem Scale"*, by J.C. Davis, C.A. Coghlan, F. Servant, and D. Lee, all of Virginia Tech.

This paper describes a study in which we:
- extracted regular expressions (regexes, regexps) from npm and pypi modules
- analyzed the regexes along several dimensions

Our artifact consists of:
- Code to analyze a regex for super-linear performance (Table 1), degree of vulnerability (Table 2), semantic meaning (Table 3), and use of anti-patterns (Table 4).
- Unique regexes collected from npm and pypi modules. We are releasing these regexes raw (without analysis or source module(s)) due to security concerns.
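
The super-linear behaviour that the Table 1 and Table 2 analyses look for is easiest to see with a matcher that counts its own work. The block below is an added example, not the artifact's detector code: it is a toy greedy backtracking matcher over a small regex AST that counts node visits as a proxy for engine effort, and runs it on constructed inputs for `^(a+)+$` (exponential), `^a*a*$` (quadratic) and `^a+$` (linear). The `attackInput` construction, the `classify` thresholds and the doubling-ratio heuristic are this example's own assumptions, not the paper's method.

```javascript
// Added example, not part of the FSE'18 artifact: a toy greedy backtracking
// matcher that counts node visits, so super-linear matching can be observed
// deterministically instead of by wall-clock timing.
// AST: {t:'lit',c} | {t:'cat',items} | {t:'star',r} | {t:'plus',r} | {t:'end'}
const lit = c => ({ t: 'lit', c });
const cat = (...items) => ({ t: 'cat', items });
const star = r => ({ t: 'star', r });
const plus = r => ({ t: 'plus', r });
const END = { t: 'end' };

// Try to match `node` at position i of s. k is the continuation, called with
// the position after a successful sub-match; it returns false to force
// backtracking. st.steps counts every node visit (our proxy for engine work).
function matchNode(node, s, i, k, st) {
  st.steps++;
  switch (node.t) {
    case 'lit':
      return i < s.length && s[i] === node.c && k(i + 1);
    case 'end':
      return i === s.length && k(i);
    case 'cat': {
      const go = (idx, pos) =>
        idx === node.items.length
          ? k(pos)
          : matchNode(node.items[idx], s, pos, p => go(idx + 1, p), st);
      return go(0, i);
    }
    case 'star': {
      // Greedy: attempt one more iteration first; only when every
      // continuation of that fails, hand the current position to k.
      // The p === pos guard stops an empty-width body from looping forever.
      const loop = pos =>
        matchNode(node.r, s, pos, p => (p === pos ? false : loop(p)), st) || k(pos);
      return loop(i);
    }
    case 'plus':
      return matchNode(cat(node.r, star(node.r)), s, i, k, st);
    default:
      throw new Error('unknown node type ' + node.t);
  }
}

// Anchored match (as if the pattern began with ^). Returns {matched, steps}.
function matchCount(pattern, s) {
  const st = { steps: 0 };
  const matched = matchNode(pattern, s, 0, () => true, st);
  return { matched, steps: st.steps };
}

// Constructed attack input (this example's assumption): n pumpable characters
// followed by one that makes the trailing $ fail, so the engine must exhaust
// every way of splitting the run of a's between the quantifiers.
const attackInput = n => 'a'.repeat(n) + '!';

const nested = cat(plus(plus(lit('a'))), END);           // ^(a+)+$  exponential
const quad = cat(star(lit('a')), star(lit('a')), END);   // ^a*a*$   quadratic
const flat = cat(plus(lit('a')), END);                   // ^a+$     linear

// Work growth when the attack string doubles: about 2 for linear patterns,
// about 4 for quadratic ones, and orders of magnitude for exponential ones.
function doublingRatio(pattern, n) {
  return matchCount(pattern, attackInput(2 * n)).steps /
         matchCount(pattern, attackInput(n)).steps;
}

// Coarse degree-of-vulnerability label. Thresholds are this example's own
// choice, tuned to the toy matcher at n = 6; they are not the paper's.
function classify(pattern) {
  const r = doublingRatio(pattern, 6);
  if (r < 2.4) return 'linear';
  if (r < 8) return 'polynomial';
  return 'exponential';
}

// Same attack string against V8's real backtracking engine, for comparison.
function nativeMs(re, n) {
  const t0 = process.hrtime.bigint();
  re.test(attackInput(n));
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

for (const [name, p] of [['^(a+)+$', nested], ['^a*a*$', quad], ['^a+$', flat]]) {
  console.log(`${name}: steps(n=12)=${matchCount(p, attackInput(12)).steps}, ` +
              `doubling ratio=${doublingRatio(p, 6).toFixed(1)}, class=${classify(p)}`);
}
console.log(`native /^(a+)+$/ on n=20: ${nativeMs(/^(a+)+$/, 20).toFixed(1)} ms`);
```

Run it with `node` and raise the `nativeMs` argument a few characters at a time: the toy matcher's step count and V8's wall-clock time for `^(a+)+$` both roughly double per added `a`, which is exactly the "super-linear" signal the artifact's detectors report, while `^a+$` stays flat. The toy matcher deliberately has no character classes, alternation or lazy quantifiers; it exists to make the backtracking blow-up countable, not to stand in for the detectors shipped with the artifact.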

In addition, we wrote code to statically extract regexes from npm and pypi modules.
We released this code as part of our `vuln-regex-detector` software, available [here](https://github.com/davisjam/vuln-regex-detector).
Regex extraction was uninteresting from a scientific perspective, so we do not elaborate on it in this artifact.

In addition to this directory's `README.md`, each sub-tree comes with one or more READMEs describing the software and tests.

## Installation

### By hand

To install, execute the script `./configure` on an Ubuntu 16.04 machine with root privileges.
This will obtain and install the various dependencies (OS packages, ReDoS detectors, npm modules, and pypi modules).
It will also initialize submodules.

The final line of this script is `echo "Configuration complete. I hope everything works!"`.
If you see this printed to the console, great!
Otherwise...alas.

### Container

To facilitate replication, we have published a [containerized version](https://hub.docker.com/r/jamiedavis/daviscoghlanservantlee-fse18-regexartifact/) of this project on hub.docker.com.
The container is based on an Ubuntu 16.04 image so it is fairly large.
 
For example, you might run the following (the first two commands run on the host; the lines prefixed with `>` are typed inside the container's shell):

```
docker pull jamiedavis/daviscoghlanservantlee-fse18-regexartifact
docker run -ti jamiedavis/daviscoghlanservantlee-fse18-regexartifact
> vim .env
# In .env, set ECOSYSTEM_REGEXP_PROJECT_ROOT=/davis-fse18-artifact/EcosystemREDOS-FSE18
> . .env
> ./full-analysis/analyze-regexp.pl ./full-analysis/test/vuln-email.json
```

Files

FSE18Artifact-DavisCoghlanServantLee.zip (15.5 MB), md5: d7c664890d305d5b26b215e2ff022fc3