{"id":"https://openalex.org/W4399632242","doi":"https://doi.org/10.1145/3643916.3644424","title":"Understanding Regular Expression Denial of Service (ReDoS): Insights from LLM-Generated Regexes and Developer Forums","display_name":"Understanding Regular Expression Denial of Service (ReDoS): Insights from LLM-Generated Regexes and Developer Forums","publication_year":2024,"publication_date":"2024-04-15","ids":{"openalex":"https://openalex.org/W4399632242","doi":"https://doi.org/10.1145/3643916.3644424"},"language":"en","primary_location":{"id":"doi:10.1145/3643916.3644424","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3643916.3644424","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3643916.3644424","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3643916.3644424","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5083926745","display_name":"Mohammed Latif Siddiq","orcid":"https://orcid.org/0000-0002-7984-3611"},"institutions":[{"id":"https://openalex.org/I107639228","display_name":"University of Notre Dame","ror":"https://ror.org/00mkhxb43","country_code":"US","type":"education","lineage":["https://openalex.org/I107639228"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Mohammed Latif Siddiq","raw_affiliation_strings":["University of Notre Dame, Notre Dame, Indiana, USA"],"affiliations":[{"raw_affiliation_string":"University of Notre Dame, Notre Dame, Indiana, USA","institution_ids":["https://openalex.org/I107639228"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5013039901","display_name":"Jiahao Zhang","orcid":"https://orcid.org/0009-0008-8379-6871"},"institutions":[{"id":"https://openalex.org/I107639228","display_name":"University of Notre Dame","ror":"https://ror.org/00mkhxb43","country_code":"US","type":"education","lineage":["https://openalex.org/I107639228"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Jiahao Zhang","raw_affiliation_strings":["University of Notre Dame, Notre Dame, Indiana, USA"],"affiliations":[{"raw_affiliation_string":"University of Notre Dame, Notre Dame, Indiana, USA","institution_ids":["https://openalex.org/I107639228"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5043541139","display_name":"Joanna C. S. Santos","orcid":"https://orcid.org/0000-0001-8743-2516"},"institutions":[{"id":"https://openalex.org/I107639228","display_name":"University of Notre Dame","ror":"https://ror.org/00mkhxb43","country_code":"US","type":"education","lineage":["https://openalex.org/I107639228"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Joanna Cecilia Da Silva Santos","raw_affiliation_strings":["University of Notre Dame, Notre Dame, Indiana, USA"],"affiliations":[{"raw_affiliation_string":"University of Notre Dame, Notre Dame, Indiana, USA","institution_ids":["https://openalex.org/I107639228"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5083926745"],"corresponding_institution_ids":["https://openalex.org/I107639228"],"apc_list":null,"apc_paid":null,"fwci":5.1553,"has_fulltext":true,"cited_by_count":7,"citation_normalized_percentile":{"value":0.95460952,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"190","last_page":"201"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9979000091552734,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9878000020980835,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7659010887145996},{"id":"https://openalex.org/keywords/correctness","display_name":"Correctness","score":0.7230948805809021},{"id":"https://openalex.org/keywords/regular-expression","display_name":"Regular expression","score":0.6420053839683533},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5173860788345337},{"id":"https://openalex.org/keywords/denial-of-service-attack","display_name":"Denial-of-service attack","score":0.5081586837768555},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.479096919298172},{"id":"https://openalex.org/keywords/equivalence","display_name":"Equivalence (formal languages)","score":0.4618280231952667},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.45818865299224854},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.3734115958213806},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3488847017288208},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.2026018500328064}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7659010887145996},{"id":"https://openalex.org/C55439883","wikidata":"https://www.wikidata.org/wiki/Q360812","display_name":"Correctness","level":2,"score":0.7230948805809021},{"id":"https://openalex.org/C121329065","wikidata":"https://www.wikidata.org/wiki/Q185612","display_name":"Regular expression","level":2,"score":0.6420053839683533},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5173860788345337},{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.5081586837768555},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.479096919298172},{"id":"https://openalex.org/C2780069185","wikidata":"https://www.wikidata.org/wiki/Q7977945","display_name":"Equivalence (formal languages)","level":2,"score":0.4618280231952667},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.45818865299224854},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.3734115958213806},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3488847017288208},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.2026018500328064},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3643916.3644424","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3643916.3644424","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3643916.3644424","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3643916.3644424","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3643916.3644424","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3643916.3644424","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4399632242.pdf","grobid_xml":"https://content.openalex.org/works/W4399632242.grobid-xml"},"referenced_works_count":32,"referenced_works":["https://openalex.org/W2075079981","https://openalex.org/W2460699391","https://openalex.org/W2481472254","https://openalex.org/W2760683747","https://openalex.org/W2767914643","https://openalex.org/W2888047193","https://openalex.org/W2899462170","https://openalex.org/W2964284687","https://openalex.org/W2971034829","https://openalex.org/W2981852735","https://openalex.org/W2999135213","https://openalex.org/W3097665816","https://openalex.org/W3123705249","https://openalex.org/W3156471679","https://openalex.org/W3174432697","https://openalex.org/W4211263275","https://openalex.org/W4225108562","https://openalex.org/W4253103663","https://openalex.org/W4281669078","https://openalex.org/W4284670904","https://openalex.org/W4285734663","https://openalex.org/W4287634532","https://openalex.org/W4288057765","https://openalex.org/W4288089799","https://openalex.org/W4312438588","https://openalex.org/W4312558719","https://openalex.org/W4367672983","https://openalex.org/W4383555717","https://openalex.org/W4384890816","https://openalex.org/W4385080315","https://openalex.org/W4388483531","https://openalex.org/W4389162224"],"related_works":["https://openalex.org/W1667647204","https://openalex.org/W2404647514","https://openalex.org/W4247536566","https://openalex.org/W2018477250","https://openalex.org/W3119814709","https://openalex.org/W4241418540","https://openalex.org/W1508895727","https://openalex.org/W2054545183","https://openalex.org/W4224026286","https://openalex.org/W2366889814"],"abstract_inverted_index":{"Regular":[0],"expression":[1],"Denial":[2],"of":[3,15,47,56,89,99],"Service":[4],"(ReDoS)":[5],"represents":[6],"an":[7],"algorithmic":[8,121],"complexity":[9],"attack":[10,25],"that":[11,70,148,157,166,190],"exploits":[12],"the":[13,54,85,97,151],"processing":[14],"regular":[16],"expressions":[17],"(regexes)":[18],"to":[19,135,154,199,202],"produce":[20],"a":[21,28,133],"denial-of-service":[22],"attack.":[23],"This":[24],"occurs":[26],"when":[27],"regex's":[29],"evaluation":[30],"time":[31],"scales":[32],"polynomially":[33],"or":[34],"exponentially":[35],"with":[36,75,115,179],"input":[37],"length,":[38],"posing":[39],"significant":[40],"challenges":[41],"for":[42],"software":[43,111],"developers.":[44],"The":[45],"advent":[46],"Large":[48],"Language":[49],"Models":[50],"(LLMs)":[51],"has":[52],"revolutionized":[53],"generation":[55],"regexes":[57,90,156,168,181,196],"from":[58],"natural":[59],"language":[60],"prompts,":[61],"but":[62],"not":[63],"without":[64],"its":[65],"risks.":[66],"Prior":[67],"works":[68],"showed":[69],"LLMs":[71,93],"can":[72],"generate":[73,155],"code":[74],"vulnerabilities":[76],"and":[77,87,120,130,139,161,175],"security":[78,88],"smells.":[79],"In":[80,143],"this":[81,144],"paper,":[82],"we":[83,124,146],"examined":[84,106],"correctness":[86],"generated":[91],"by":[92],"as":[94,96],"well":[95],"characteristics":[98],"LLM-generated":[100,167],"vulnerable":[101,180,204],"regexes.":[102,205],"Our":[103],"study":[104],"also":[105,164,188],"ReDoS":[107,172],"patterns":[108],"in":[109,183],"actual":[110],"projects,":[112],"aligning":[113],"them":[114],"corresponding":[116],"regex":[117],"equivalence":[118],"classes":[119],"complexity.":[122],"Moreover,":[123],"analyzed":[125],"developer":[126],"discussions":[127,193],"on":[128,141],"GitHub":[129],"StackOverflow,":[131],"constructing":[132],"taxonomy":[134],"investigate":[136],"their":[137],"experiences":[138],"perspectives":[140],"ReDoS.":[142],"study,":[145],"found":[147,182,189],"GPT-3.5":[149],"was":[150],"best":[152],"LLM":[153],"are":[158],"both":[159],"correct":[160],"secure.":[162],"We":[163,187],"observed":[165],"mainly":[169],"have":[170],"polynomial":[171],"vulnerability":[173],"patterns,":[174],"it":[176],"is":[177,197],"consistent":[178],"open":[184],"source":[185],"projects.":[186],"developers'":[191],"main":[192],"around":[194],"insecure":[195],"related":[198],"mitigation":[200],"strategies":[201],"remove":[203]},"counts_by_year":[{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}