TRE Python binding — ReDoS robustness demo

2026-05-04 · Source: Simon Willison's Weblog · Field: Technology & Digital — Software Development & Engineering, Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, quick

Summary

A new project demonstrates the TRE regular expression library's robustness against Regular Expression Denial-of-Service (ReDoS) attacks, contrasting its performance with Python's built-in `re` module. This project provides a minimal Python `ctypes` binding for TRE, showcasing its linear scaling with input size, unlike the exponential scaling of `re`. Benchmarks reveal TRE efficiently processes "evil" regex patterns on inputs up to 10 million characters, significantly outperforming `re` on much smaller inputs. The library's resilience is attributed to its design, specifically its lack of support for backtracking, a common vulnerability in other regex engines.

Key takeaway

For Python developers building applications that process untrusted user input or complex regex patterns, you should consider integrating the TRE library. Its demonstrated immunity to ReDoS attacks and linear performance scaling offer a significant security and stability advantage over Python's default `re` module, preventing potential denial-of-service vulnerabilities in your systems.

Key insights

TRE regex library offers ReDoS immunity and linear scaling due to its non-backtracking design.

Principles

• Non-backtracking regex engines prevent ReDoS.
• Linear scaling is crucial for regex performance.

Method

The project uses Python's `ctypes` to create a minimal binding to the TRE library, then benchmarks its performance against malicious regex patterns.

In practice

• Integrate TRE for ReDoS-resistant regex.
• Use `ctypes` for Python bindings to C libraries.

Topics

• TRE Regex Library
• Python ctypes Binding
• ReDoS Attacks
• Regular Expressions
• Backtracking

Code references

• laurikari/tre

Best for: Machine Learning Engineer, NLP Engineer, CTO, Software Engineer, AI Engineer, AI Security Engineer

Related on AIssential

• A Good Part-of-Speech Tagger in about 200 Lines of Python — Practical NLP knowledge can be distilled into concise, confident, and accessible implementations.
• REDACT: A Systematically Controlled Multilingual Benchmark for Personal Information Detection — REDACT offers a controlled multilingual PII benchmark revealing LLMs outperform rule-based systems on high-sensitivity data.
• PUFFERDOS: Efficient and Effective Attack String Generation for Regular Expression Denial of Service Vulnerabilities — PufferDoS generates efficient, program-validated ReDoS attack strings using formal patterns and specialized concolic execution.
• When Search Goes Wrong: Red-Teaming Web-Augmented Large Language Models — CREST-Search effectively uncovers unique citation risks in web-search-augmented LLMs through specialized red-teaming strategies and a fine-tuned model.
• The Joy of Typing — Python type annotations and static checkers prevent runtime errors and improve code clarity in data-intensive workflows.
• Demystifying Bit Manipulation: The Ultimate Guide to Parity Checks in Python — This guide delves into bit manipulation, specifically focusing on the classic parity check problem, a critical skill for AI Engineers, low-level system optimization, custom CUDA kernels, and Data Stru…

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.