Language-theoretic Security (opens in new tab)

(langsec.org)

26 pointsgszr10y ago6 comments

6 comments

6 comments · 2 top-level

lmeyerov10y ago· 3 in thread

This work sounds like, in 5 years, after they're finished understanding the last 30 years of parser research, they'll discover the subsequent explosion of type system and model checking research, and move on to that for whitelisting.

Extra oddity: language-based security is an entire field.

Edit: I'm happy that they're advocating the application of these techniques, and especially helping implementors pin-point where it's needed, I'm just confused at their selection of techniques.

noblethrasher10y ago

Langsec knows all about type theory:

See https://www.youtube.com/watch?v=3kEfedtQVOY&feature=youtu.be... (about 90 seconds)

n.b. that Merideth Patterson, the speaker in that video, is one of the original authors of langsec.

lmeyerov10y ago

I think that clip supports my statement.

munin10y ago

it's especially confusing since model checking and verification research has been lively for the past twenty years and recently produced some pretty good results (like bedrock and ironclad), but this is all willfully ignored by the langsec community...

vezzy-fnord10y ago· 1 in thread

A paper earlier this year at Usenix entitled "The Bugs We Have to Kill" takes a similar position: https://www.usenix.org/system/files/login/articles/login_aug...

In fact, djb quite famously identified parsing as one of the major sources of vulnerabilities, hence his devotion to formats like TAI64, netstrings, cdb and use of the file system namespace where sufficient.

(See #5: http://cr.yp.to/qmail/guarantee.html)

samuirai10y ago

The usenix paper you linked is from the langsec people

j / k navigate · click thread line to collapse