LangSec for Penetration Testing: How and Why

Presented at ShmooCon XIII (2017), Jan. 14, 2017, 10 a.m. (60 minutes)

When reviewing code or protocol specifications, have you ever had a feeling that something might be a problem but couldn't quite prove it? LangSec can help you do that. LangSec, or language-theoretic security, is the idea that basic theory of computation (that is, reasoning about grammatical complexity and automata) can act as a guiding design principle for the construction of secure parsers, and thereby increase the security of programs in general. Until this point, it has been a somewhat theoretical discipline; aside from the Hammer framework, few industry tools make specific use of it.

We discuss recent developments in LangSec and bring the community up to speed on our efforts to bridge the gap between theoretical and practical information security. We back-validated LangSec and found that it would have predicted a lot of bugs in commonly used software; we discuss these results. We'll contextualize several real examples in the LangSec framework and demonstrate a set of rules (and corresponding proposed CWE entries) designed to help programmers avoid writing insecure parsers. Then, we'll discuss how code reviewers can use this context to find bugs and what tooling can be constructed around LangSec principles in the future.
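The abstract's central point is that a parser should be a recognizer for the input language: it either accepts the whole input as a valid sentence of the grammar or rejects it, and only then does the program act on the data. The following is an added example written for this page, not code from the talk or from the Hammer framework. The message format it parses is invented for illustration (a version byte, a record count, then length-prefixed records), and the two parsers, `recognize` and `shotgun_parse`, are hypothetical names chosen here. It places a full-recognition parser beside the "shotgun" style that LangSec warns against, where fields are interpreted as they are read and inconsistencies are silently tolerated.

```python
"""
Added example (not from the ShmooCon talk or the Hammer project).

Constructed, hypothetical message format used only for illustration:

    version : 1 byte, must be 0x01
    count   : 1 byte, number of records that follow
    records : `count` times  type:1 byte, length:1 byte, value:`length` bytes
    no trailing bytes after the last record

The language is bounded (one byte of count, one byte of length), so a simple
loop is an exact recognizer for it.  The LangSec discipline demonstrated here:
recognize the entire input against the grammar first and reject on any
deviation; never let the program act on a partially checked message.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class ParseError(ValueError):
    """Raised by the recognizer on any input that is not in the language."""


@dataclass(frozen=True)
class Record:
    rtype: int
    value: bytes


def recognize(msg: bytes) -> Tuple[Record, ...]:
    """Full-recognition parser: returns the records only if `msg` is exactly
    one well-formed message.  Every length field is checked against the real
    input length, and leftover bytes are a hard error."""
    if len(msg) < 2:
        raise ParseError("short header")
    if msg[0] != 0x01:
        raise ParseError("bad version")
    count = msg[1]
    pos = 2
    records = []
    for _ in range(count):
        if pos + 2 > len(msg):
            raise ParseError("truncated record header")
        rtype, length = msg[pos], msg[pos + 1]
        pos += 2
        if pos + length > len(msg):
            raise ParseError("length field exceeds input")
        records.append(Record(rtype, msg[pos:pos + length]))
        pos += length
    if pos != len(msg):
        raise ParseError("trailing bytes")
    return tuple(records)


def shotgun_parse(msg: bytes) -> List[Record]:
    """Anti-pattern for comparison: interprets fields as it goes and tolerates
    inconsistencies.  A length field past the end of the input is silently
    clipped by the slice, a missing record is silently dropped, and trailing
    bytes are ignored.  Two such parsers for the same format will disagree on
    malformed input, which is the parser-differential problem LangSec describes."""
    records: List[Record] = []
    count = msg[1] if len(msg) > 1 else 0
    pos = 2
    for _ in range(count):
        if pos + 2 > len(msg):
            break                                   # stops quietly, no error
        rtype, length = msg[pos], msg[pos + 1]
        pos += 2
        records.append(Record(rtype, msg[pos:pos + length]))  # slice clips silently
        pos += length
    return records                                  # trailing bytes never examined


def rejection_reason(msg: bytes) -> Optional[str]:
    """Convenience wrapper: None if the recognizer accepts, else its reason."""
    try:
        recognize(msg)
        return None
    except ParseError as exc:
        return str(exc)


# Constructed sample inputs (not captured traffic).
GOOD = bytes([0x01, 0x02, 0x10, 0x03]) + b"abc" + bytes([0x20, 0x00])
OVERLONG = bytes([0x01, 0x01, 0x10, 0x08]) + b"ab"        # length 8, only 2 bytes present
TRAILING = GOOD + b"\xff"                                   # valid message plus a stray byte
TRUNCATED_COUNT = bytes([0x01, 0x03, 0x10, 0x01]) + b"x"    # count says 3, one record present

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("OVERLONG", OVERLONG),
                      ("TRAILING", TRAILING), ("TRUNCATED_COUNT", TRUNCATED_COUNT)]:
        print(f"{name:16} recognizer: {rejection_reason(msg) or 'accept'!s:28} "
              f"shotgun: {shotgun_parse(msg)}")
```

On the three malformed inputs the recognizer rejects with a specific reason, while the shotgun parser returns a plausible-looking record list from each one; code downstream of the shotgun parser therefore runs on data that was never a valid message, and a second implementation of the same format may well return something different for the same bytes.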


  • Sergey Bratus
    Sergey Bratus (@sergeybratus) is a research associate professor at Dartmouth College and has published many papers on LangSec since its beginning. His work is wide-ranging, from natural language processing to the suitability of software-generated evidence in legal proceedings.
  • Falcon Darkstar Momot
    Falcon Darkstar Momot (@FalconDarkstar) is a penetration tester at Leviathan Security Group and a grad student at Athabasca University. His prior work includes the Lotan crashdump security analysis tool and a method for generating stealth NOP slides using undefined behaviour and opcodes in x86. He also works with Shadytel on next-generation semi-electromechanical switch development and with Neg9 on getting the all-too-elusive flag.