Trials and Tribulations in Applying Lang Sec

Presented at ToorCamp 2014, July 11, 2014, 3 p.m. (50 minutes).

The goal of Language-Theoretic Security, or Lang Sec, is to identify and stop security flaws that exist because of accepting invalid input and/or valid input that causes unexpected behavior in the host application. The former is nothing new and something we've seen for decades. The latter however is something more interesting and more difficult to detect completely. These occurrences have been dubbed weird machines by the language security community.

One common attack we've identified that directly represents both of these cases is SQL injection. This attack can take advantage of host applications accepting invalid user data, and of applications accepting valid input that can be used to control the execution of the application in unexpected ways, such as modifying a query to return a malicious result set or using boolean logic to extract data or information about the database. Through the use of syntactic and semantic analysis it is possible to ensure that all input adheres to a ruleset that the developer can define, fixing these problems.
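As an added illustration, not code from the talk or from Prevoty, here is a small Go check in the spirit of the syntactic analysis described above: the parameterised query template and the query with the user's value spliced in are both reduced to their token shapes, and the value is accepted only if it is recognisable at all and leaves the statement's structure unchanged. The tokenizer, the `Shapes` and `Classify` names, and the sample values are assumptions of this example, not the presenters' implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// One SQL token per match: quoted string ('' escapes a quote), number, word, or
// any other single non-space character; a lone quote is thus an unclosed literal.
var tokRe = regexp.MustCompile(`'(?:[^']|'')*'|[0-9]+|[A-Za-z_][A-Za-z0-9_]*|\S`)
// Shapes reduces SQL text to its token kinds (STR, NUM, W:word, OP:x). Literal
// contents are dropped, so a value smuggling in OR, UNION, a comparison or a
// comment shows up as extra tokens where the template had exactly one literal.
func Shapes(sql string) string {
	var out []string
	for _, t := range tokRe.FindAllString(sql, -1) {
		switch c := t[0]; {
		case t == "'":
			out = append(out, "BADQUOTE")
		case c == '\'':
			out = append(out, "STR")
		case c >= '0' && c <= '9':
			out = append(out, "NUM")
		case c == '_' || (c|0x20 >= 'a' && c|0x20 <= 'z'):
			out = append(out, "W:"+strings.ToUpper(t))
		default:
			out = append(out, "OP:"+t)
		}
	}
	return strings.Join(out, " ")
}

// Classify splices value into the "?" slot of template: "malformed" if the value
// cannot be recognised at all, "changed" if it alters the token structure, else "ok".
func Classify(template, value string) string {
	want := Shapes(strings.Replace(template, "?", "0", 1))
	got := Shapes(strings.Replace(template, "?", value, 1))
	switch {
	case strings.Contains(got, "BADQUOTE"):
		return "malformed"
	case got != want:
		return "changed"
	}
	return "ok"
}
func main() { // constructed samples: benign, two injection shapes, one malformed
	for _, v := range []string{"42", "1 OR 1=1", "0 UNION SELECT pw FROM users", "'a"} {
		fmt.Printf("%-30q -> %s\n", v, Classify("SELECT name FROM users WHERE id = ?", v))
	}
}
```

The same check works for a quoted slot such as `nick = '?'`: a correctly escaped `O''Reilly` stays a single literal, an unescaped quote is reported as malformed, and a tautology such as `x' OR '1'='1` changes the shape.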

The last segment will explore directly the implementation of our solution to the attack mentioned above and share some of the successes and failures we've had along the way. We'll look at common tooling that exists and our experiences with it, explaining what we've found that works and what doesn't.

Presenters:

  • Joe Rozner
    An experienced software engineer and security researcher, Joe has focused his career on rapid prototyping and on exploring what the HTML5 additions have in store for browser-based security. He's developed custom system-call-level sandboxes, rich web applications, and applications at all levels between. A strong interest in computer languages and their implementation has led to a solid foundation, and further cultivation, in the area of language implementation and language security.
  • Stephen Weinberg
    As a software engineer at Prevoty, Stephen has been one of the driving forces in testing and creating parser technology for understanding and preventing SQL injections. Stephen developed the Go bindings for Hammer, a parsing library with a combinator interface, before implementing a native Go solution with a similar interface. Stephen has also evaluated and worked with many common parser generators including YACC and ANTLR.
