Eliminating Input-Based Attacks by Deriving Encoders and Decoders from CFGs





The interactive transcript could not be loaded.


Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on May 27, 2017

Eliminating Input-Based Attacks by Deriving Automated Encoders and Decoders from Context-free Grammars

Lars Hermerschmidt
Presented at the 2017 LangSec Workshop
at the IEEE Symposium on Security & Privacy Workshops
May 25, 2016
San Jose, CA

Software systems nowadays communicate via a number of complex languages. This is often the cause of security vulnerabilities like arbitrary code execution, or injections. Whereby injections such as cross-site scripting are widely known from textual languages such as HTML and JSON that constantly gain more popularity. These systems use parsers to read input and unparsers write output, where these security vulnerabilities arise. Therefore correct parsing and unparsing of messages is of the utmost importance when developing secure and reliable systems. Part of the challenge developers face is to correctly encode data during unparsing and decode it during parsing.

This paper presents McHammerCoder, an (un)parser and encoding generator supporting textual and binary languages. Those (un)parsers automatically apply the generated encoding, that is derived from the language's grammar. Therefore manually defining and applying encoding is not required to effectively prevent injections when using McHammerCoder. By specifying the communication language within a grammar, McHammerCoder provides developers with correct input and output handling code for their custom language.


to add this to Watch Later

Add to

Loading playlists...