Language-theoretic security

Language-theoretic security, or LangSec, is the emerging field of digital security that treats code patterns and data formats as languages and their grammars for the purpose of preventing the introduction of malicious code into software.

Description

Developed by Dr Sergey Bratus, Meredith L. Patterson, and the late Len Sassaman, LangSec theory seeks to address these and other problems:

• Every piece of software has a way to recognize valid requests and reject invalid or malicious ones. The problem is that the way the software does this is often has no internal logic, spread throughout the program, and interspersed with processing logic (a “shotgun parser”). This lends the processing logic to exploitation and programmers to false assumptions of data safety.
• When a piece of software accepts imprecise requests, it require the allocation of more computing power. This unneeded computing power is a gift to attackers looking to inject bad code. Precise language parsing reduces the computing power needed. The power that is not there cannot be hijacked.
• Hard-to-parse protocols require complex parsers. Complex, buggy parsers become weird machines for exploits to run on.
• Software protocols and file formats that can be mimicked by an attacker are the worst offenders because it is impossible for them to draw a distinction between a valid and malicious code. Such Turing-complete input languages destroy security for generations of users.

See also

• Formal verification

External links

• LangSec
• Hacker-Proof Code Confirmed - "Computer scientists can prove certain programs to be error-free with the same certainty that mathematicians prove theorems. The advances are being used to secure everything from unmanned drones to the internet."