For Want of a Nail (*): A LangSec look at parser bugs in the Pwnies

Presented at Hacker2HackerCon 2014 by

Input parser bugs appear to be simple. For years, they've been among the best-understood kinds of bugs. Yet 2014 could be called The Year of Parser Bugs on account of Heartbleed alone, and there are more such bugs in the 2014 Pwnie Award nominations. In 2013, parser bugs were over half of all nominated server-side bugs. When simple bugs account for most impactful vulnerabilities, perhaps they are not so simple after all. We take a look at the recent crop of famous bugs -- such as Heartbleed, Android Master Key, goto fail, Nginx chunked encoding, and others -- from the Language-theoretic security (LangSec) point of view. This talk continues our "Shotgun Parsers" examination of historic input-handling bugs from two years ago.

(*) http://en.wikipedia.org/wiki/For_Want_of_a_Nail