Shotgun Parsers in the Crosshairs presented at BruCON 2012

by Sergey Bratus, Meredith L. Patterson

Summary: Any code that transforms data has to make some assumptions about what it receives; it's up to some other code to recognize whether the data is as it expects. The sole purpose of this recognizer is to protect subsequent innocent code from being lured into memory corruption or from otherwise aiding and abetting pwnage.
Sadly, a lot of actual input handling code is a mixture of data processing and recognition, scattered throughout a codebase. Its "sanity checking" is neither strong enough to verify all the implicit assumptions, nor written with these assumptions in mind. We call such input handling code "shotgun parsers" and argue that it's the number 1 reason for the ubiquitous insecurity of programs facing the internet.
In this talk, we will discuss examples of shotgun parsers across the layers of a TCP/IP stack (and well-attested exploits for them, drawn from the pages of Phrack) and show how to rein them in with a principled approach to building recognizers. From digital radio physical layer frames to SQL injection, shotgun parsers sow distraction and must be eliminated if we are to trust how programs process input.
Our previous talks (see concentrated on theory; in this talk, we take the practical software-engineering view. We'll demonstrate how to apply our axiom of "full recognition before processing" in practice, using the Hammer parsing library ( to implement protocol message formats and the Ragel state machine compiler ( to implement protocol internals.
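The "full recognition before processing" split, as an added example in plain C (not code from the talk or from the Hammer library), over a constructed length-prefixed key/value format: the recognizer accepts or rejects the whole buffer, checking every length field against the real buffer size, before the processing code touches any of it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed wire format (an assumption of this example, not a real protocol):
 *   type(1) | count(1) | count x [ klen(1) | key(klen) | value(2, big-endian) ] */
#define MAX_ENTRIES 8
#define MAX_KEY 16
typedef struct { uint8_t klen; char key[MAX_KEY]; uint16_t value; } entry_t;
typedef struct { uint8_t type; uint8_t count; entry_t e[MAX_ENTRIES]; } msg_t;

/* Recognizer: accepts buf only if it is exactly one well-formed message. Every
 * length is checked against len before use; *out is written only on acceptance. */
int recognize_msg(const uint8_t *buf, size_t len, msg_t *out)
{
    msg_t tmp = {0};
    size_t pos = 0;
    if (len < 2) return 0;
    tmp.type = buf[pos++];
    tmp.count = buf[pos++];
    if (tmp.count > MAX_ENTRIES) return 0;
    for (unsigned i = 0; i < tmp.count; i++) {
        if (pos >= len) return 0;                    /* klen byte present? */
        uint8_t klen = buf[pos++];
        if (klen == 0 || klen > MAX_KEY - 1) return 0;
        if (len - pos < (size_t)klen + 2) return 0;  /* key + value must fit */
        memcpy(tmp.e[i].key, buf + pos, klen);
        tmp.e[i].key[klen] = '\0';
        tmp.e[i].klen = klen;
        pos += klen;
        tmp.e[i].value = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
    }
    if (pos != len) return 0;                        /* trailing bytes: reject */
    *out = tmp;
    return 1;
}

/* Processing code: sees only recognized messages, so it trusts count and klen
 * without re-checking them (no sanity checks scattered through it). */
uint32_t sum_values(const msg_t *m)
{
    uint32_t s = 0;
    for (unsigned i = 0; i < m->count; i++) s += m->e[i].value;
    return s;
}

/* Recognize first, then process; -1 means the input was rejected unprocessed. */
long handle_message(const uint8_t *buf, size_t len)
{
    msg_t m;
    return recognize_msg(buf, len, &m) ? (long)sum_values(&m) : -1;
}
```

A shotgun parser would copy the key on the strength of the klen byte alone; here a klen that does not fit the remaining buffer rejects the whole message before any copy happens.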

Sergey Bratus: Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.