For Want of a Nail (*): A LangSec look at parser bugs in the Pwnies presented at Hacker2HackerCon 2014

by Sergey Bratus, Meredith L. Patterson

Summary: Input parser bugs appear to be simple. For years, they've been among the best-understood bug kinds. Yet 2014 could be called The Year of Parser Bugs on account of Heartbleed alone, and there are more such bugs in the 2014 Pwnie Award nominations. In 2013, parser bugs were over half of all nominated server-side bugs. When simple bugs account for most impactful vulnerabilities, perhaps they are not so simple after all.
We take a look at the recent crop of famous bugs -- such as Heartbleed, Android Master Key, goto fail, Nginx chunked encoding, and others -- from the Language-theoretic security (LangSec) point of view. This talk continues our "Shotgun Parsers" examination of historic input-handling bugs from two years ago.

Sergey Bratus: Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.