LangSec Revisited: Input Security Flaws of the Second Kind

Poll, Erik

doi:10.1109/spw.2018.00051

Cited by 8 publications

(5 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This might not be the case for an internal market that is seen as an add-on with limited importance to the divisions that share the data-especially in cases where there is no monetary reward for the division sharing the data. Thus, the providers of an internal data market might need to develop their own interfaces to the (proprietary) data interfaces, potentially introducing the whole set of security issues surrounding data parsing [29]. On the other hand, depending on the data market use case, the data interfaces might be far simpler than the general-purpose interfaces required in global models, thus making it possible to apply such security measures as Language Security [30].…”

Section: Interfacesmentioning

confidence: 99%

Secure Internal Data Markets

2021

View full text Add to dashboard Cite

The data market concept has gained a lot of momentum in recent years, fuelled by initiatives to set up such markets, e.g., on the European level. Still, the typical data market concept aims at providing a centralised platform with all of its positive and negative side effects. Internal data markets, also called local or on-premise data markets, on the other hand, are set up to allow data trade inside an institution (e.g., between divisions of a large company) or between members of a small, well-defined consortium, thus allowing the remuneration of providing data inside these structures. Still, while research on securing global data markets has garnered some attention throughout recent years, the internal data markets have been treated as being more or less similar in this respect. In this paper, we outline the major differences between global and internal data markets with respect to security and why further research is required. Furthermore, we provide a fundamental model for a secure internal data market that can be used as a starting point for the generation of concrete internal data market models. Finally, we provide an overview on the research questions we deem most pressing in order to make the internal data market concept work securely, thus allowing for more widespread adoption.

show abstract

Section: Interfacesmentioning

confidence: 99%

Secure Internal Data Markets

2021

View full text Add to dashboard Cite

show abstract

“…These example components illustrate several benefits of our proposed approach. For example, parsers are a significant source of security vulnerabilities in programs [53,61]; and database interfaces are known sources of development and maintenance cost. Our regenerated programs can be safe-by-construction-automatically augmented with security checks-while significantly simplifying the development process.…”

Section: Structure Of the Papermentioning

confidence: 99%

“…Often this logic is scattered throughout a program, yielding what is commonly termed a "shotgun" parser, a known source of security vulnerabilities [53]. Other times, the input validation performed is insufficient to remove vulnerabilities [61].…”

Section: Inferring Binary Data Parsersmentioning

confidence: 99%

Active learning for software engineering

Cambronero

Dang

Vasilakis

et al. 2019

Proceedings of the 2019 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Sof

View full text Add to dashboard Cite

Software applications have grown increasingly complex to deliver the features desired by users. Software modularity has been used as a way to mitigate the costs of developing such complex software. Active learning-based program inference provides an elegant framework that exploits this modularity to tackle development correctness, performance and cost in large applications. Inferred programs can be used for many purposes, including generation of secure code, code re-use through automatic encapsulation, adaptation to new platforms or languages, and optimization. We show through detailed examples how our approach can infer three modules in a representative application. Finally, we outline the broader paradigm and open research questions. CCS Concepts • Software and its engineering → Software development techniques.

show abstract

“…Решения данной задачи позволяет обнаруживать отклонения исследуемого протокола от эталона, выявлять отличия, возникшие в ходе реализации различных программных средств, сравнивать версионные изменения, оценивать совместимость программ, обнаруживать проблемные места. Восстановление спецификаций недокументированных протоколов и протокольных автоматов путем анализа исходных текстов программ задача весьма трудоемкая, требующая значительного времени [1][2][3], кроме того, исходные тексты не всегда доступны. Это подталкивает исследователей выбирать другие способы получения информации, позволяющей восстанавливать спецификации протоколов и протокольные автоматы, и создавать автоматизированные средства для решения проблемы.…”

Section: Introductionunclassified

“…Аналогичный обзор, представленный в источнике[5] в начале 2021 года, позволяет расширить список результатами, полученными после 2017 года, среди которых, в контексте задачи восстановления протокольных автоматов, можно выделить 2 работы[6,7]. Наиболее свежие результаты были представлены в августе 2021 года в статье[2], при этом применяется метод восстановления форматов сообщений, описанный в работе[8] тех т.пр. -текстовые протоколы, б.пр.…”

unclassified

Protocol automata recovery method using binary code

Sharkov¹

2022

Proceedings of ISP RAS

View full text Add to dashboard Cite

Security analysis of network programs includes set of reverse engineering tasks of network protocols. Data formats restoring and implemented protocol automaton are the previous task issues. Unlike quite researched problem of formats restoring where there are lots of scientist’s papers, finding out the protocol's automaton program implementation looks like terra incognita and the cornerstone is a protocol state description currently undefined. There are two general ways to retrieve the implemented protocol automaton: an analysis of the network traces and looking into binary trace of the target application. This article offers a second one method. The first aim of the paper is the way to describe a mathematical model of a protocol automaton and a method for projecting it onto an executing application binary code. The second is concept of the protocol state definition and a principle to detect the states transitions based on some "global" binary trace objects, are described. Thirdly, there is suggested a protocol automaton precising manner by in-memory fuzzing based on a "floating" fork-server to manage states transitions. Finally, developed toolset's scheme and experiments on its using with a real VPN client, are shown.

show abstract

LangSec Revisited: Input Security Flaws of the Second Kind

Cited by 8 publications

References 16 publications

Secure Internal Data Markets

Secure Internal Data Markets

Active learning for software engineering

Protocol automata recovery method using binary code

Contact Info

Product

Resources

About