On May 24th, Adam will present “LangSec for Critical Infrastructure: SSP21, a secure lightweight SCADA protocol” at the 5th LangSec workshop in San Francisco, CA. Language-theoretic security (LANGSEC) attempts to understand vulnerabilities in software by analyzing the grammars and machines that must operate on raw input to create well-typed objects. It can be thought of as a disciplined approach to parsing.
A significant portion of the implementation bugs we see today in network protocols can be attributed to an undisciplined approach to writing protocol message parsers. Frequently, the protocol messages themselves are so complex that it’s hard to fault the implementer for missing a tiny corner case and creating a vulnerability. Parsing untrusted input requires a disciplined approach.