do you think www.aws.org runs on aws?
For those interested in the finest writing of all time https://www-allure-com.cdn.ampproject.org/v/s/www.allure.com/story/best-sex-tip-by-zodiac-sign/amp?amp_gsa=1&_js_v=a6&usqp=mq331AQKKAFQArABIIACAw%3D%3D#amp_tf=From%20%251%24s&aoh=16392879347932&referrer=https%3A%2F%2Fwww.google.com&share=https%3A%2F%2Fwww.allure.com%2Fstory%2Fbest-sex-tip-by-zodiac-sign
LANGSEC Let our friends from Occupy Babel explain it in a few simple slogans! Every piece of software that takes inputs contains a de facto recognizer for accepting valid or expected inputs and rejecting invalid or malicious ones. This recognizer code is often ad hoc, spread throughout the program, and interspersed with processing logic (a "shotgun parser"). This lends the processing logic to exploitation and programmers to false assumptions of data safety. Apply full recognition to inputs before processing them! Unneeded computing power in input handling code is a hand-out to attackers. Reduce computing power needed for your protocols, reduce parsing exposure to the necessary minimum! The power that is not there cannot be hijacked. Once created, the glut of computing power cannot be destroyed, because of backward compatibility; repackaging of insecurity goes on fo...
The Second Language-theoretic Security (LangSec) IEEE S&P Workshop at the IEEE Security & Privacy Symposium 2015: spw15.langsec.org. We are looking for submissions, help with getting the word out, and sponsors. The First Language-theoretic Security (LangSec) IEEE S&P Workshop at the IEEE Security & Privacy Symposium 2014 took place in San Jose, May 18, 2014. Workshop program and all presented papers are now posted. The Language-theoretic approach (LANGSEC) regards the Internet insecurity epidemic as a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks. LANGSEC posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language, and the respective input-handling routines as a recognizer for that language. The recognition must be feasible...
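
The "shotgun parser" and the "full recognition before processing" rule from the LANGSEC excerpts above, side by side. This is an added example, not code from the LANGSEC authors or from any post here; the type/length/value record format and every name in it are constructed for illustration.

```python
# Constructed grammar (regular): message = 1*record
# record = type (1 byte, 0x01 or 0x02), len (1 byte), value (len bytes)
ALLOWED_TYPES = {0x01: "user", 0x02: "action"}

class Rejected(ValueError):
    """Input is not a sentence of the message language."""

def shotgun_process(data: bytes, effects: list) -> None:
    """Anti-pattern: validity checks interleaved with processing."""
    i = 0
    while i < len(data):
        rtype, length = data[i], data[i + 1]
        if rtype not in ALLOWED_TYPES:
            raise Rejected("unknown type")      # too late: earlier records already acted on
        value = data[i + 2 : i + 2 + length]    # slice is silently short if input is truncated
        effects.append((rtype, value))          # side effect before the whole input is known valid
        i += 2 + length

def recognize(data: bytes) -> list:
    """Full recognition: accept the whole input or reject it, with no side effects."""
    if not data:
        raise Rejected("empty message")
    records, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise Rejected("truncated header")
        rtype, length = data[i], data[i + 1]
        if rtype not in ALLOWED_TYPES:
            raise Rejected("unknown type")
        if len(data) - i - 2 < length:
            raise Rejected("truncated value")
        records.append((ALLOWED_TYPES[rtype], data[i + 2 : i + 2 + length]))
        i += 2 + length
    return records

def process(data: bytes, effects: list) -> None:
    """Processing logic only ever sees fully recognized input."""
    for record in recognize(data):
        effects.append(record)

# Constructed samples: a valid message, one with a bad second record, one truncated.
GOOD = bytes([0x01, 3]) + b"bob" + bytes([0x02, 4]) + b"read"
BAD = bytes([0x01, 3]) + b"bob" + bytes([0x07, 4]) + b"oops"
TRUNCATED = bytes([0x01, 10]) + b"bob"
```

With `BAD`, the shotgun version has already acted on the first record when it rejects the second, and it accepts `TRUNCATED` outright; the recognizer rejects both before any processing happens.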