Language-theoretic security, or LangSec, is an emerging field of computer security that treats input formats, protocols and code patterns as formal languages, and the code that accepts them as recognizers for those languages' grammars, with the goal of preventing attackers from introducing malicious code into software through the data it accepts.

Developed by Dr Sergey Bratus, Meredith L. Patterson, and the late Len Sassaman, LangSec theory seeks to address these and other problems:

1.  Every piece of software has a way to recognize valid requests and reject invalid or malicious ones.  The problem is that the way the software does this often has no coherent internal logic: the checks are spread throughout the program and interspersed with processing logic (a “shotgun parser”).  This leaves the processing logic open to exploitation and leads programmers to false assumptions about the safety of the data they are handling.

2.  When a piece of software accepts imprecisely specified requests, it requires more computing power to handle them.  That surplus computing power is a gift to attackers looking to inject bad code.  Precise language parsing reduces the computing power needed, and power that is not there cannot be hijacked.

3.  Hard-to-parse protocols require complex parsers.  Complex, buggy parsers become “weird machines” on which exploits run.

4.  Software protocols and file formats that an attacker can mimic are the worst offenders, because it is impossible for the software to draw a distinction between valid and malicious input: once an input language is Turing-complete, the question of whether a given input is valid is undecidable.  Such Turing-complete input languages destroy security for generations of users.
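As an added example (not code from the Upstanding Hackers page), the first and third points above side by side in Python: a shotgun parser that interleaves ad hoc checks with processing, next to a single recognizer for a constructed key=value message language that accepts or rejects the whole input before any processing runs.  The message grammar, the field names and the `apply` step are assumptions made for illustration.

```python
"""Added example, not code from the Upstanding Hackers page: a shotgun
parser beside a LangSec-style recognizer.  The message language below,
its field names and the `apply` step are assumptions for illustration.

Constructed message language (regular, so a finite automaton suffices):
    message := pair (';' pair)* '\n'
    pair    := key '=' value
    key     := [a-z][a-z0-9_]{0,15}
    value   := [0-9]{1,6}
"""
import re

# One anchored regular expression is a complete recognizer for the grammar:
# the whole input is either in the language or it is not.
_PAIR = r"[a-z][a-z0-9_]{0,15}=[0-9]{1,6}"
_MESSAGE = re.compile(_PAIR + "(?:;" + _PAIR + ")*\n")


def recognize(raw: str) -> dict:
    """Recognition step: accept the whole message or reject it.

    Nothing here has side effects on application state; the caller only
    ever sees a fully validated, typed result or a ValueError.
    """
    if _MESSAGE.fullmatch(raw) is None:
        raise ValueError("input is not in the message language")
    settings = {}
    for pair in raw[:-1].split(";"):      # drop the terminating newline
        key, value = pair.split("=", 1)
        if key in settings:               # semantic check, still before processing
            raise ValueError("duplicate key %r" % key)
        settings[key] = int(value)
    return settings


def apply(settings: dict, state: dict) -> dict:
    """Processing step: runs only on data the recognizer has accepted."""
    state.update(settings)
    return state


def handle_langsec(raw: str, state: dict) -> dict:
    """Recognize first, process second; an invalid message touches nothing."""
    return apply(recognize(raw), state)


def handle_shotgun(raw: str, state: dict) -> dict:
    """Shotgun parser: ad hoc checks interleaved with processing.

    Each pair is applied to `state` before the next one is examined, so a
    message that turns out to be invalid near its end has already changed
    state.  The checks are also looser than the grammar: key syntax, value
    length and the terminating newline are never checked, so this code
    accepts inputs the language excludes while appearing to validate.
    """
    for pair in raw.rstrip("\n").split(";"):
        if "=" not in pair:
            raise ValueError("bad pair")
        key, value = pair.split("=", 1)
        if not value.isdigit():
            raise ValueError("bad value")
        state[key] = int(value)           # side effect before the rest is checked
    return state


if __name__ == "__main__":
    state = {}
    try:
        handle_shotgun("mode=1;limit=abc\n", state)
    except ValueError as exc:
        print("shotgun rejected:", exc, "but state is now", state)
    state = {}
    try:
        handle_langsec("mode=1;limit=abc\n", state)
    except ValueError as exc:
        print("recognizer rejected:", exc, "and state is still", state)
```

Run it and the shotgun handler reports a rejection while `state` already holds `{'mode': 1}`; the recognizer rejects the same message with `state` still empty.  The same split shows up on the acceptance side: `handle_shotgun` takes `MODE=1` without a newline or `limit=1234567`, neither of which is in the language, because its checks were never derived from the grammar.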

The end is where we start from. And every phrase
And sentence that is right (where every word is at home,
Taking its place to support the others,
The word neither diffident nor ostentatious,
An easy commerce of the old and the new,
The common word exact without vulgarity,
The formal word precise but not pedantic,
The complete consort dancing together)
Every phrase and every sentence is an end and a beginning, 
— T.S. Eliot, “Little Gidding”

© Copyright 2014 Upstanding Hackers, Inc.