
Language-theoretic Security - gszr
http://langsec.org/
======
lmeyerov
This work sounds like, in 5 years, after they're finished understanding the
last 30 years of parser research, they'll discover the subsequent explosion of
type system and model checking research, and move on to that for whitelisting.

Extra oddity: language-based security is an entire field.

Edit: I'm happy that they're advocating the _application_ of these techniques,
and especially helping implementors pinpoint where it's needed; I'm just
confused at their _selection_ of techniques.

~~~
noblethrasher
Langsec knows all about type theory:

See
[https://www.youtube.com/watch?v=3kEfedtQVOY&feature=youtu.be...](https://www.youtube.com/watch?v=3kEfedtQVOY&feature=youtu.be&t=1135)
(about 90 seconds)

n.b. that Meredith Patterson, the speaker in that video, is one of the
original authors of langsec.

~~~
lmeyerov
I think that clip supports my statement.

------
vezzy-fnord
A paper earlier this year at Usenix entitled "The Bugs We Have to Kill" takes
a similar position:
[https://www.usenix.org/system/files/login/articles/login_aug...](https://www.usenix.org/system/files/login/articles/login_aug15_02_bratus.pdf)

In fact, djb quite famously identified parsing as one of the major sources of
vulnerabilities, hence his devotion to formats like TAI64, netstrings, cdb and
use of the file system namespace where sufficient.

(See #5:
[http://cr.yp.to/qmail/guarantee.html](http://cr.yp.to/qmail/guarantee.html))

~~~
samuirai
The Usenix paper you linked is from the langsec people.

