Presentation Material

Abstract

Language-theoretic security is the approach of recognizing and handling all input before processing it. Traditionally, almost every software development project mixes this recognition of input and processing of the input. If the recognition wasn’t done right, then poor input can be processed and lead to exploits. Language-theoretic security suggests, that the recognition is separated from the processing making it easier to audit the code, and fundamentally prevent parser bugs from recurring. In this talk, we present an overview of Language-theoretic security, describe the parser combinator library hammer and go over building such applications. We would then switch gears, and take a glimpse at generating test cases from parser combinator inputs which represent regular expressions and context-free grammars to exhaustively test the correctness of the implementations.

The AMQP protocol is widely used in modern industrial IoT systems. We would also demonstrate our technique on an implementation of the AMQP protocol, and demonstrate its efficacy against state-of-the-art fuzzers like AFL and libfuzzer.