[langsec-discuss] WYSINWYG - a (mostly) langsec vulnerability category

travis+ml-langsec at subspacefield.org
Tue Dec 2 19:36:37 UTC 2014


On Tue, Dec 02, 2014 at 11:05:00AM -0800, Will Sargent wrote:
> Would "parse tree differential attack" overlap with this category as well?
> 
> http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=6553401

Full Text Here?
http://langsec.org/papers/langsec-tr.pdf

Almost certainly there is a large overlap there.

BTW, what do you & langsec think of this?

Using parse tree validation to prevent SQL injection attacks (2005)
http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.120.9618

I'm not sure I'm comfortable with the solution since it involves
making assumptions about how the database engine parses SQL.  E.G. all
the weird divergences... for example, some SQL engines treat Unicode
half-quote as a quote.  My thinking is that any minor discrepancy in
the PEP and the SQL engine is a parse tree differential.

Also I'm curious if one could simultaneously break out of one atom and
into another, so that that parse tree has the same number of nodes
and/or the same structure.  My instincts tell me this is possible and
useful, though not clear how or when.

I would love some examples. That might even be a clever
counter-countermeasure paper.  If someone is so inclined, I'll happily
review your drafts :-)
-- 
http://www.subspacefield.org/~travis/
Split a packed field and I am there; parse a line of text and you will find me.
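The parse-tree validation idea and the PEP/engine discrepancy discussed above, as an added example that is not part of this post or of the 2005 paper: a constructed validator lexer compares the token-kind shape of a built query with the shape of the same template holding a harmless placeholder, and a hypothetical engine lexer that NFKC-folds look-alike quotes such as U+FF07 (an assumption, not the behaviour of any named DBMS) shows how the two can disagree on the same string.

```python
import re
import unicodedata
from typing import List, Tuple

# Lexer standing in for the validator (the PEP); constructed, knows only ASCII quotes.
TOKEN_RE = re.compile(r"""
    \s+                        # whitespace, dropped below
  | '(?:[^']|'')*'             # single-quoted string literal
  | \d+                        # number
  | [A-Za-z_][A-Za-z0-9_]*     # word: keyword or identifier
  | <>|<=|>=|!=|[=<>*,;()]     # operators and punctuation
  | .                          # any other single character
""", re.VERBOSE)

def shape(sql: str) -> List[str]:
    """Token-kind skeleton of a statement; literal values are abstracted away."""
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok.isspace():
            continue
        if tok.startswith("'") and len(tok) > 1:
            out.append("STR")
        elif tok.isdigit():
            out.append("NUM")
        elif re.fullmatch(r"[A-Za-z_]\w*", tok):
            out.append("WORD:" + tok.upper())
        else:
            out.append("OP:" + tok)
    return out

def validate(template: str, user_input: str) -> Tuple[str, bool]:
    """Parse-tree validation: accept the built query only if its shape equals
    the shape obtained with a harmless placeholder in the same slot."""
    expected = shape(template.format(x="placeholder"))
    query = template.format(x=user_input)
    return query, shape(query) == expected

def engine_shape(sql: str) -> List[str]:
    """Hypothetical engine lexer (an assumption, not any real DBMS) that folds
    look-alike quotes such as U+FF07 onto ASCII ' via NFKC before lexing."""
    return shape(unicodedata.normalize("NFKC", sql))

def differential(template: str, user_input: str) -> bool:
    """True when validator and engine disagree on structure: the PEP/engine
    discrepancy the post describes, which the validator alone cannot see."""
    query, _ = validate(template, user_input)
    return shape(query) != engine_shape(query)

TEMPLATE = "SELECT * FROM users WHERE name = '{x}'"  # constructed sample
```

An input with a plain ASCII quote changes the shape and is rejected; an input with U+FF07 passes `validate` unchanged yet yields `differential(...) == True`, because the folding engine lexes it into a different structure.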