[langsec-discuss] 2nd LangSec IEEE S&P workshop announcement
sergey at cs.dartmouth.edu
Mon Dec 29 07:22:09 UTC 2014

Here is the updated announcement for the 2nd LangSec Workshop,
to be held in San Jose, Thu May 21, 2015; http://spw15.langsec.org/
Please feel free to spread it around!

The Second IEEE S&P workshop in Language-theoretic security (LangSec)
will take place on Thursday, May 21st 2015 in San Jose, CA, co-located
with the IEEE Security & Privacy Symposium.

LangSec is a mission assurance approach for software that applies
formal language analysis to the design and implementation of
input-handling code (parsers across all layers of executable code used
for operating system composition, messaging, protocol implementations,
and any code at communication boundaries of software components)
and---most importantly---of input data formats handled by such code.
LangSec asserts that inputs and the code that handles them must be
*co-designed* for easier verification and maintainability. In a
nutshell, LangSec models consumption of any input as computation; once
we see any input as a program driving the system, the only effective
defense against exploitation (unexpected computation) by crafted input
is to co-design the input language and its handling code based on
well-known models (regular expressions, pushdown automata, etc.) of
recognizing valid or expected inputs as a language, defined by an
appropriate unambiguous grammar, and discarding all other inputs. In
practice, the security game is already lost when the input data format
is complex, ambiguous, or when input validation is handled ad-hoc,
without regard to the grammar class of the input language and the
appropriate computation model for recognition of that language. We
also note that some input formats in fact pose undecidable recognition
problems, and thus their security cannot be assured by any amount of
testing or analysis; they are insecure by design and must be reduced
or replaced for any infrastructure that contains them to be

The LangSec IEEE S&P workshop brings together academics, hackers, and
industry programmers and architects; it seeks to cast long-standing
intuitions of offensive security into a methodology for effective
defense against currently ubiquitous exploitation by crafted inputs.

The workshop welcomes academic papers, security practitioner research
reports, and industry case studies.

LangSec2015 Call-for-Papers can be found at http://spw15.langsec.org/.
Last year's LangSec IEEE SPW program and all presented papers and
materials can be found at http://spw14.langsec.org/

Paper submissions due: 15 January 2015, 11:59 PM PST
Research Reports, Panels, and Proof-of-concept submissions due: 30 January 2015, 11:59 PM PST
Notification to authors: 15 February 2015