[langsec-discuss] 2nd LangSec IEEE S&P workshop announcement

Sergey Bratus sergey at cs.dartmouth.edu
Mon Dec 29 07:22:09 UTC 2014


Dear All,

    Here is the updated announcement for the 2nd LangSec Workshop,
to be held in San Jose, Thu May 21, 2015; http://spw15.langsec.org/

    Please feel free to spread it around!

    Thank you,

--Sergey

----------------------------------------------------------------------

The Second IEEE S&P workshop on Language-theoretic security (LangSec)
will take place on Thursday, May 21st 2015 in San Jose, CA, co-located
with the IEEE Security & Privacy Symposium.

LangSec is a mission assurance approach for software that applies
formal language analysis to the design and implementation of
input-handling code (parsers across all layers of executable code used
for operating system composition, messaging, protocol implementations,
and any code at communication boundaries of software components)
and---most importantly---of input data formats handled by such code.

LangSec asserts that inputs and the code that handles them must be
*co-designed* for easier verification and maintainability. In a
nutshell, LangSec models consumption of any input as computation; once
we see any input as a program driving the system, the only effective
defense against exploitation (unexpected computation) by crafted input
is to co-design the input language and its handling code based on
well-known models (regular expressions, pushdown automata, etc.) of
recognizing valid or expected inputs as a language, defined by an
appropriate unambiguous grammar, and discarding all other inputs. In
practice, the security game is already lost when the input data format
is complex, ambiguous, or when input validation is handled ad-hoc,
without regard to the grammar class of the input language and the
appropriate computation model for recognition of that language. We
also note that some input formats in fact pose undecidable recognition
problems, and thus their security cannot be assured by any amount of
testing or analysis; they are insecure by design and must be reduced
or replaced for any infrastructure that contains them to be
trustworthy.

The LangSec IEEE S&P workshop brings together academics, hackers, and 
industry programmers and architects; it seeks to cast long-standing 
intuitions of offensive security into a methodology for effective 
defense against currently ubiquitous exploitation by crafted inputs. 
The workshop welcomes academic papers, security practitioner research 
reports, and industry case studies.

LangSec2015 Call-for-Papers can be found at http://spw15.langsec.org/. 
Last year's LangSec IEEE SPW program and all presented papers and 
materials can be found at http://spw14.langsec.org/

Important dates: 
Paper submissions due: 15 January 2015, 11:59 PM PST 
Research Reports, Panels, and Proof-of-concept submissions due: 30 January 2015, 11:59 PM PST 
Notification to authors: 15 February 2015

