[langsec-discuss] CVEs from inappropriate use of regular expressions

Sergey Bratus sergey at cs.dartmouth.edu
Tue Nov 28 06:16:49 UTC 2017


Hello Frithjof,

I think this sounds more like a CWE than a CVE; CVE descriptions generally don't
go to the root cause of the vulnerability, and the specific explanation is 
usually one layer removed from the understanding of how the vuln could have
been avoided. The CWEs, on the other hand, cover the root causes.

We tried to formulate some in the Turrets paper, but a lot more work needs
to be done there before it sees adoption. Great to know you are interested!

Thanks,

--Sergey

On Tue, 28 Nov 2017, Frithjof Schulze wrote:

>
> Hi all,
>
> is anybody aware of some recent CVEs that are the direct result of the attempt to parse a non-regular grammar with regular expressions? I expected to find something like this on cve.mitre.org/find, but didn't. I expected at least a case where regexes were used to do "input sanitization" but found nothing good.
>
> Why am I looking for such a CVE? When talking about LangSec ideas with (mostly web) developers I regularly have the problem that I either have to explain a lot of theory (that few people are really interested in) or have to go "thou shalt not ..." to argue against "but this is easy and works in practice!".
>
> The best solution for me so far is similar to the approach suggested in the "Seven Turrets of Babel": Show people examples of the bugs they are up against if they use certain antipatterns. I am now compiling a list of educational and "realistic" bugs, in the sense that the more popular bugs like string terminators in X.509/ASN.1, Heartbleed and the Android Master Key are great examples for LangSec in general, but are not the kind of bugs many developers have to actually deal with.
>
> Most people I am talking to actually know that they "shouldn't" use regex to do certain things, because of the Lovecraftian post on Stack Overflow[1], but that post also just repeatedly mentions the impossibility of a suggested solution without giving any examples of negative consequences of trying.
>
> [1] https://stackoverflow.com/a/1732454
>
> Cheers,
> Frithjof
>
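Added example, not part of the thread above: the "negative consequence" Frithjof asks for, shown as a parser differential. A regular expression can only approximate a non-regular language such as balanced parentheses, either by being loose (accepting input the real grammar rejects) or by unrolling nesting to a fixed depth (rejecting valid input beyond that depth). Running a regex check and the real recognizer side by side over constructed samples makes both failure directions visible; the sample strings, the function names and the depth limit of 3 are all assumptions chosen for illustration.

```python
import re

# Added illustration (not from the langsec-discuss thread): two regex-based
# checks for "balanced parentheses" beside the recognizer for the actual grammar.

# 1. A pragmatic regex that "works in practice": anything wrapped in parentheses.
#    It is looser than the grammar, so it accepts strings the real parser rejects.
LOOSE = re.compile(r"^\(.*\)$")


def unrolled_balanced(max_depth: int) -> re.Pattern:
    """Build a regex that accepts balanced parentheses nested at most max_depth
    deep. Unrolling to a fixed depth is the most a regular expression can do
    for this context-free language; any deeper input is rejected."""
    body = r"[^()]*"
    for _ in range(max_depth):
        body = rf"[^()]*(?:\({body}\)[^()]*)*"
    return re.compile(rf"^{body}$")


# 2. Unrolled to depth 3 (assumed limit for the example).
UNROLLED3 = unrolled_balanced(3)


def grammar_balanced(s: str) -> bool:
    """Recognizer for the real language: balanced parentheses at any depth.
    This is what a downstream parser actually enforces."""
    depth = 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a closer with no matching opener
                return False
    return depth == 0


def differential(samples):
    """Return {sample: (loose, unrolled3, grammar)} for every sample on which
    at least one regex disagrees with the grammar. An empty dict would mean the
    regex checks were faithful stand-ins for the parser on these inputs."""
    out = {}
    for s in samples:
        verdicts = (
            LOOSE.match(s) is not None,
            UNROLLED3.match(s) is not None,
            grammar_balanced(s),
        )
        if verdicts[0] != verdicts[2] or verdicts[1] != verdicts[2]:
            out[s] = verdicts
    return out


# Constructed sample inputs (not taken from any real CVE).
SAMPLES = [
    "(a(b(c)))",   # depth 3: all three checks agree it is balanced
    "(a))(b)",     # LOOSE accepts it; the grammar rejects it (false accept)
    "((((x))))",   # depth 4: UNROLLED3 rejects valid input (false reject)
    ")(",          # everyone rejects
    "plain",       # balanced (no parentheses); LOOSE rejects it
]

if __name__ == "__main__":
    for sample, (loose, unrolled, grammar) in differential(SAMPLES).items():
        print(f"{sample!r}: loose={loose} unrolled3={unrolled} grammar={grammar}")
```

The first disagreement is the security-relevant one: a front-end check built from `LOOSE` passes `"(a))(b)"` to a consumer whose parser does not accept it, so whatever the check was supposed to guarantee about the input no longer holds. The second shows why a tighter regex does not fix this: unrolling to depth 3 merely moves the disagreement to depth 4, and the same holds for any fixed depth.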

