Description
Exploits happen when attackers discover that your application is actually an interpreter for a weird programming language with operators like 'make admin' or 'consume all available memory'. Don't give them access to that kind of computational power! Stop them at the very boundary of your application's input handling: the parser. By generating parsers tailored to the specific input formats of your app, you can prevent it from becoming a weird interpreter and make it harder to exploit. A parser specific to your input format is not only more secure, it is also better specified and more definite. Once you have a grammar for your inputs, you can give your API consumers better error messages and better documentation derived from that grammar. With Ruby's metaprogramming superpowers, doing this doesn't have to be a painful process. I've been working on a library called Muskox that aims to make generating parsers almost as simple as using Rails 4's Strong Parameters. Writing code to secure your app's inputs should be easy, fun and fast. Help us caption & translate this video! http://amara.org/v/FG2h/
Summary
In the talk "Generate Parsers! Prevent Exploits!", presented by Nick Howard at MountainWest RubyConf 2014, the speaker explores the relationship between application exploits and formal language parsing, emphasizing the value of generating input-specific parsers to improve security. The main topic is the class of vulnerabilities that arise from improper input handling in web applications, and how structured parsing can mitigate those risks.

Key points discussed include:

- **Definition of Exploits**: Howard outlines what exploits are, likening them to discovering weaknesses in a medieval fortress that let an intruder reach sensitive data.
- **Nature of Exploits**: He explains that exploits take many forms, including buffer overflows and SQL injection, all of which take advantage of undefined behavior within an application.
- **LangSec Introduction**: Language-theoretic Security (LangSec) is introduced: the application of formal language theory to identify and eliminate vulnerabilities in software systems.
- **Input Validation Importance**: The speaker emphasizes rigorous validation of inputs as a preventative measure against exploits, stating that bad input should be rejected outright rather than handled on a best-effort basis.
- **Examples**: Howard gives the example of a past Rails vulnerability in which improper XML parsing unwittingly allowed YAML execution, highlighting the consequences of flawed input validation.
- **Chomsky Hierarchy**: He briefly discusses the Chomsky hierarchy, explaining that languages lower in the hierarchy are safer to accept than complex, recursively enumerable languages, which complicate input security.
- **Best Practices**: Howard advises against accepting Turing-complete inputs and recommends adopting strict schemas for parsing while leveraging robust language parsers to enforce them.
- **Muskox Library**: He introduces Muskox, a Ruby library aimed at simplifying parser generation, securing application input handling and providing immediate feedback on parsing errors.
- **Future Integration**: The intention to integrate Muskox into Rails applications for safer form data processing is noted.

Concluding Remarks: Howard's presentation emphasizes that effective input handling and structured parsing are essential to preventing exploits in web applications. By applying principles of formal language theory, developers can significantly improve the security of their applications while gaining clearer documentation and error handling. For those interested in going deeper, Howard recommends the resources on langsec.org and the Muskox library on GitHub.
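As an added illustration of the approach the summary describes (declare the input format once, derive a recogniser from it, and reject everything outside that language at the boundary), here is a small Ruby example. It is not Muskox's code or API; the `InputSchema` DSL, the `SIGNUP` format and the size and depth limits are all constructed for this example.

```ruby
require 'json'

class InputRejected < StandardError; end
# Declares the shape of one input format; the resulting object recognises
# exactly that shape and rejects everything else at the boundary.
class InputSchema
  MAX_DEPTH = 8     # cap nesting so input cannot exhaust the stack
  MAX_BYTES = 4096  # cap size so input cannot consume all available memory
  TYPES = { string: [String], integer: [Integer], boolean: [TrueClass, FalseClass] }
  def initialize(&block)
    @fields = {}
    instance_eval(&block)
  end
  # DSL: `string :email`, `integer :age`, `boolean :opt_in`, `object :x do ... end`
  TYPES.each_key { |t| define_method(t) { |name| @fields[name.to_s] = t } }
  def object(name, &block)
    @fields[name.to_s] = InputSchema.new(&block)
  end
  # Parse raw JSON and check it: syntax, size, depth, unknown key, missing key
  # and wrong type are all outright rejections, never best-effort acceptance.
  def parse(raw)
    raise InputRejected, "input too large" if raw.bytesize > MAX_BYTES
    check(JSON.parse(raw, max_nesting: MAX_DEPTH), [])
  rescue JSON::ParserError => e  # JSON::NestingError is a ParserError
    raise InputRejected, "malformed JSON: #{e.message}"
  end
  def check(data, path)
    raise InputRejected, "#{path}: expected object" unless data.is_a?(Hash)
    extra = data.keys - @fields.keys
    raise InputRejected, "#{path}: unexpected keys #{extra}" unless extra.empty?
    @fields.each do |key, type|
      raise InputRejected, "#{path}: missing #{key}" unless data.key?(key)
      if type.is_a?(InputSchema)
        type.check(data[key], path + [key])
      elsif TYPES[type].none? { |klass| data[key].is_a?(klass) }
        raise InputRejected, "#{path + [key]}: expected #{type}"
      end
    end
    data
  end
end
# Constructed sign-up format: "admin" is not a word of this language, so it is
# rejected at the boundary before any model assignment could act on it.
SIGNUP = InputSchema.new { string :email; integer :age; object(:profile) { string :display_name } }

def signup_accepts?(raw)
  SIGNUP.parse(raw) && true
rescue InputRejected
  false
end
```

Because the schema is data, the same declaration can also drive documentation and error messages for API consumers, which is the second benefit the talk describes.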