In this lightning talk, "Muskox", presented at Rocky Mountain Ruby 2013, Nick Howard introduces Muskox, a parser generator he wrote to make parsing of untrusted input safer. He opens with the general usefulness of parser generators, citing Yacc and Bison, and then turns to the security record of frameworks such as Rails, which have shipped vulnerabilities triggered by input their parsers were never designed to handle. Two examples frame the problem:

- **YAML embedded in XML**: when an XML parameter parser hands embedded YAML to a full YAML loader, the loader can instantiate arbitrary Ruby objects, which turns a parsing step into code execution.
- **Billion laughs attack on XML**: a small document defines nested entities that each reference the previous one many times; resolving them expands the input exponentially and exhausts the parser's memory.

Both cases show that a framework must be deliberate about what its parsers accept rather than trying to make sense of anything that arrives.

Howard then presents Muskox as a schema-based answer. A JSON Schema describes the valid shape of the input, including type information and validation rules, and the generated parser only recognizes documents that fit it. Its key properties:

- **Schema-based validation**: input that does not conform to the schema raises an error before the application sees it, so malformed or unexpected structures are never processed.
- **Conservative acceptance policy**: because the set of acceptable inputs is defined explicitly and narrowly, the application cannot be steered into deserializing or evaluating something it never meant to.

Howard connects this to language-theoretic security (langsec), which inverts the usual robustness principle of "be liberal in what you accept": a parser should instead be conservative and precise about what it accepts, recognizing exactly the language the application needs and rejecting everything else. Keeping the accepted language small and well defined is what removes whole classes of parsing attacks, including the two above.

For code and further reading, Howard points the audience to the Muskox repository on his GitHub page and to langsec.org for the broader theory.

The talk closes by urging developers to treat input handling as a security boundary and to adopt schema validation as a practical way to enforce it.
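The following Ruby example is added here to illustrate the two ideas above, the danger of liberal deserialization and the langsec-style alternative of accepting only what a schema defines. It is not Muskox's code and does not use Muskox's API; the validator, the schema, the `SchemaViolation` class and the sample inputs are all constructed for this illustration. Only the Ruby standard library (`json`, `yaml`) is used.

```ruby
require 'json'
require 'yaml'

# Hypothetical minimal JSON-Schema-style validator (not Muskox's implementation).
# It understands a small subset of JSON Schema: "type", "properties",
# "required", "additionalProperties", "items" and "maxLength".
class SchemaViolation < StandardError; end

# Constructed schema: the only shape of document the application wants.
SCHEMA = {
  "type" => "object",
  "required" => ["name"],
  "additionalProperties" => false,
  "properties" => {
    "name" => { "type" => "string", "maxLength" => 64 },
    "age"  => { "type" => "integer" },
    "tags" => { "type" => "array", "items" => { "type" => "string" } }
  }
}.freeze

# Recursively check +value+ against +schema+; raise on the first mismatch.
def validate(value, schema, path = "$")
  case schema["type"]
  when "object"
    raise SchemaViolation, "#{path}: expected object" unless value.is_a?(Hash)
    props = schema.fetch("properties", {})
    Array(schema["required"]).each do |k|
      raise SchemaViolation, "#{path}.#{k}: required key missing" unless value.key?(k)
    end
    value.each do |k, v|
      if props.key?(k)
        validate(v, props[k], "#{path}.#{k}")
      elsif schema["additionalProperties"] == false
        raise SchemaViolation, "#{path}.#{k}: key not in schema"
      end
    end
  when "array"
    raise SchemaViolation, "#{path}: expected array" unless value.is_a?(Array)
    value.each_with_index { |v, i| validate(v, schema["items"], "#{path}[#{i}]") }
  when "string"
    raise SchemaViolation, "#{path}: expected string" unless value.is_a?(String)
    max = schema["maxLength"]
    raise SchemaViolation, "#{path}: longer than #{max}" if max && value.length > max
  when "integer"
    raise SchemaViolation, "#{path}: expected integer" unless value.is_a?(Integer)
  when "boolean"
    raise SchemaViolation, "#{path}: expected boolean" unless value == true || value == false
  else
    raise SchemaViolation, "#{path}: unsupported schema type #{schema['type'].inspect}"
  end
  value
end

# Conservative path: parse with a nesting bound (the JSON analogue of the
# resource blow-up behind billion laughs), then accept only schema-conforming input.
def accept(text)
  validate(JSON.parse(text, max_nesting: 8), SCHEMA)
end

# Returns nil when +text+ is accepted, otherwise the reason it was rejected.
def why_rejected(text)
  accept(text)
  nil
rescue SchemaViolation, JSON::ParserError => e # JSON::NestingError < ParserError
  e.message
end

# Liberal path for contrast: whatever parses is handed to the application,
# so an unexpected "admin" key or a wrong type sails through unnoticed.
def liberal_accept(text)
  JSON.parse(text)
end

# The YAML example from the talk: a restricted loader refuses object tags
# instead of instantiating arbitrary classes. True when the tag is rejected.
def yaml_tag_rejected?(text)
  YAML.safe_load(text)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  p accept('{"name":"muskox","age":3,"tags":["parser"]}')
  p why_rejected('{"name":"muskox","admin":true}')   # key not in schema
  p why_rejected('{"age":3}')                        # required key missing
  p why_rejected("[" * 20 + "]" * 20)                # nesting too deep
  p liberal_accept('{"name":"muskox","admin":true}') # accepted silently
  p yaml_tag_rejected?("--- !ruby/object:Object {}\n")
end
```

Note the order of defences: the nesting bound is applied by the parser before any structure is built, and the schema check runs before the application code ever touches the data, which is the point of recognizing the input language up front rather than validating piecemeal later.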