Description
Many systems work by receiving instructions and processing them: e.g., a browser receives and then displays an HTML page and executes Javascript scripts, a database receives a query and then applies it to its data, an embedded system controlled through a protocol receives and then processes a message. When such instructions depend on user input, one generally constructs them with concatenation or insertion. It can lead to injection-based attacks: when the user input modifies the query’s intended semantics and leads to a security breach. Protections do exist but are not sufficient as they never tackle the origin of the problem: the language itself. We propose a new formal approach based on formal languages to assess risk, enhance static analysis, and enable new tools. This approach is general and can be applied to query, programming, and domain-specific languages as well as network protocols. We are setting up an ANR project to go into this subject in more depth.
Infos pratiques
Prochains exposés
-
Should I trust or should I go? A deep dive into the (not so reliable) web PKI trust model
Orateur : Romain Laborde - University of Toulouse
The padlock shown in the URL bar of our favorite web browser indicates that we are connected using a secure HTTPS connection and providing some sense of security. Unfortunately, the reality is slightly more complex. The trust model of the underlying Web PKI is invalid, making TLS a colossus with feet of clay. In this talk, we will dive into the trust model of the web PKI ecosystem to understand[…]-
SoSysec
-
Protocols
-
Network
-