Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • LEET '12 Home
  • Registration Information
  • Organizers
  • Workshop Program
  • Hotel & Travel Information
  • Students
  • Questions?
  • For Participants
  • Call for Papers
  • Past Proceedings

sponsors

General Sponsor

twitter

Tweets by @usenix

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » Let's Parse to Prevent Pwnage
Tweet

connect with us

http://twitter.com/usenix

Let's Parse to Prevent Pwnage

Authors: 

Mike Samuel and Ulfar Erlingsson, Google

Abstract: 

Software that processes rich content suffers from endemic security vulnerabilities. Frequently, these bugs are due to data confusion: discrepancies in how content data is parsed, composed, and otherwise processed by different applications, library frameworks, and language runtimes. Data confusion often enables code injection attacks, such as cross-site scripting or SQL injection, by leading to incorrect assumptions about the encodings and checks applied to rich content of uncertain provenance. However, even for well-structured, value-only content, data confusion can critically impact security, e.g., as shown by XML signature vulnerabilities. 

This paper advocates the position that data confusion can be effectively prevented through the use of simple mechanisms—such as parsing—that resolve ambiguities by fully resolving content data to canonical, clearly-understood formats. 

Using code injection on the Web as our motivation, we make the case that automatic defense mechanisms should be integrated with programming languages, application frameworks, and runtime libraries, and applied with little, or no, developer intervention. We outline a scalable, sustainable approach for developing and maintaining those types of mechanisms.  The resulting tools can offer comprehensive protection against data confusion, even when multiple types of rich content data are processed and composed in complex ways

Mike Samuel, Google, Inc.

Ulfar Erlingsson, Google, Inc.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {181287,
author = {Mike Samuel and {\'U}lfar Erlingsson},
title = {Let{\textquoteright}s Parse to Prevent Pwnage},
booktitle = {5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 12)},
year = {2012},
address = {San Jose, CA},
url = {https://www.usenix.org/conference/leet12/workshop-program/presentation/samuel},
publisher = {USENIX Association},
month = apr,
}
Download
samuel.pdf

Presentation Video

Presentation Audio

MP3 Download OGG Download

Download Audio

  • Log in or    Register to post comments

General Sponsors

© USENIX

  • Privacy Policy
  • Contact Us