Eliminating Input-Based Attacks by Deriving Automated Encoders and Decoders from Context-Free Grammars
2017 IEEE Security and Privacy Workshops (SPW) (2017)
San Jose, California, USA
May 25, 2017 to May 25, 2017
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SPW.2017.32
Software systems nowadays communicate via a number of complex languages. This is often the cause of security vulnerabilities such as arbitrary code execution or injections. Injections such as cross-site scripting are widely known from textual languages such as HTML and JSON, which are constantly gaining popularity. These systems use parsers to read input and unparsers to write output, and this is where these security vulnerabilities arise. Correct parsing and unparsing of messages is therefore of the utmost importance when developing secure and reliable systems. Part of the challenge developers face is to correctly encode data during unparsing and decode it during parsing. This paper presents McHammerCoder, an (un)parser and encoding generator supporting textual and binary languages. The generated (un)parsers automatically apply the generated encoding, which is derived from the language's grammar. Manually defining and applying an encoding is therefore not required to effectively prevent injections when using McHammerCoder. Given a grammar that specifies the communication language, McHammerCoder provides developers with correct input and output handling code for their custom language.
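The following Python example is added here and is not McHammerCoder's code or the paper's algorithm: it derives a percent-style encoding from the keyword terminals of a constructed toy grammar and applies it inside the unparser and parser, so a data value containing `;` or `=` cannot change the message structure. The grammar, the `%` escape character and all function names are assumptions made for this example, and the parser and unparser are written by hand for this one grammar.

```python
import re

ESC = "%"  # escape character chosen for this example (assumption)

# Constructed toy grammar: quoted symbols are keyword terminals, TEXT carries data.
GRAMMAR = {
    "message": [["pair", "';'", "message"], ["pair"]],
    "pair": [["TEXT", "'='", "TEXT"]],
}

def keyword_chars(grammar):
    """Collect every character that has structural meaning in the grammar."""
    chars = {ESC}  # the escape character must itself be escaped
    for alternatives in grammar.values():
        for alternative in alternatives:
            for symbol in alternative:
                if symbol.startswith("'"):
                    chars.update(symbol.strip("'"))
    return chars

UNSAFE = keyword_chars(GRAMMAR)
# An encoded TEXT token consists of safe characters and %XX escapes only.
_unsafe_class = re.escape("".join(sorted(UNSAFE)))
FIELD = re.compile(f"(?:[^{_unsafe_class}]|{ESC}[0-9A-F]{{2}})*")

def encode(data):
    return "".join(f"{ESC}{ord(c):02X}" if c in UNSAFE else c for c in data)

def decode(token):
    if not FIELD.fullmatch(token):
        raise ValueError(f"malformed token: {token!r}")
    return re.sub(ESC + "([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), token)

def unparse(pairs):
    """Unparser: every TEXT value is encoded here, so callers cannot forget it."""
    return ";".join(f"{encode(k)}={encode(v)}" for k, v in pairs)

def naive_unparse(pairs):  # no encoding, kept only for comparison
    return ";".join(f"{k}={v}" for k, v in pairs)

def parse(message):
    # Split on keyword terminals first, then decode each TEXT token.
    pairs = []
    for pair in message.split(";"):
        fields = pair.split("=")
        if len(fields) != 2:
            raise ValueError(f"malformed pair: {pair!r}")
        pairs.append((decode(fields[0]), decode(fields[1])))
    return pairs
```

Feeding the constructed value `bob;role=admin` through `naive_unparse` and then `parse` yields two pairs, while `unparse` followed by `parse` returns the single original pair.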
context-free grammars, formal languages, grammars, security of data, SQL
T. Bieschke, L. Hermerschmidt, B. Rumpe and P. Stanchev, "Eliminating Input-Based Attacks by Deriving Automated Encoders and Decoders from Context-Free Grammars," 2017 IEEE Security and Privacy Workshops (SPW), San Jose, California, USA, 2018, pp. 93-101.