+1 to this.
Formal type theory and strongly typed systems are very good at reducing
"weird machines"; alas, the world is not formally typed. What we're hoping
to emphasize is that formal parsing should be the "bridge" between the messy
unknown and untrusted world (files, user input, network input, etc.) and
the formally typed code. Too often this parsing is strewn about (like
blending MVC into one pile of spaghetti) willy-nilly and creates a host of
issues.

Jacob

On Fri, Nov 14, 2014 at 10:48 AM, Will Sargent <will.sarg...@gmail.com>
wrote:

>
>  On Friday, November 14, 2014 at 7:39 AM,
> travis+ml-lang...@subspacefield.org wrote:
>
> Also, a few random thoughts on parsers, bugs, and security... I'm
> afraid this is based on 15+ year old information, but here goes:
>
> Perl had a taint system built in until PERL 4 at least. We need a
> system like type system for plangs but for source, category, and sink
> access control, so my web parameters don't get sent to system(3) by
> mistake. I think I wrote about this a while back, and if not, I can
> dig up the email where I did (to another list).
>
> I've thought about this for a bit -- blacklisting, whitelisting, and
> taints -- and I think the best way to enforce a taint is to say that all
> raw types are tainted.  if you have a String, an Int or an array of bytes,
> all you can say is that you received some input.  Until you recognize it as
> an actual domain object -- Email, Amount, or Image -- it's insecure by
> default because it hasn't been recognized.  Most of the time this will be a
> value object, which (if you're using a decent language) you can implement
> with a value class that only enforces types at compile time, meaning that
> you don't need to instantiate a wrapper object at run time for it.
>
> Needless to say, any methods you write should not take ints, Strings or
> byte arrays in as input, only the domain objects.  You can't create a
> domain object without recognizing it first.  And if you're doing any string
> comparison or regex matching, you do that in a method on the domain object.
>
> Will.
>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss@mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
>
>
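The "all raw types are tainted" discipline from Will's reply, as an added example that is not part of the thread: Rust newtypes with private fields, so the only way from a raw `&str` into domain code is through a `parse` constructor, and string inspection (here `domain()`) is a method on the domain object. `Email`, `Amount`, `invoice_line` and the accepted formats are illustrative choices, not from the list.

```rust
// Added example, not from the thread: "all raw types are tainted" expressed with
// Rust newtypes. A `String` from the outside world cannot reach domain code; only
// a value that survived `parse` can, and the wrapper costs nothing at run time.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ParseError { Email(&'static str), Amount(&'static str) }
/// Recognized e-mail address. The field is private, so `Email::parse` is the
/// only way to obtain one: this is the bridge from untrusted input to the domain.
#[derive(Debug, Clone, PartialEq)]
pub struct Email(String);
impl Email {
    /// Accepts `local@domain`: non-empty local part, dotted domain, no
    /// whitespace or control characters. Everything else stays a tainted `&str`.
    pub fn parse(raw: &str) -> Result<Email, ParseError> {
        if raw.chars().any(|c| c.is_whitespace() || c.is_control()) {
            return Err(ParseError::Email("whitespace or control character"));
        }
        let (local, domain) = raw.split_once('@').ok_or(ParseError::Email("missing '@'"))?;
        if local.is_empty() || domain.contains('@') {
            return Err(ParseError::Email("empty local part or extra '@'"));
        }
        if domain.split('.').count() < 2 || domain.split('.').any(str::is_empty) {
            return Err(ParseError::Email("domain needs non-empty dotted labels"));
        }
        Ok(Email(raw.to_string()))
    }
    /// String inspection lives on the domain object, not at call sites.
    pub fn domain(&self) -> &str { self.0.rsplit('@').next().unwrap_or("") }
}
/// Monetary amount in cents. Only non-negative `digits.dd` is recognized.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Amount(u64);
impl Amount {
    pub fn parse(raw: &str) -> Result<Amount, ParseError> {
        let bad = ParseError::Amount("expected digits.dd");
        let (whole, frac) = raw.split_once('.').ok_or(bad)?;
        let digits = |s: &str| !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit());
        if frac.len() != 2 || !digits(whole) || !digits(frac) { return Err(bad); }
        let w = whole.parse::<u64>().map_err(|_| ParseError::Amount("overflow"))?;
        let f = frac.parse::<u64>().unwrap(); // two ASCII digits, cannot fail
        w.checked_mul(100).and_then(|c| c.checked_add(f)).map(Amount)
            .ok_or(ParseError::Amount("overflow"))
    }
    pub fn cents(self) -> u64 { self.0 }
}
/// Domain function: takes only recognized objects, never raw strings.
pub fn invoice_line(to: &Email, amount: Amount) -> String {
    format!("invoice {} cents to {}", amount.cents(), to.0)
}
```

Because `invoice_line` has no `&str` overload, a web parameter cannot reach it without first being recognized; the compiler, not a code review, enforces the taint boundary.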