Hello Frithjof,
I think this sounds more like a CWE than a CVE; CVE descriptions generally don't
go to the root cause of the vulnerability, and the specific explanation is
usually one layer removed from the understanding of how the vuln could have
been avoided. The CWEs, on the other hand, cover the root causes.
We tried to formulate some in the Turrets paper, but a lot more work needs
to be done there before it sees adoption. Great to know you are interested!
Thanks,
--Sergey
On Tue, 28 Nov 2017, Frithjof Schulze wrote:
Hi all,
Is anybody aware of some recent CVEs that are the direct result of the attempt
to parse a non-regular grammar with regular expressions? I expected to find
something like this on cve.mitre.org/find, but didn't. I expected at least a
case where regexes were used to do "input sanitization" but found nothing good.
Why am I looking for such a CVE? When talking about LangSec ideas with (mostly
web) developers I regularly have the problem that I either have to explain a
lot of theory (that few people are really interested in) or have to go "thou
shalt not …" to argue against "but this is easy and works in practice!".
The best solution for me so far is similar to the approach suggested in the
"Seven Turrets of Babel": show people examples of the bugs they are up against
if they use certain antipatterns. I am now compiling a list of educational and
"realistic" bugs, in the sense that the most popular bugs like string
terminators in X.509/ASN.1, Heartbleed and the Android Master Key are great examples
for LangSec in general, but are not the kind of bugs many developers have to
actually deal with.
Most people I am talking to actually know that they "shouldn't" use regexes to do
certain things, because of the Lovecraftian post on Stack Overflow [1], but that
post also just repeatedly mentions the impossibility of a suggested solution
without giving any examples of negative consequences of trying.
[1] https://stackoverflow.com/a/1732454
Cheers,
Frithjof
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
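A small, self-contained illustration of the point Frithjof is asking about, added here as an example and not taken from the thread or from the Turrets paper: a validator for a non-regular language (balanced parentheses) written the way a web developer might reach for it, with a regular expression, next to a recogniser for the actual grammar. The regex can be unrolled to any fixed nesting depth, but the language has no depth bound, so each unrolled regex rejects valid input one level deeper (a false negative), while the lazy "check the alphabet only" regex accepts unbalanced input (a false positive). The sample inputs and all function names are constructed for this example.

```python
"""Regex versus recogniser for a non-regular language (constructed example)."""
import re

# 1. "Good enough" regex that many sanitizers amount to: it checks which
#    characters occur, not how they are structured. It accepts "(()".
ALPHABET_ONLY = re.compile(r'^[()]*$')


def depth_regex(n: int):
    """Regex for balanced parentheses nested at most n levels deep (n >= 0).

    A regular expression can enumerate any *bounded* depth, but the grammar
    S -> '(' S ')' S | empty has no bound, so every such regex has a cliff.
    depth_regex(0) accepts only the empty string; depth_regex(1) is ^(?:\(\))*$.
    """
    inner = ''
    for _ in range(n):
        inner = rf'(?:\({inner}\))*'
    return re.compile(rf'^{inner}$')


# 2. The regex unrolled to depth 2, the kind of thing that "works in practice"
#    until an input nested three deep shows up.
DEPTH_2 = depth_regex(2)


def regex_alphabet_only(s: str) -> bool:
    return ALPHABET_ONLY.fullmatch(s) is not None


def regex_depth2(s: str) -> bool:
    return DEPTH_2.fullmatch(s) is not None


# 3. Recursive-descent recogniser for S -> '(' S ')' S | empty.
#    The call stack supplies exactly the counting ability a regular
#    language lacks; the function accepts the language and nothing else.
def parse_balanced(s: str) -> bool:
    def parse_s(i: int) -> int:
        # Production S -> '(' S ')' S, applied as a loop for the trailing S.
        while i < len(s) and s[i] == '(':
            i = parse_s(i + 1)
            if i >= len(s) or s[i] != ')':
                raise ValueError(f'expected ")" at offset {i}')
            i += 1
        # Production S -> empty.
        return i

    try:
        end = parse_s(0)
    except ValueError:
        return False
    # Trailing junk such as a stray ')' means the whole input is rejected,
    # which is the LangSec stance: recognise the full input or refuse it.
    return end == len(s)


def classify(s: str) -> dict:
    """Return the verdict of each validator so the disagreements are visible."""
    return {
        'alphabet_only': regex_alphabet_only(s),
        'depth2_regex': regex_depth2(s),
        'parser': parse_balanced(s),
    }


# Constructed sample inputs. "((()))" is nested one level beyond what the
# unrolled regex covers; "(()" and ")(" are unbalanced but pass the alphabet
# check, which is the failure mode behind regex-based "sanitization".
SAMPLES = ["", "()", "(()())", "((()))", "(()", ")(", "(a)"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:10} {classify(sample)}")
    # Unrolling further only moves the cliff: depth 3 still fails at depth 4.
    print(depth_regex(3).fullmatch("(((())))") is not None,
          parse_balanced("(((())))"))
```

The instructive part is the cliff: `depth_regex(n)` is correct for every input up to depth n and wrong one level beyond it, and no n removes the cliff, whereas the twenty-line recogniser is correct for all depths because it implements the grammar rather than approximating it.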