The Second IEEE S&P Workshop on Language-theoretic Security (LangSec) will take place on Thursday, May 21st, 2015 in San Jose, CA, co-located with the IEEE Security & Privacy Symposium.

LangSec is a mission assurance approach for software that applies formal language analysis to the design and implementation of input-handling code (parsers across all layers of executable code used for operating system composition, messaging, protocol implementations, and any code at communication boundaries of software components) and---most importantly---of input data formats handled by such code. LangSec asserts that inputs and the code that handles them must be *co-designed* for easier verification and maintainability.

In a nutshell, LangSec models consumption of any input as computation; once we see any input as a program driving the system, the only effective defense against exploitation (unexpected computation) by crafted input is to co-design the input language and its handling code based on well-known models (regular expressions, pushdown automata, etc.) of recognizing valid or expected inputs as a language, defined by an appropriate unambiguous grammar, and discarding all other inputs.

In practice, the security game is already lost when the input data format is complex, ambiguous, or when input validation is handled ad-hoc, without regard to the grammar class of the input language and the appropriate computation model for recognition of that language. We also note that some input formats in fact pose undecidable recognition problems, and thus their security cannot be assured by any amount of testing or analysis; they are insecure by design and must be reduced or replaced for any infrastructure that contains them to be trustworthy.

The LangSec IEEE S&P workshop brings together academics, hackers, and industry programmers and architects; it seeks to cast long-standing intuitions of offensive security into a methodology for effective defense against currently ubiquitous exploitation by crafted inputs. The workshop welcomes academic papers, security practitioner research reports, and industry case studies.

The LangSec 2015 Call for Papers can be found at http://spw15.langsec.org/. Last year's LangSec IEEE SPW program and all presented papers and materials can be found at http://spw14.langsec.org/.

Important dates:

Paper submissions due: 15 January 2015, 11:59 PM PST
Research Reports, Panels, and Proof-of-concept submissions due: 30 January 2015, 11:59 PM PST
Notification to authors: 15 February 2015

--
Kind regards,
Stefano Zanero

Politecnico di Milano - Dip. Elettronica, Informazione e Bioingegneria
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel. +39 02 2399-4017
Fax. +39 02 2399-3411
E-mail: [email protected]
Web: http://home.dei.polimi.it/zanero/
