i read there are upwards to the order of "millions" of shotgun parsers in the wild (#langsec said it!). imagine that, a million monkeys with shotguns
What's going on with the Chinese Smart Court System of Systems?
(◕ᴗ◕)
@melaniemitchell
@timnitGebru @emilymbender
@rodneyabrooks @analogist
@Iris
@mmasnick @ncweaver
@abebab
@garymarcus
@FrankPasquale @jfpuget @alex
@DMerigoux
@basus
@dwaynemonroe
Deadline for the upcoming LangSec workshop has been extended to January 28. #langsec https://langsec.social/objects/e854a730-b6ec-465f-badf-e743d147ae5e
Slow but steady: Achieving real security within two decades
Love this talk. #langsec
https://youtu.be/zTeq_r4kJYA
💯
Meanwhile actual defensive work like #langsec, formal verification and memory safety is weirdly absent.
https://www.quantamagazine.org/formal-verification-creates-hacker-proof-code-20160920
https://www.php.net/manual/en/function.json-decode.php sayeth:
"null is returned if the json cannot be decoded or if the encoded data is deeper than the nesting limit."
No! No! The right answer is to throw an exception here!
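Added example (editor's code, not from the post above or from the PHP project) showing why the documented contract bites: json_decode() returns null for the literal JSON text "null", for a document nested deeper than its default depth limit of 512, and for a syntax error, so the return value alone cannot distinguish a successful decode from a failure. The strict wrapper uses the real JSON_THROW_ON_ERROR flag (PHP 7.3+) so every failure, including the depth limit, becomes a JsonException; the wrapper's name and its 64-level limit are choices made for this example, not PHP defaults. Assumes PHP 8.0 or later for the mixed return type.

```php
<?php
declare(strict_types=1);

// Three constructed inputs: a legitimate JSON null, a document deeper than
// json_decode()'s default depth limit of 512, and a syntax error.
$inputs = [
    'legit null' => 'null',
    'too deep'   => str_repeat('[', 600) . str_repeat(']', 600),
    'malformed'  => '{"user": "alice", }',
];

// 1. The documented contract: null on failure. All three calls return null,
//    so a caller testing `$value === null` cannot tell success from failure.
//    Only a second call, json_last_error(), recovers the distinction, and it
//    must be made before any other json_* call overwrites the state.
foreach ($inputs as $label => $json) {
    $value = json_decode($json, true);
    printf("%-10s -> %s (json_last_error: %d, %s)\n",
        $label, var_export($value, true), json_last_error(), json_last_error_msg());
}

/**
 * Strict wrapper (added here, not PHP's own API): the only way to get a
 * value back is a successful decode; every failure, including exceeding
 * the depth limit, surfaces as a JsonException. The 64-level limit is an
 * arbitrary defensive choice for this example, not a PHP default.
 */
function decode_json_strict(string $json, int $maxDepth = 64): mixed
{
    return json_decode($json, true, $maxDepth, JSON_THROW_ON_ERROR);
}

// 2. With the exception contract, the legitimate null decodes to null and the
//    two failures are rejected with distinct error codes (JSON_ERROR_DEPTH,
//    JSON_ERROR_SYNTAX) carried in the exception.
foreach ($inputs as $label => $json) {
    try {
        $value = decode_json_strict($json);
        printf("%-10s -> decoded: %s\n", $label, var_export($value, true));
    } catch (JsonException $e) {
        printf("%-10s -> rejected: %s (code %d)\n", $label, $e->getMessage(), $e->getCode());
    }
}
```

Run with `php decode_demo.php`. The point to take away for review: any call site of the form `if (json_decode($x) === null) { /* error */ }` treats a valid "null" document as an error and, conversely, any call site that does not check json_last_error() treats a failed decode as a valid null.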
Users are STRONGLY discouraged from using the lookups option
RT @andreasdotorg@twitter.com
In which the #log4j maintainers do the only sensible thing and nuke the entire feature from orbit.
Manul, the #langsec cat, purrs approvingly.
https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d
🐦🔗: https://twitter.com/andreasdotorg/status/1470406202962104320
This week's project at work was to learn how to use a parser-generator and apply it to my URL library. It was a little frustrating at first, but fun!
Now I have 120 KB of switch statements that perfectly capture RFCs 3986, 5234, and 6874, and it's pretty much guaranteed to parse URIs in the exact same way as any *other* program that generates a parser from that grammar.
Mismatched parsers cause untold numbers of security holes. Parser generators are a great way to prevent them.
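Added example (editor's code, not the poster's URL library) of the kind of mismatch the post is talking about. Two host extractors are written for the same URI: one splits with the reference regex from RFC 3986 Appendix B and then divides the authority as [ userinfo "@" ] host [ ":" port ]; the other treats a backslash like a slash, which is the rule the WHATWG URL Standard applies to http(s) URLs and therefore what a browser does. On the constructed input `http://evil.example\@good.example/login` the first reports the host as good.example and the second as evil.example, so an allowlist check built on the first approves a navigation that ends at the second. A third function shows what a parser generated from the RFC's grammar would do instead: reject the authority outright, because backslash appears in none of its productions. Assumes PHP 8.0 or later; function names are this example's own.

```php
<?php
declare(strict_types=1);

/**
 * Parser A: RFC 3986 Appendix B's reference regex splits the URI into
 * components; the authority is then split as [ userinfo "@" ] host [ ":" port ].
 * Returns null when there is no authority component.
 */
function host_per_rfc3986_regex(string $uri): ?string
{
    $re = '~^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?~';
    if (preg_match($re, $uri, $m) !== 1 || ($m[3] ?? '') === '') {
        return null;
    }
    $authority = $m[4];
    // userinfo cannot contain "@", so the first "@" terminates it.
    $at = strpos($authority, '@');
    $hostport = $at === false ? $authority : substr($authority, $at + 1);
    if (str_starts_with($hostport, '[')) {            // IP-literal, e.g. [::1]:8080
        $end = strpos($hostport, ']');
        return $end === false ? null : substr($hostport, 0, $end + 1);
    }
    $colon = strrpos($hostport, ':');                 // reg-name has no ":", so this is the port
    return $colon === false ? $hostport : substr($hostport, 0, $colon);
}

/**
 * Parser B: the same job, but "\" ends the authority exactly like "/" does,
 * which is how the WHATWG URL Standard (and so browsers) treat http(s) URLs.
 * Deliberately simplified (no IP-literal handling); it only shows the divergence.
 */
function host_backslash_is_slash(string $uri): ?string
{
    $start = strpos($uri, '//');
    if ($start === false) {
        return null;
    }
    $rest = substr($uri, $start + 2);
    $len = strcspn($rest, "/\\?#");                   // authority ends at any of / \ ? #
    $authority = substr($rest, 0, $len);
    $at = strrpos($authority, '@');                   // WHATWG: the last "@" separates userinfo
    $hostport = $at === false ? $authority : substr($authority, $at + 1);
    $colon = strrpos($hostport, ':');
    return $colon === false ? $hostport : substr($hostport, 0, $colon);
}

/**
 * What a parser generated from the RFC 3986 grammar does: accept only the
 * characters the authority production allows (unreserved / pct-encoded /
 * sub-delims / ":" / "@" / "[" / "]") and reject everything else.
 */
function is_rfc3986_authority(string $authority): bool
{
    return preg_match('/^(?:[A-Za-z0-9\-._~!$&\'()*+,;=:@\[\]]|%[0-9A-Fa-f]{2})*$/', $authority) === 1;
}

/** A typical allowlist check, parameterised by which parser it trusts. */
function is_allowed_target(string $uri, callable $hostOf): bool
{
    return $hostOf($uri) === 'good.example';
}

// Constructed input: the backslash is the whole trick.
$uri = 'http://evil.example\\@good.example/login';

printf("parser A (RFC 3986 regex split) host: %s\n", host_per_rfc3986_regex($uri));
printf("parser B (backslash = slash)   host: %s\n", host_backslash_is_slash($uri));
printf("allowlist trusting A: %s, the browser goes to: %s\n",
    is_allowed_target($uri, 'host_per_rfc3986_regex') ? 'PASS' : 'reject',
    host_backslash_is_slash($uri));

// The grammar-faithful parser never gets as far as a host: the authority
// contains a character outside the grammar, so the URI is simply invalid.
$authority = explode('/', substr($uri, strlen('http://')), 2)[0];
printf("grammar accepts authority %s? %s\n",
    $authority, is_rfc3986_authority($authority) ? 'yes' : 'no');
```

The design point matches the post: the Appendix B regex is permissive by design (the RFC itself says it is for splitting, not validating), so two programs that both "follow RFC 3986" can still disagree once one of them is lenient about characters the grammar never allowed. A parser generated from the grammar has no such slack, and rejecting the input is the safe answer when the downstream consumer is a browser whose rules you do not control.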
^LB: In my CS education, we learned about regular grammars and context-free grammars. We even learned how to write parsers for them. They may have even mentioned parser-generators that will turn a grammar into code for you.
What they failed to mention, as far as I can recall, is that writing custom parsers can be *dangerous*.
Computer Science != Software Development, and I think that needs to be emphasized in school.