Security Applications of Formal Language Theory
We present a formal language theory approach to improving the security aspects of protocol design and message-based interactions in complex composed systems. We argue that these aspects are responsible for a large share of modern computing systems' insecurity. We show how our approach leads to...
Published in: | IEEE systems journal 2013-09, Vol.7 (3), p.489-500 |
---|---|
Main authors: | Sassaman, Len; Patterson, Meredith L.; Bratus, Sergey; Locasto, Michael E. |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | 500 |
---|---|
container_issue | 3 |
container_start_page | 489 |
container_title | IEEE systems journal |
container_volume | 7 |
creator | Sassaman, Len; Patterson, Meredith L.; Bratus, Sergey; Locasto, Michael E. |
description | We present a formal language theory approach to improving the security aspects of protocol design and message-based interactions in complex composed systems. We argue that these aspects are responsible for a large share of modern computing systems' insecurity. We show how our approach leads to advances in input validation, security modeling, attack surface reduction, and ultimately, software design and programming methodology. We cite examples based on real-world security flaws in common protocols, representing different classes of protocol complexity. We also introduce a formalization of an exploit development technique, the parse tree differential attack, made possible by our conception of the role of formal grammars in security. We also discuss the negative impact unnecessarily increased protocol complexity has on security. This paper provides a foundation for designing verifiable critical implementation components with considerably less burden to developers than is offered by the current state of the art. In addition, it offers a rich basis for further exploration in the areas of offensive analysis and, conversely, automated defense tools, and techniques. |
doi_str_mv | 10.1109/JSYST.2012.2222000 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 1932-8184 |
ispartof | IEEE systems journal, 2013-09, Vol.7 (3), p.489-500 |
issn | 1932-8184; 1937-9234 |
language | eng |
recordid | cdi_ieee_primary_6553401 |
source | IEEE Electronic Library (IEL) |
subjects | Automata; Complexity; Computer information security; Computer programs; Design engineering; Formal languages; Grammar; Language-theoretic security; Protocol; Protocols; Reduction; secure composition; secure protocol design; Security; Semantics; Software; State of the art |
title | Security Applications of Formal Language Theory |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-08T20%3A59%3A39IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Security%20Applications%20of%20Formal%20Language%20Theory&rft.jtitle=IEEE%20systems%20journal&rft.au=Sassaman,%20Len&rft.date=2013-09-01&rft.volume=7&rft.issue=3&rft.spage=489&rft.epage=500&rft.pages=489-500&rft.issn=1932-8184&rft.eissn=1937-9234&rft.coden=ISJEB2&rft_id=info:doi/10.1109/JSYST.2012.2222000&rft_dat=%3Cproquest_RIE%3E1429849425%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1399497432&rft_id=info:pmid/&rft_ieee_id=6553401&rfr_iscdi=true |