SoSySec seminar: A formal study of injection-based attacks and some tools it will enable

Published on Wed 10/02/2021 - 14:20
BBB: https://bbb.irisa.fr/b/fil-2fk-vwv access code: 620416
Pierre-François GIMENEZ (Inria Rennes, CentraleSupélec)

A formal study of injection-based attacks and some tools it will enable

Many systems work by receiving instructions and processing them: a browser receives an HTML page, then displays it and executes its JavaScript scripts; a database receives a query and then applies it to its data; an embedded system controlled through a protocol receives a message and then processes it. When such instructions depend on user input, they are generally built by concatenation or insertion. This can lead to injection-based attacks, in which the user input modifies the intended semantics of the query and causes a security breach. Protections do exist, but they are not sufficient because they never tackle the origin of the problem: the language itself. We propose a new formal approach, based on formal languages, to assess risk, enhance static analysis, and enable new tools. This approach is general and applies to query, programming, and domain-specific languages as well as to network protocols. We are setting up an ANR project to study this subject in more depth.
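The abstract's core observation, illustrated with an added example that is not part of the talk or of this announcement: an instruction built by concatenation has an intended structure in its language, and an injection is exactly a user input that changes that structure. The tiny SQL tokenizer, the query template and the sample inputs below are constructed for this illustration; the check compares the token-kind sequence of the built query against that of the intended template.

```python
import re

# Constructed minimal SQL tokenizer for this example (not a full SQL grammar).
_TOKEN = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')   # string literal; '' is an escaped quote
  | (?P<NUMBER>\d+)
  | (?P<WORD>[A-Za-z_]\w*)       # keyword or identifier
  | (?P<PUNCT>[<>=!]+|[(),;*])
  | (?P<COMMENT>--[^\n]*)        # line comment
  | (?P<WS>\s+)
""", re.VERBOSE)

def tokenize(sql):
    """Return the (kind, text) tokens of sql, skipping whitespace."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN.match(sql, pos)
        if not m:
            # e.g. an unterminated string literal left by an unescaped quote
            raise ValueError(f"cannot tokenize at offset {pos}: {sql[pos:pos + 10]!r}")
        pos = m.end()
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
    return tokens

def shape(sql):
    """Structure of a query: the sequence of token kinds, literal contents erased."""
    return [kind for kind, _ in tokenize(sql)]

# Constructed template: the developer intends the user input to be ONE string literal.
TEMPLATE = "SELECT * FROM users WHERE name = '{}' AND active = 1"

def build_by_concatenation(user_input):
    """The insertion pattern the abstract describes: input spliced into the query text."""
    return TEMPLATE.format(user_input)

def input_preserves_structure(user_input):
    """True iff the input only fills the literal and leaves the query's token
    structure identical to the intended one; False signals a structural change."""
    intended = shape(TEMPLATE.format("x"))  # any plain value gives the intended shape
    try:
        actual = shape(build_by_concatenation(user_input))
    except ValueError:
        return False  # could not even be tokenized as the intended language
    return actual == intended
```

A properly escaped quote (`O''Brien`) stays inside the literal and passes, while an input that opens new tokens or a comment changes the shape and is flagged; a parameterized query removes the problem entirely by never splicing the input into the query text.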

The presentation will be given in English and take place remotely, via Big Blue Button (BBB), in the following room https://bbb.irisa.fr/b/fil-2fk-vwv (Access Code: 620416). It will be recorded.

To receive the SoSySec announcements, please subscribe to the SoSySec mailing list
All past and future SoSySec talks are listed at