Séminaire SoSySec : A formal study of injection-based attacks and some tools it will enable

Publié le mer 10/02/2021 - 14:20
Séminaire
Date de début
Date de fin
Lieu
Webminaire
Salle
BBB: https://bbb.irisa.fr/b/fil-2fk-vwv access code: 620416
Orateur
Pierre-François GIMENEZ (Inria Rennes, CentraleSupélec)

A formal study of injection-based attacks and some tools it will enable
==========================================================

Many systems work by receiving instructions and processing them: e.g., a browser receives and then displays an HTML page and executes Javascript scripts, a database receives a query and then applies it to its data, an embedded system controlled through a protocol receives and then processes a message. When such instructions depend on user input, one generally constructs them with concatenation or insertion. It can lead to injection-based attacks: when the user input modifies the query's intended semantics and leads to a security breach. Protections do exist but are not sufficient as they never tackle the origin of the problem: the language itself. We propose a new formal approach based on formal languages to assess risk, enhance static analysis, and enable new tools. This approach is general and can be applied to query, programming, and domain-specific languages as well as network protocols. We are setting up an ANR project to go into this subject in more depth.

--------------------------------------------------------------------
The presentation will be given in English and take place remotely, via Big Blue Button (BBB), in the following room https://bbb.irisa.fr/b/fil-2fk-vwv (Access Code: 620416). It will be recorded.

--------------------------------------------------------------------
To receive the SoSySec announcements, please subscribe to the SoSySec mailing list
https://sympa.inria.fr/sympa/subscribe/sosysec
All past and future SoSySec talks are listed at
https://seminaires-dga.inria.fr/en/seances-a-venir/