I am a langsec skeptic.
-
Replying to @fugueish
I think a lot of good work gets done by people working in the rubric but the overall idea isn’t coherent and that “langsec” isn’t a super productive lens through which to look at systems security.
-
This Tweet is unavailable.
-
What are the big ideas of langsec? Formally-verified parsers as first layer of input acceptance, and unexpected computation/weird machines.
-
Formally verified parsers are a good thing but address a limited number of real vulnerabilities. Weird machines seems like more of an observational/phenomenological thing than a design principle you can follow to get secure systems.
-
Moreover, I think both weird machines and formally verified parsers predate langsec and remain a component of more general systems security, so ¯\_(ツ)_/¯
-
I know this isn’t fair but I often get the sense that langsec addresses a vision of Internet software security that is pretty firmly dated in the very early 2000s.
-
… like, the bugs you get when you write an ASN.1 parser in C.
-
Yes, this drives me crazy about a lot of static analysis papers too. They go to absurd lengths to solve problems that would be solved much more easily by just not writing in C. I think a lot of researchers think that C is a lot more commonly used in new software than it is.
-
I think it's more that they assume that existing C programs will not be replaced or rewritten in a comprehensive way.