buherator (@buherator@infosec.place), to random

Bugs of the Year Awards results are in (still from X :P)!

“The Most Impactful Parser Bug Of The Year Award is given to the WebP 0day” - awarded to @benhawkes

“The hardest to fix parser bug goes to the http://Binarly.io team for the LogoFAIL bugs.”

“The Best Parser Differential Award goes to the inconsistent interpretation of YAML foods between Go and Rust.” - There is a link on the captured slide, and I’m pretty sure it’s @joern’s bug, but I can’t find a proper CVE anywhere… seriously people, references!

“The Weirdest Machine Award goes to Ian Beer @i41nbeer @benhawkes and @saelo”

Full thread with runners-up:

https://x.com/jvanegue/status/1793801911650676915

falcon (@falcon@mastodon.falconk.rocks), to random

At the conference, "Universe of PCX 1700 PCX files" from the Internet Archive was credited by the discoverers of the LogoFAIL EFI firmware security bug, via Alex Matrosov, because it was their only effective way to get a fuzzing corpus for the PCX parser in most EFI firmware. Bravo (and cc @textfiles).

falcon (@falcon@mastodon.falconk.rocks), to random

Sitting in the workshop, "Towards Language-Theoretic Security for Dynamic Documents", Will Crichton and Shriram Krishnamurthi.

The authors are essentially proposing Android-style capability permissions with user prompts, except that you can mark individual classes as needing the capability. The point is to make rich documents without creating extra data flows, but it can be bypassed.

It does, however, pose a good threat model base for documents.

sergey, to random

The paper submission deadline for the 10th LangSec IEEE Security & Privacy workshop https://langsec.org/spw24/ has been extended to January 30, 2024. Please submit your work and join us in San Francisco or online on May 23, 2024!

wtfpdf (@wtfpdf@mastodon.social)

@sergey ’cause parsers can't fix themselves (yet)...

sleepycat, to random

"During the boot process, vulnerable firmware will load the malicious logo from the ESP and parse it with a vulnerable image parser, thus the attacker can hijack the execution flow by exploiting a vulnerability in the parser itself. By exploiting this threat, the attacker can achieve arbitrary code execution during the DXE phase, which means complete game-over for platform security."

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/
