Prashant Anantharaman

Prashant Anantharaman - Ph.D. student at Dartmouth College


Talk Title

Building Hardened IoT Implementations with LangSec

Abstract:

Language-theoretic security is the approach of recognizing and handling all input before processing it. Traditionally, almost every software development project mixes the recognition of input with the processing of that input. If the recognition is not done right, malformed input can be processed and lead to exploits. Language-theoretic security proposes that recognition be separated from processing, making the code easier to audit and fundamentally preventing parser bugs from recurring. In this talk, we present an overview of language-theoretic security, describe the parser combinator library hammer, and go over building such applications. We then switch gears and take a glimpse at generating test cases from parser combinator inputs, which represent regular expressions and context-free grammars, to exhaustively test the correctness of the implementations.

The AMQP protocol is widely used in modern industrial IoT systems. We also demonstrate our technique on an implementation of the AMQP protocol, and demonstrate its efficacy against state-of-the-art fuzzers like AFL and libFuzzer.
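The separation of recognition from processing described above, sketched as an added example that is not code from the talk and does not use hammer: a hand-written recognizer for the AMQP 0-9-1 general frame layout (type octet, 16-bit channel, 32-bit size, payload, frame-end octet 0xCE) that must accept the whole buffer before any processing runs. The function names, `MAX_PAYLOAD` and the sample frames are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_END   0xCE
#define MAX_PAYLOAD 512u  /* assumed limit for this sketch, not from the talk */
typedef struct {
    uint8_t  type;        /* 1 method, 2 header, 3 body, 8 heartbeat */
    uint16_t channel; uint32_t size;
    const uint8_t *payload;
} amqp_frame;

/* Recognizer: accept only a buffer that is exactly one well-formed frame. */
int recognize_frame(const uint8_t *buf, size_t len, amqp_frame *out) {
    if (len < 8) return 0;                     /* 7-octet header + end octet */
    uint8_t type = buf[0];
    if (type != 1 && type != 2 && type != 3 && type != 8) return 0;
    uint16_t channel = (uint16_t)((buf[1] << 8) | buf[2]);
    uint32_t size = ((uint32_t)buf[3] << 24) | ((uint32_t)buf[4] << 16) |
                    ((uint32_t)buf[5] << 8)  | (uint32_t)buf[6];
    if (size > MAX_PAYLOAD) return 0;
    if ((size_t)size != len - 8) return 0;     /* declared size must match */
    if (buf[7 + size] != FRAME_END) return 0;
    if (type == 8 && (channel != 0 || size != 0)) return 0; /* heartbeat rule */
    *out = (amqp_frame){type, channel, size, buf + 7};
    return 1;
}

/* Processing: runs only on accepted frames, so the copy needs no re-checks. */
static uint8_t store[MAX_PAYLOAD];
long process_frame(const amqp_frame *f) {
    memcpy(store, f->payload, f->size);
    return (long)f->size;
}

/* Returns payload octets processed, or -1 if the input was rejected. */
long handle_input(const uint8_t *buf, size_t len) {
    amqp_frame f;
    return recognize_frame(buf, len, &f) ? process_frame(&f) : -1;
}

/* Constructed sample inputs: a valid method frame and one that lies about size. */
const uint8_t ok_method[]  = {1, 0, 1, 0, 0, 0, 2, 0xAA, 0xBB, 0xCE};
const uint8_t bad_length[] = {1, 0, 1, 0, 0, 0, 9, 0xAA, 0xBB, 0xCE};
int main(void) {
    printf("%ld ", handle_input(ok_method, sizeof ok_method));
    printf("%ld\n", handle_input(bad_length, sizeof bad_length));
    return 0;
}
```

Because `process_frame` is reachable only through `recognize_frame`, an audit of input handling reduces to reading the recognizer.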

Bio:

Prashant Anantharaman is a Ph.D. student at Dartmouth College working with Sean Smith and Sergey Bratus. Prashant's research ranges from Language-Theoretic Security to Applied Cryptography and Internet-of-Things Security. His previous work includes analyzing input-handling methodologies and parsers for both documented and undocumented protocol implementations in the wild. Prashant is also a Free Software evangelist.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved