2020 IEEE Security and Privacy Workshops (SPW) 2020
DOI: 10.1109/spw50608.2020.00064

Research Report: The Parsley Data Format Definition Language

Abstract: Any program that reads formatted input relies on parsing software to check the input for validity and transform it into a representation suitable for further processing. Many security vulnerabilities can be attributed to poorly defined grammars, incorrect parsing, and sloppy input validation. In contrast to programming languages, grammars for even common data formats such as ELF and PDF are typically context-sensitive and heterogeneous. However, as in programming languages, a standard notation or language to ex…

Cited by 4 publications (1 citation statement)
References 16 publications

“…The authors demonstrate the feasibility of format discovery supporting formal parser enforcement, but one finding is that the authors discover vulnerabilities in the formats in use. Analysis of format specifications in diverse fields such as industrial control system network protocols, PDF, Executable Linkable Format (ELF), and data description languages have found vulnerabilities or ambiguities in the specification [2,29]. The scope of program verification is generally limited to properties of the program, not the specification.…”
Section: Applicability To Modern Systems (mentioning)
confidence: 99%