Why Your Last Server Sucks and How Language Theory Can Help Your Next One Suck Less


You'd never execute code sent to you over the internet... or would you? Every server is mathematically equivalent to an interpreter that executes the language defined by the inputs it accepts and can be attacked as such. Ignoring this fact has led to programs which give attackers access to more computational power than their protocols require, systems whose parts speak exploitably different dialects, and protocols which make such vulnerabilities unavoidable. I've written systems that have those flaws, and you probably have too, but there are principles that can make our next systems better. By systematically analyzing protocols and servers as languages and interpreters, Language-theoretic Security (LangSec) offers very practical guidance in writing precisely specified, predictable networking code that minimizes the computational power and expressiveness that it exposes to the world. The emphasis will be on the simplest possible presentation of the theory and on the most useful practical results.

Ballroom H
Sunday, March 11, 2018 - 13:30 to 14:30