Suppose you need to incorporate crypto into your application. Or you need to write a regex to validate some user input. You might end up on Stack Overflow, where you find a code snippet that you can paste into your application. And even better, it works on the first try! But is the code correct, and is the code secure? In this talk, Jamie and Sazzadur will talk about the potential hazards of copy/pasting crypto and regexes into your software.
Resources mentioned in this session:
Slides: Coming soon
- Jamie is the maintainer of the safe-regex module on npm. More accurate super-linear regex detectors are available through the vuln-regex-detector project.
- His regex portability tools can be found in the LinguaFranca project.
- He posts "reader's digest" summaries of his work on Medium. Here are the posts for his work on regex security and regex portability.
- Sazzadur’s application-level cryptographic misuse detection paper can be found here.
- You can scan your Java code for cryptographic misuse using his CryptoGuard project.
If any of these tools or resources are helpful, please let us know!
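The resource list above mentions safe-regex and the more accurate vuln-regex-detector. To make concrete what a "super-linear regex detector" looks for, here is a star-height heuristic written as an added example for this page; it is not code from the talk, from safe-regex or from vuln-regex-detector, only a small detector in the same spirit. It assumes JavaScript regex source strings, counts `*`, `+` and `{n,}` as unbounded quantifiers, treats `?`, `{n}` and `{n,m}` as bounded, and flags any pattern whose star height (deepest nesting of unbounded quantifiers) exceeds 1. The sample patterns at the bottom are constructed for illustration.

```javascript
// Added example: star-height heuristic for candidate super-linear regexes.
// Assumption: inputs are JavaScript regex source strings (no flags needed).

// An unbounded quantifier: *, +, or {n,} (optionally followed by a lazy '?').
const UNBOUNDED_QUANT = /^(?:[*+]|\{\d+,\})\??/;
// A bounded quantifier: ?, {n}, or {n,m} (optionally lazy). These cap the
// number of repetitions, so they do not count toward star height.
const BOUNDED_QUANT = /^(?:\?|\{\d+(?:,\d+)?\})\??/;

// Star height of a pattern: the deepest nesting of unbounded quantifiers.
// /a+/ has height 1, /(a+)+/ has height 2, /\d{1,3}/ has height 0.
function starHeight(source) {
  const stack = [0]; // stack[k] = max height seen so far inside the k-th open group
  let i = 0;

  // Consume a quantifier following an atom whose inner height is `inner`
  // (if one is present) and return the atom's contribution to its group.
  const quantified = (inner) => {
    const rest = source.slice(i);
    let m = UNBOUNDED_QUANT.exec(rest);
    if (m) { i += m[0].length; return inner + 1; }
    m = BOUNDED_QUANT.exec(rest);
    if (m) i += m[0].length;
    return inner;
  };
  const record = (h) => {
    stack[stack.length - 1] = Math.max(stack[stack.length - 1], h);
  };

  while (i < source.length) {
    const c = source[i];
    if (c === '\\') {            // escaped atom such as \d or \.
      i += 2;
      record(quantified(0));
    } else if (c === '[') {      // character class: skip to the closing ']'
      i += 1;
      if (source[i] === '^') i += 1;
      if (source[i] === ']') i += 1;   // a leading ']' is literal
      while (i < source.length && source[i] !== ']') {
        if (source[i] === '\\') i += 1;
        i += 1;
      }
      i += 1;
      record(quantified(0));
    } else if (c === '(') {      // open group; skip (?: (?= (?! (?<name> prefixes
      stack.push(0);
      i += 1;
      if (source[i] === '?') {
        i += 1;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          const close = source.indexOf('>', i);      // named capture group
          i = close === -1 ? source.length : close + 1;
        } else {
          i += 1;
        }
      }
    } else if (c === ')') {      // close group; a quantifier here nests the group's height
      const inner = stack.length > 1 ? stack.pop() : 0;
      i += 1;
      record(quantified(inner));
    } else {                     // plain character, '.', '|', '^', '$'
      i += 1;
      record(quantified(0));
    }
  }
  return stack[0];
}

// Heuristic verdict: star height above 1 means nested unbounded repetition,
// the shape behind classic catastrophic backtracking. Cheap, but imprecise.
function isSafeHeuristic(source) {
  return starHeight(source) <= 1;
}

// Constructed sample patterns (not from the talk) and the heuristic's verdict.
const SAMPLES = [
  ['^(a+)+$', false],           // textbook exponential pattern: correctly flagged
  ['^(\\d+\\.)*\\d+$', false],  // flagged (height 2), yet the '.' separator keeps
                                // each iteration unambiguous: a false positive
  ['^[a-z]+$', true],           // single unbounded quantifier: fine
  ['^(a|aa)+$', true],          // height 1, but exponential on 'aaaa...b':
                                // a false negative the heuristic cannot see
];

for (const [pattern, expected] of SAMPLES) {
  const verdict = isSafeHeuristic(pattern);
  console.log(`${pattern}\tstarHeight=${starHeight(pattern)}\tsafe=${verdict}` +
              (verdict === expected ? '' : '  (heuristic mismatch)'));
}
```

The last two samples are the point: a star-height check catches the common `(x+)+` shape but both over- and under-reports, which is why the list above points to vuln-regex-detector for more accurate analysis. Run the block under Node to see the verdicts; do not time the flagged patterns against long inputs in a production process.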
Jamie Davis and Sazzadur Rahaman
Jamie Davis and Sazzadur Rahaman are 5th-year PhD students in Computer Science at Virginia Tech. They both spent a few years in industry before heading back to school, and they both study software correctness and security. Jamie focuses on regular expressions and Node.js, while Sazzadur's interests lie in application-level cryptographic vulnerabilities. Jamie's research has led to changes in the core libraries of Python and Node.js, and Sazzadur's has led to changes in projects such as Apache Spark and Apache Ranger.