Papers by Meredith L. Patterson
IEEE Systems Journal, Sep 1, 2013
ieeexplore.ieee.org
Riham Hassan Abdel-Moneim, David R. Albrecht, Yudistira Asnar, Yan Bai, Rainer Boehme, Katrin Borcea-Pfitzmann, Sebastian Clauss, Mustafa Canim, Pern Hui Chia, Melissa Dark, Dipankar Dasgupta, Stelios Dritsas, Rachida Dssouli, Orr Dunkelman, Elke Franz, Meng Ge, Kambiz Ghazinour ...
login - The Usenix Magazine, 2015
The code that parses inputs is the first and often the only protection for the rest of a program from malicious inputs. No programmer can afford to verify every implied condition on every line of code—even if this were possible to implement without slowing execution to a crawl. The parser is the part that is supposed to create a world for the rest of the program where all these implied conditions are true and need not be explicitly checked at every turn. Sadly, this is exactly where most parsers fail, and the rest of the program fails with them. In this article, we explain why parsers continue to be such a problem, as well as point to potential solutions that can kill large classes of bugs.
DOI 10.7717/peerj-cs.2
Input validation has long been recognized as an essential part of a well-designed system, yet existing literature gives very little in the way of formal axioms for input validation or guidance on how to put in practice what few recommendations exist. We present basic formal axioms for input validation and apply them to SQL, where we demonstrate enhanced resistance to injection attacks.
In this paper, we discuss Bitfrost, the security model developed by the One Laptop Per Child project for its XO laptop computers. Bitfrost implements a number of security measures intended primarily to deter theft and malware, but which also introduce severe threats to data security and individual privacy. We describe several of the technical provisions in Bitfrost, outline the risks they enable, and consider their legal ramifications and the psychological impact posed for children and society.
2017 IEEE Cybersecurity Development (SecDev), 2017
Input-handling vulnerabilities have been a constant source of security problems for decades. Many famous recent bugs are in fact input-handling bugs. We argue that the techniques for writing parsers in their present form are insufficient, and hence we propose a new pattern. In this tutorial, we will show participants a new design pattern for designing and implementing parsers using this new method. Participants will witness how this new method leads to more readable code that is easier to audit, while also inherently preventing many input-handling mistakes and having a small CPU footprint.
Research unveiled in December of 2008 [15] showed how MD5’s long-known flaws could be actively exploited to attack the real-world Certification Authority infrastructure. In this paper, we demonstrate two new classes of collision, which will be somewhat trickier to address than previous attacks against X.509:
work with the Cypherpunks on the Mixmaster anonymous remailer system and the Tor Project helped establish the field of anonymity research, and in 2009 he and Meredith began formalizing the foundations of language-theoretic security, which he was working on at the time of his death in July 2011. He was 31. Meredith L. Patterson is a software engineer at Red
Information-theoretic private information retrieval (PIR) protocols, such as those described by Chor et al. [5], provide a mechanism by which users can retrieve information from a database distributed across multiple servers in such a way that neither the servers nor an outside observer can determine the contents of the data being retrieved. More recent PIR protocols also provide protection against Byzantine servers, such that a user can detect when one or more servers have attempted to tamper with the data he has requested. In some cases (as in the protocols presented by Beimel and Stahl [1]), the user can still recover his data and protect the contents of his query if the number of Byzantine servers is below a certain threshold; this property is referred to as Byzantine-recovery. However, tampering with a user’s data is not the only goal a Byzantine server might have. We present a scenario in which an arbitrarily sized coalition of Byzantine servers transforms the userbase of a PI...
... Title: Exploiting the Forest with Trees. Authors: Patterson, Meredith; Sassaman, Len. Issue Date: 2010. Conference: Black Hat Briefings, Las Vegas, USA, July 28-29, 2010. URI: https://www.cosic.esat.kuleuven.be/publications/talk-157.pdf. Publication status: published ...
login Usenix Mag., 2011
Hacker-driven exploitation research has developed into a discipline of its own, concerned with practical exploration of how unexpected computational properties arise in actual multi-layered, multi-component computing systems, and of what these systems could and could not compute as a result. The staple of this research is describing unexpected (and unexpectedly powerful) computational models inside targeted systems, which turn a part of the target into a so-called "weird machine" programmable by the attacker via crafted inputs (a.k.a. "exploits"). Exploits came to be understood and written as programs for these "weird machines" and served as constructive proofs that a computation considered impossible could actually be performed by the targeted environment. This research defined and fulfilled the need of such practical exploration in real systems that we must trust. Hacker research has also dominated this area, while academic analysis of the ...
login Usenix Mag., 2017
Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a PhD in mathematics from Northeastern University and worked at BBN Technologies on natural-language processing research before coming to Dartmouth. Lars Hermerschmidt is currently working as Information Security Officer at AXA Konzern AG, where he is leading software security activities. He is a PhD candidate in software engineering at RWTH Aachen University, where he started to work on correct unparsers to prevent injections and on automated security architecture analysis. programmer by passion, a mathematician by training, and calls himself an applied scientist of insecurity by profession. He contributed large parts to the Hammer parser library and wrote the DNP3 parser based on it. where he tries to further apply LangSec principles to cybernetic systems. pesco@khjk.org Programs...
Sergey Bratus is a Research Associate Professor of computer science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a PhD in mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth. the founder of Upstanding Hackers. She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa and has continued expanding the technique ever since. She lives in Brussels, Belgium. Technology, and Society and maintains the CRAWDAD.org repository of traces and data for all kinds of wireless and sensor network research. She was the operator of Dartmouth's Tor node when the Tor network had about 30 nodes total. The code that parses inputs is the first and often the only protection for the rest of a pro...