The LangSec IEEE Security & Privacy workshop is pleased to announce the second year of the LangSec Bug of the Year Discovery awards, generously sponsored by Binarly.io.
Nominations in the following categories will be accepted via email at bug-of-the-year@langsec.net and will be voted on by a panel of judges who include LangSec program committee members as well as BlackHat Pwnie winners and former judges.
Awards from 2024 can be found here.
Nominations will be accepted through May 10. Awards will be announced at the workshop.
The award categories are as follows:
Discovery of The Most Impactful Parser Bug of the Year.
Can a parser bug threaten the world's computing infrastructure as we know it? Exploitable parser bugs are everywhere, from personal devices to critical infrastructure. The same parser bug can exist in millions of devices and can be unwittingly replicated by dozens of vendors. This award will go to the researchers who discover, disclose, and explain the exploitable parser bug of the year that, if maliciously exploited, could compromise, render untrustworthy, or disrupt the most systems, or have the worst consequences for trusted and critical systems. The judges may decide to go by the quantitative measure of the biggest number of affected systems or weigh it by potential damage.
This bug would join the long list of distinguished examples of why "Thou shalt not roll thy own parser" needs to join "Thou shalt not roll thy own crypto[graphic algorithms]".
Discovery of The Parser Differential of the Year.
When two systems disagree about the contents of the same message, how bad can the consequences be? These disagreements, known as parser differentials, are becoming increasingly common as more and more systems sit on the path that processes the same data item. This award will go to the researchers who discover, disclose, and explain an exploitable parser differential of the year that leads to the qualitatively strangest system consequences.
This bug would join the long list of distinguished examples of why "Ambiguity is insecurity" must become the foremost concern for designers of distributed systems data interchange formats, alongside "Thou shalt not roll thy own parser".
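The following is an added illustration, not part of the award announcement and not code from any nominated finding: a minimal differential test harness that feeds the same byte string to two parsers of a simple "name: value" header format and reports every field on which they disagree. The two parsers and the sample messages are constructed for this example; the differences between them (line-terminator handling, whitespace around field names, first- versus last-duplicate wins) stand in for the kinds of divergence that turn up between real implementations of the same specification.

```python
"""Differential testing of two parsers for one header format (constructed example)."""
from typing import Optional

# The format: "name: value" lines terminated by a blank line, then a body.
# Both parsers below are plausible readings of such an informal description;
# they diverge exactly where the description is silent.


def parse_headers_first_wins(raw: bytes) -> dict[str, str]:
    """Lenient reading: accepts bare LF, trims field names, keeps the first duplicate."""
    headers: dict[str, str] = {}
    for line in raw.split(b"\n"):
        if line.strip() == b"":        # blank line (with or without stray CR) ends the headers
            break
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            continue                   # not a header line; skip it silently
        key = name.strip().lower()
        headers.setdefault(key, value.strip())
    return headers


def parse_headers_last_wins(raw: bytes) -> dict[str, str]:
    """Stricter reading: requires CRLF, does not trim field names, keeps the last duplicate."""
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if line == b"":                # only an exact empty line ends the headers
            break
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            continue
        headers[name.lower()] = value.strip()
    return headers


def differential(raw: bytes) -> dict[str, tuple[Optional[str], Optional[str]]]:
    """Return {field: (view_of_parser_A, view_of_parser_B)} for every field the two parsers disagree on.

    An empty dict means both parsers saw the same message; anything else is an
    ambiguity in the format that downstream logic could be made to depend on.
    """
    a = parse_headers_first_wins(raw)
    b = parse_headers_last_wins(raw)
    return {
        key: (a.get(key), b.get(key))
        for key in set(a) | set(b)
        if a.get(key) != b.get(key)
    }


def find_differentials(corpus: list[bytes]) -> list[tuple[int, dict]]:
    """Run the differential over a corpus; return (index, disagreement) for each offending sample."""
    return [(i, diff) for i, raw in enumerate(corpus) if (diff := differential(raw))]


# Constructed sample messages: one clean, three that expose a divergence.
SAMPLE_MESSAGES: list[bytes] = [
    b"Host: example.test\r\n\r\n",                                  # both agree
    b"content-length: 10\r\ncontent-length: 20\r\n\r\nbody",        # duplicate field
    b"Content-Length : 5\r\n\r\n",                                  # space before the colon
    b"host: a\nx-flag: 1\n\n",                                      # bare LF terminators
]

if __name__ == "__main__":
    for index, diff in find_differentials(SAMPLE_MESSAGES):
        print(f"sample {index}: parsers disagree on {diff}")
```

Run as a script, the harness reports three of the four constructed samples. The check is cheap to automate against a corpus of recorded traffic or fuzzer output, and a non-empty result is worth triaging even when neither parser is "wrong": the disagreement itself is the property an adversary would look for.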
Discovery of The Hardest to Fix Parser Bug of the Year.
How much cybersecurity cost and effort could be saved by getting the data formats and their parsers right from the get-go? The accepted answers vary from "a lot" to "fixing defects in maintenance costs 100x more than in design", but somehow this doesn't dissuade the world's developers from writing vague format specifications and rolling their own parsers. This award will go to the researchers who discover, disclose, and explain the costliest parser bug that was made possible by an ambiguous or incomplete specification and is hard to fix without changing the standard or creating a new one---but would have been avoided if proper LangSec data format and parser creation practices had been followed.
This bug would help illustrate the LangSec insight that "A data format's design is the parser's doom", and that the stories of continual vulnerabilities start neither with the implementation nor with a programming language's gotchas, but with the RFC's unwitting complexities and ambiguities.
Discovery of The Weirdest Machine of the Year.
How much leverage is given away to the attackers by ad hoc parsers exposed at the communication boundary, a.k.a. the attack surface? Time and time again, attackers have shown that a hand-coded parser for a complex data format is indistinguishable from an execution engine for the exploits coded in the bytes of the inputs, as if they were bytecode instructions for a weird but effective virtual machine. This award will go to the researchers who discover, disclose, and explain the strangest and least expected re-uses of data intake and data processing code to execute unintended and unexpected computations.
No actual bug is necessary for this category, but rather a creative adversarial reuse of system, language, or hardware mechanisms to build the richest emergent computation.
This finding will underscore the LangSec maxim "Any input is a program", and encourage systems engineers to treat inputs as potentially hostile programs looking to exploit unintended properties of code exposed to them. See weird machine and Weird Machines HQ for more context.
Nominations will be accepted for discoveries made since May 2024. In addition, the judges may select historic bugs of the past for honorary mentions in each category, and would appreciate well-founded arguments as to why these bugs are worthy of their places in the parser bug hall of fame.