As I discussed previously, parser
are an underappreciated class of vulnerabilities. In that post I
described what they are and showcased a few examples, but today I'd
like to talk about what to do about them.
I'll present a few options, with advice on when to use each technique.
Yesterday I got inspired to start playing around with Fourier
transforms of images, and I'd like to share some of the results. Most
are intended to just be artistic, although playing around has also
given me a little more insight into how the frequency domain relates
to to the spatial domain. There's also a git repo
so that you can reproduce these images and video yourself, and for
many of the images I'll link to the version of the code that produced
In many of these, I've transformed a grayscale image to the frequency
domain, messed around with the amplitude or phase information, and
then transformed it back into spatial. In others, I've just plotted
the amplitude or phase, and then sometimes post-processed the plots in
I'll start off with one of my favorites so far; many more explorations
under the cut.
Warning: This is sort of a stream-of-consciousness post. Feel free to
just look at the pretty pictures and skim the text.
There's a class of security vulnerabilities that has gotten very
little attention until recently but shows up everywhere. In the past I
called these dueling parser vulnerabilities, but recently
there has been more recognition of this vulnerability class, and the
terms parser confusion and parser mismatch have
come into use. In this post I'll be using "parser mismatch" because it
is the clearest and most descriptive.
A parser mismatch occurs when you have:
Two code locations
...each of which tries to parse the same thing
...but where the parsers disagree on what some inputs mean.
In general, you'll see two kinds of behavior:
For "normal" inputs they'll almost always agree
For malformed inputs, they'll often disagree, creating the
possibility of a vulnerability
This is a recipe for a 100% whole wheat sourdough with no extraneous
ingredients: Just flour, water, salt, and starter. It does not require
any kneading, and instead relies on a low-effort series of tensioning
steps over the course of an evening, followed by an overnight proof
rise. In the morning it is baked in a Dutch oven.
By the numbers:
Active work time is about 30 minutes including all prep and cleanup,
assuming a practiced hand. (On top of that, starter maintenance
totals about 10 minutes per week.)
Start to finish is about 18 hours, but varies based on ambient
15% of the total flour is prefermented (that is, is contributed by
This recipe is best for winter; in a 55–65°F kitchen, a dough
started in the afternoon will be ready to proof by bedtime but will
not be overproofed by morning. In summer, a different recipe may work
I am not a professional baker, and I'm sure this recipe could stand to
be improved. (Suggestions welcome, especially if you end up making
it!) But this has been my weekly bread for a year now, and I've been
quite pleased with the results.