Same, I'm really wondering why this talk just got 415 likes.. Tbh, this was one of the best talks I ever saw ..
@hikingpete 13 years ago
Thank you. This has really opened my eyes. I'll never look at a parser the same way again.
@dustinronin3262 3 years ago
Sorry to be off topic, but do any of you know of a trick to get back into an Instagram account..? I was stupid and lost the account password. I would love any assistance you can give me.
@kierancain8016 3 years ago
@Dustin Ronin Instablaster =)
@VaShthestampede2 2 years ago
@@dustinronin3262 Yeah. Change the password.
@il2626 4 years ago
who else here from live overflow xD
@amirhoseini3563 11 months ago
me
@ecosta an hour ago
19:32 "If you are into that kind of type theory" - where do I sign?
@jsmuskrat 9 months ago
This is a fantastic talk. (I heard it when it came out and couldn't find it again until recently.)
@aromanstuff 13 years ago
Totally phenomenal talk. The presenter is awesome.
@richtourist 10 months ago
I can't quite see the problem with length fields. Suppose the sender wants to send 42 and 69 bytes of arbitrary data: Using delimiters they have to escape any bytes that look like delimiters; and any that look like escapes..? or use something like Rust's r## technique. Using length fields the first byte is how many length fields, then the length fields, which describe the data fields that follow in order. What's the problem? Or are they talking about streams which can't have prior knowledge of their field lengths?
@jjones7837 3 years ago
RIP Len.
@KurtisRainboltGreene 12 years ago
S-expressions don't need to use brackets. She specifically suggests using wrapping characters *that won't exist in the sub-language of the value*.
@sydnius 13 years ago
Superb talk. Spot on.
@capability-snob 3 months ago
6:25 not capabilities issues? Just lost my coffee! 2012 may have been before many of the Java deserialisation issues that plagued the decade, but 8 of the OWASP top 10 that year are capabilities issues, that is, they go away or become obvious the moment you phrase them in ocap terms. Not that parsing isn't a deeply interesting field, but it seems a stretch to speak of it as the most foundational security discipline.
@MaestroAlvis 13 years ago
@Shorttail Did I miss an MLP reference?
@tcsiwula 5 years ago
break all the things for all the things are broken
@MasonTVTheOG 4 years ago
Glad I’m learning rust
@vytemagic 11 years ago
I came here about being insecure in public.
@t9h3m 4 years ago
Did anyone catch what was going on with the lab coat in the end? I can't really make out anything :)
@maverickwoo 2 years ago
I think it is en.wikipedia.org/wiki/Len_Sassaman#/media/File:LenSassaman-Bitcoin-Tribute.png from the speech.
@samposyreeni 13 years ago
Uhm, a fixed width length field most certainly does not make a protocol context sensitive, but only blows up the (D)FA needed to recognize it. On the other hand I'm reasonably sure context sensitive grammars won't cut something like Elias codes. Otherwise, Patterson's ideas are a beautiful formalization of what I've been saying for the longest time: validate first, then compute with minimal checks. Kudos!
@MasonTVTheOG 4 years ago
No cap rustlang mitigates a lot of this... hell yeah
@Jibes 13 years ago
Link to the blackhat conference talk full of lulz is where?
@slimjim1520 8 years ago
Anyone else here because they wanted extra credit for Dr. Winter's class?
@Shorttail 13 years ago
This is fucking awesome. Rainbow Dash agrees.
@Lethn 13 years ago
@GIMBLUTAXT LOL Me too!
@sTL45oUw 13 years ago
"Blackhat 2010 Exploiting the forest with trees". Same BS talk, just from last year and at Blackhat. Who let this academic talk at a hacker con? She doesn't get it.