Parser Weakness Enumeration: Definition and Preliminary Assessment

Denley Lam, Letitia Li, Anthony Gabrielson

2023 IEEE SECURE DEVELOPMENT CONFERENCE, SECDEV(2023)

Abstract
Parsing structured data into meaningful content is fundamental in machine-to-human communication. However, this area persistently contains critical exploitable vulnerabilities directly controllable by an attacker. Developing secure parsers without security bugs is a significant concern. Language Theoretic Security (LangSec) has defined language formalisms for safeguarding untrusted input into parsers. Taking the safety lessons learned in designing specification-compliant language grammars, we present a preliminary Parser Weakness Enumeration (PWE). We identify seven anti-patterns, which occur when modeling data or file formats into structured code during parser development. PWE describes the weaknesses in MITRE's Common Weakness Enumeration (CWE) terminology to encourage best practices when designing and developing parsers without the benefit of a strict language grammar. PWE captures parsing semantics not identified by the security semantics of current CWEs. PWE definitions are actionable, concise, and include potential mitigation guidelines to help securely model format specifications with unsafe code. Our preliminary results include verifying one PWE on one vulnerability in a single program as a proof of concept through static analysis, showing the potential of the approach for automated analysis. Our list of weaknesses is a starting point for further experimentation. Writing secure parsers involves unique insecurities captured by our PWE, and their inclusion in the discussion of software weaknesses would benefit developers.
Keywords
Common Weakness Enumeration, Parsing, Language Security, Software Weaknesses, Secure Design