Seminar - Laughter in the Wild: A Study into DoS Vulnerabilities in YAML Libraries
School of Engineering and Computer Science Seminar
Speaker: Shawn Rasheed
Time: Friday 26th July 2019 at 10:30 AM - 11:30 AM
Location: Cotton Club, Cotton 350
Abstract
YAML is a widely used serialisation language for data interchange and application configuration. Since its introduction, remote code execution vulnerabilities have been reported for YAML parsers, and countermeasures have been proposed. Even though denial-of-service (DoS) vulnerabilities affecting parsers for formats such as XML have been extensively studied, a similar investigation for YAML libraries is lacking. In this paper, we systematically study DoS vulnerabilities for 14 libraries for ten popular programming languages and as a result, we have discovered seven previously unknown vulnerabilities, which have been reported and are pending CVE identifiers.