This work sounds like, in 5 years, after they're finished understanding the last 30 years of parser research, they'll discover the subsequent explosion of type system and model checking research, and move on to that for whitelisting.<p>Extra oddity: language-based security is an entire field.<p>Edit: I'm happy that they're advocating the <i>application</i> of these techniques, and especially helping implementors pin-point where it's needed, I'm just confused at their <i>selection</i> of techniques.
A paper earlier this year at Usenix entitled "The Bugs We Have to Kill" takes a similar position: <a href="https://www.usenix.org/system/files/login/articles/login_aug15_02_bratus.pdf" rel="nofollow">https://www.usenix.org/system/files/login/articles/login_aug...</a><p>In fact, djb quite famously identified parsing as one of the major sources of vulnerabilities, hence his devotion to formats like TAI64, netstrings, cdb and use of the file system namespace where sufficient.<p>(See #5: <a href="http://cr.yp.to/qmail/guarantee.html" rel="nofollow">http://cr.yp.to/qmail/guarantee.html</a>)