In security research we are always trying to find interesting ways to poke at tech. in ways that’ll produce security bugs. Whilst there are lots of tools at our disposal, one that doesn’t always get enough attention, is reading specification documents. Often times these are designed by groups of people with different goals and can leave holes that make for interesting bugs.
This talk will try and get past all the SHOULDs and MUSTs and present a real-world case of how reading specs can lead to interesting research topics.
This talk was delivered for Securi-Tay 2023, there’s a recording from that event here