Language-based Security

Language-based Security
Jay Ligatti, University of South Florida
2/17/2019

Outline
- Introduction to software security
- Constructing secure languages: typing rules, execution rules, type safety
- Extensions
- Summary

Software Security
How can we constrain the behavior of our software?
- In the presence of (malicious) attackers. E.g.: a log-in program must lock out users after three failed attempts.
- Even in the absence of attackers. E.g.: an email program must not send invitations to my drunken myspace page to my professors (a privacy constraint); it also must not enter an infinite loop (it must stay available).

Software Security
Obtaining these constraints requires first obtaining a more common constraint: memory access control (MAC), meaning that data in memory can only be read and written in authorized ways. (This use of "MAC" is unrelated to mandatory access control, which shares the abbreviation.)
Type checking provides MAC:
- Strong checking controls all memory accesses: ML, Java, C#, Haskell, ... (outside their explicitly unsafe escape hatches, such as native or FFI code, which the checker does not cover)
- Weak checking leaves holes open: C++, C, machine code, ...

Type Checking
A well-typed program is itself a proof that the program is properly constrained (i.e., that it accesses memory correctly). The type checker verifies that proof. Static analysis of the code thus guarantees constraints on its run-time behavior.

Type Checking
A foundational security tool. The model of type checking is very general: programs come with proofs of good behavior, and anyone can verify the proofs.
An underappreciated security tool: much of Java's security advantage over C/C++ (in particular its freedom from memory-corruption bugs) is due to type checking.
But how does it work?

A Simple Language
Consider a programming language with integers, booleans, and if-then-else's.
Example: if (if true then false else true) then 6 else 8
Evaluates to? (8: the inner if evaluates to false, so the outer if takes its else branch.)

Typing Rules
For every expression, what's its type?
1) true : bool ["true has type bool"]
2) false : bool
3) n : int (when n is any integer)
4) if e1 then e2 else e3 : ??
Answer: whatever type e2 and e3 have, provided e1 is a bool. As a rule:
   If (e1 : bool and e2 : T and e3 : T) Then (if e1 then e2 else e3 : T)
Examples:
if true then true else false : bool
if true then 4 else 5 : int
if (if true then false else true) then 6 else 8 : int (the condition has type bool, and both branches have type int)
if (if true then 6 else 8) then false else true : ?? No rule applies: the condition has type int, not bool, so the program is ill-typed and the checker rejects it.

Execution Rules
For every expression, how does it execute (i.e., "take a step")?
0) true, false, and integers are final answers and do not execute further
1) if true then e1 else e2 => e1
2) if false then e1 else e2 => e2
3) (assuming e1 is neither true nor false) if e1 then e2 else e3 => ??
Answer: execute e1 first. As a rule:
   If (e1 => e1') Then (if e1 then e2 else e3 => if e1' then e2 else e3)
Example: if (if true then false else true) then 6 else 8 => if false then 6 else 8 => 8
Note what the rules leave out: if e1 is an integer it is a final answer and cannot step, so no rule applies to "if 5 then 6 else 8" and that program is stuck.

Type Safety
With typing and execution rules defined, we can prove a type-safety theorem.
Type safety: well-typed programs will only obey the safe and expected rules of execution. Equivalently, well-typed programs are constrained by the rules of execution: a well-typed program is either a final answer or can take a step permitted by some rule, and the step preserves its type.
How have we constrained well-typed programs in our simple language?

Type Safety in Simple Language
Programs that pass our type checker will only branch on a true or a false value. They will never try to execute anything like "if 5 then 6 else 8"; doing so would require an unsafe and unexpected execution rule.
This is memory access control (MAC): a well-typed program will never read an int in memory when it should read a bool.

Type Safety in General
Well-typed programs will only read and write memory in "appropriate" ways, where "appropriate" means whatever is allowed by the rules of execution.
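The typing rules, the execution rules and the type-safety claim above, carried through in working code. This is an added example, my own code rather than the talk's: the AST classes Bool/Int/If, the functions typecheck/step/evaluate/is_type_safe/survey, and the convention that "no rule applies" is reported as None are my choices, not notation from the talk. It goes one step beyond the slides by enumerating every program of a given nesting depth over the leaves true, false, 6 and 8, confirming that each well-typed one runs to a final answer of its static type, and counting the rejected programs that would actually have run fine (the checker is sound but conservative).

```python
# Added example (my own code, not the talk's): the talk's language of booleans,
# integers and if-then-else, with its typing and execution rules and a check of type safety.
from dataclasses import dataclass
from itertools import product
from typing import Optional, Union

@dataclass(frozen=True)
class Bool:
    value: bool

@dataclass(frozen=True)
class Int:
    value: int

@dataclass(frozen=True)
class If:                 # if cond then then_ else els
    cond: "Expr"
    then_: "Expr"
    els: "Expr"

Expr = Union[Bool, Int, If]

def show(e: Expr) -> str:
    if isinstance(e, Bool):
        return "true" if e.value else "false"
    if isinstance(e, Int):
        return str(e.value)
    return f"(if {show(e.cond)} then {show(e.then_)} else {show(e.els)})"

def typecheck(e: Expr) -> Optional[str]:
    """Typing rules 1-4 from the talk. Returns 'bool' or 'int', or None
    when no rule applies (the checker rejects the program)."""
    if isinstance(e, Bool):
        return "bool"                      # true : bool    false : bool
    if isinstance(e, Int):
        return "int"                       # n : int
    if typecheck(e.cond) != "bool":        # rule 4 needs e1 : bool ...
        return None
    t_then, t_else = typecheck(e.then_), typecheck(e.els)
    return t_then if t_then == t_else else None   # ... and e2 : T, e3 : T

def step(e: Expr) -> Optional[Expr]:
    """One execution step (rules 0-3 from the talk). Returns None when no rule
    applies, i.e. the program is stuck in an unsafe, unexpected state."""
    if not isinstance(e, If):
        return None                        # rule 0: final answers do not step
    if isinstance(e.cond, Bool):           # rules 1 and 2
        return e.then_ if e.cond.value else e.els
    if isinstance(e.cond, Int):            # no rule branches on an integer
        return None
    nxt = step(e.cond)                     # rule 3: execute e1 first
    return None if nxt is None else If(nxt, e.then_, e.els)

def evaluate(e: Expr) -> Optional[Expr]:
    """Run to a final answer; None if the program gets stuck (e.g. if 5 then 6 else 8)."""
    while isinstance(e, If):
        e = step(e)
        if e is None:
            return None
    return e

def is_type_safe(e: Expr) -> bool:
    """Type safety for one well-typed program: every step is permitted by an
    execution rule (progress) and keeps the static type (preservation)."""
    t = typecheck(e)
    assert t is not None, "only meaningful for well-typed programs"
    while isinstance(e, If):
        e = step(e)
        if e is None or typecheck(e) != t:
            return False
    return True

def programs(depth: int) -> list:
    """Every program over true/false/6/8 with if-nesting up to `depth`."""
    leaves = [Bool(True), Bool(False), Int(6), Int(8)]
    if depth == 0:
        return leaves
    sub = programs(depth - 1)
    return leaves + [If(c, t, f) for c, t, f in product(sub, repeat=3)]

def survey(depth: int = 1) -> dict:
    """Check type safety on every well-typed program, and count rejected programs
    that would still have run fine (the checker is sound but conservative)."""
    well_typed = safe = rejected = rejected_stuck = 0
    for p in programs(depth):
        if typecheck(p) is not None:
            well_typed += 1
            safe += is_type_safe(p)
        else:
            rejected += 1
            rejected_stuck += evaluate(p) is None
    return {"programs": well_typed + rejected, "well_typed": well_typed,
            "well_typed_and_safe": safe, "rejected": rejected,
            "rejected_and_stuck": rejected_stuck}

if __name__ == "__main__":
    talk = If(If(Bool(True), Bool(False), Bool(True)), Int(6), Int(8))
    print(show(talk), ":", typecheck(talk), "=>", show(evaluate(talk)))
    print(survey(1))
```

At depth 1 there are 68 programs; 20 type-check and all 20 are type safe, while of the 48 rejected, 32 are genuinely stuck (they branch on an integer) and 16 would have run fine but were rejected because their two branches have different types. That gap is the price of a static guarantee: the checker never admits a program that could reach a state with no execution rule, and it pays for that by refusing some programs that happen to be harmless.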

Type Safety
We could add features to the language and prove:
- Only memory containing code gets executed
- Only in-bounds array elements get read or written
- Only correctly typed pointers get dereferenced (e.g., return addresses really are return addresses)
- Only public methods of objects can be executed by other objects
In each case, memory access is constrained by the execution rules.

Run-time-checks Extension
Type safety provides a foundation for higher-level constraints. We can add run-time checks to constrain software further, e.g., to lock out users after failed logins, or to refuse to email myspace invitations to professors. Type safety ensures that the run-time checks themselves always work correctly: because no well-typed code can read or write memory inappropriately, the code and data of a check cannot be bypassed or corrupted by the program it constrains.

Summary
Well-typed programs have constrained run-time behaviors: they only execute according to safe and expected rules, and therefore never access memory inappropriately. Programming in strongly typed languages like ML and Java is a good basis for writing secure code.

Thanks. Questions?