Language-based Security
1 Language-based Security
Jay Ligatti, University of South Florida, 2/17/2019

2 Outline
- Introduction to software security
- Constructing secure languages
  - Typing rules
  - Execution rules
  - Type safety
- Extensions
- Summary

3-5 Software Security
How can we constrain the behavior of our software?
- In the presence of (malicious) attackers. E.g., a log-in program must lock out users after three failed attempts.
- Even in the absence of attackers. E.g., a program must not send invitations to my drunken myspace page to my professors (a privacy constraint); it also must not enter an infinite loop (it must stay available).

6 Software Security
Obtaining these constraints requires first obtaining a more common constraint: memory access control (MAC, here meaning control of memory accesses, not mandatory access control). Data in memory can only be read and written in authorized ways.

7 Software Security
Memory access control (MAC): data in memory can only be read and written in authorized ways.
- Type checking provides MAC.
- Strong checking controls all memory accesses: ML, Java, C#, Haskell, ...
- Weak checking leaves holes open: C++, C, machine code, ...
Note that the strongly checked languages keep escape hatches (Java's JNI, C#'s unsafe blocks, OCaml's Obj.magic) through which the guarantee is lost, and their runtimes are themselves written in C/C++; the guarantee covers code that stays inside the checked language.

8 Type Checking
- A well-typed program is itself a proof that the program is properly constrained (i.e., accesses memory correctly).
- The type-checker verifies that proof.
- Static analysis of the code thus guarantees run-time constraints.

9 Type Checking
- A foundational security tool: the model of type checking is very general. Programs come with proofs of good behavior, and anyone can verify the proofs.
- An underappreciated security tool: Java's superior security over C/C++ is primarily due to type checking.
- But how does it work?

10 Outline (same list as slide 2; next section: Constructing secure languages)

11 A Simple Language
Consider a programming language with integers, booleans, and if-then-else's.
Example: if (if true then false else true) then 6 else 8
Evaluates to? (Answer: 8; the execution rules on slides 18-20 show how.)

12 Typing Rules
For every expression, what's its type?
1) true : bool ["true has type bool"]
2) false : bool
3) n : int (when n is any integer)
4) if e1 then e2 else e3 : ??

13-14 Typing Rules
4) if e1 then e2 else e3 : ??
Answer: whatever type e2 and e3 have (the two branches must agree):
  if true then true else false : bool
  if true then 4 else 5 : int

15-17 Typing Rules
4) If (e1 : bool and e2 : T and e3 : T) then (if e1 then e2 else e3 : T)
Examples:
  if (if true then false else true) then 6 else 8 : ??
  Answer: int. The condition has type bool (both of its branches are bool) and both outer branches are int.
  if (if true then 6 else 8) then false else true : ??
  Answer: no type. The condition has type int, not bool, so rule 4 does not apply and the type checker rejects the program.

18-20 Execution Rules
For every expression, how does it execute (i.e., "take a step")?
0) true, false, and integers are final answers and do not execute further
1) if true then e1 else e2 => e1
2) if false then e1 else e2 => e2
3) (assuming e1 is neither true nor false) if e1 then e2 else e3 => ??
Answer: execute e1 first.
  If (e1 => e1') then (if e1 then e2 else e3 => if e1' then e2 else e3)
Example: if (if true then false else true) then 6 else 8 => if false then 6 else 8
Note that if e1 is an integer, none of rules 0-3 applies: the program is stuck, and that is exactly the situation the typing rules rule out.

21-22 Type Safety
With typing and execution rules defined, we can prove a type-safety theorem.
Type safety: well-typed programs will only obey the safe and expected rules of execution.
So well-typed programs are constrained by the rules of execution. How have we constrained well-typed programs in our simple language?

23-24 Type Safety in Simple Language
Programs that pass our type checker will only branch on a true or a false value.
- They will never try to execute anything like "if 5 then 6 else 8"; doing so would require an unsafe and unexpected execution rule.
- Memory access control (MAC): a well-typed program will never read an int in memory when it should read a bool.
[diagram: memory cells labeled bool and int]

25 Type Safety in General
Well-typed programs will only read and write memory in "appropriate" ways, where "appropriate" means whatever the rules of execution allow.
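The following Python program is an added example and is not part of Ligatti's slides. It implements the slides' language end to end: the four typing rules (slides 12-17) as `typeof`, execution rules 0-3 (slides 18-20) as `is_value` and `step`, and a brute-force check of the type-safety theorem (slides 21-25) that, for every well-typed program in a constructed finite set, confirms it keeps stepping at the same type until it is a value (progress and preservation). The exception names `IllTyped` and `Stuck`, the helpers `show`, `run`, `small_terms` and `check_type_safety`, and the constants `SLIDE_11`, `SLIDE_17` and `SLIDE_23` (the slides' three example programs as ASTs) are this example's own choices.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Abstract syntax of the slides' language: true/false, integers, if-then-else.
@dataclass(frozen=True)
class Bool:
    value: bool

@dataclass(frozen=True)
class Int:
    value: int

@dataclass(frozen=True)
class If:
    cond: "Expr"
    then: "Expr"
    els: "Expr"

Expr = Union[Bool, Int, If]

class IllTyped(Exception):
    """No typing rule applies: the type checker rejects the program."""

class Stuck(Exception):
    """No execution rule applies: going on would need an unsafe, unexpected rule."""

def is_value(e: Expr) -> bool:
    return isinstance(e, (Bool, Int))  # rule 0: final answers do not step

def show(e: Expr) -> str:
    """Print an AST in the slides' concrete syntax (nested conditions in parens)."""
    if is_value(e):
        return str(e.value).lower()  # True -> "true", 6 -> "6"
    cond = f"({show(e.cond)})" if isinstance(e.cond, If) else show(e.cond)
    return f"if {cond} then {show(e.then)} else {show(e.els)}"

def typeof(e: Expr) -> str:
    """Typing rules 1-4: returns 'bool' or 'int', or raises IllTyped."""
    if isinstance(e, Bool):  # rules 1, 2: true : bool, false : bool
        return "bool"
    if isinstance(e, Int):  # rule 3: n : int
        return "int"
    # rule 4: if e1 : bool and e2 : T and e3 : T, then (if e1 then e2 else e3) : T
    if typeof(e.cond) != "bool":
        raise IllTyped(f"condition '{show(e.cond)}' is not a bool")
    t2, t3 = typeof(e.then), typeof(e.els)
    if t2 != t3:
        raise IllTyped(f"branches have different types ({t2} vs {t3})")
    return t2

def step(e: Expr) -> Expr:
    """Execution rules 1-3: one small step, or Stuck if no rule matches."""
    if is_value(e):
        raise Stuck(f"'{show(e)}' is a final answer")
    if isinstance(e.cond, Bool):  # rules 1, 2: pick a branch
        return e.then if e.cond.value else e.els
    if is_value(e.cond):  # an integer condition: no rule exists for it
        raise Stuck(f"no rule to branch on '{show(e.cond)}'")
    return If(step(e.cond), e.then, e.els)  # rule 3: execute the condition first

def run(e: Expr) -> Tuple[List[Expr], bool]:
    """Step to a value or until stuck; returns the trace and whether it finished."""
    trace = [e]
    while not is_value(e):
        try:
            e = step(e)
        except Stuck:
            return trace, False
        trace.append(e)
    return trace, True

VALUES: List[Expr] = [Bool(True), Bool(False), Int(6), Int(8)]  # constructed sample values

def small_terms() -> List[Expr]:
    """All programs of depth <= 2, plus those whose condition is such a program."""
    depth2 = VALUES + [If(a, b, c) for a in VALUES for b in VALUES for c in VALUES]
    return VALUES + [If(c, t, f) for c in depth2 for t in VALUES for f in VALUES]

def check_type_safety(terms: List[Expr]) -> Tuple[int, int]:
    """Brute-force progress and preservation; returns (well-typed, ill-typed) counts."""
    well_typed = ill_typed = 0
    for e in terms:
        try:
            t = typeof(e)  # type-check first; only then is the program executed
        except IllTyped:  # the theorem says nothing about ill-typed programs
            ill_typed += 1
            continue
        well_typed += 1
        while not is_value(e):
            e = step(e)  # progress: a well-typed non-value must step, never Stuck
            if typeof(e) != t:  # preservation: stepping keeps the type
                raise RuntimeError(f"preservation failed at '{show(e)}'")
    return well_typed, ill_typed

# The slides' example programs, encoded as ASTs (slides 11, 17 and 23).
SLIDE_11 = If(If(Bool(True), Bool(False), Bool(True)), Int(6), Int(8))
SLIDE_17 = If(If(Bool(True), Int(6), Int(8)), Bool(False), Bool(True))
SLIDE_23 = If(Int(5), Int(6), Int(8))
```

`run(SLIDE_11)` reproduces slide 19's trace and ends in 8, while `run(SLIDE_17)` takes one step by rule 3 to `if 6 then false else true` and then gets stuck, which is what `typeof(SLIDE_17)` rejects up front; `run(SLIDE_23)` is stuck immediately. `check_type_safety(small_terms())` walks 1092 constructed programs and finds 84 well-typed ones, none of which gets stuck or changes type. The discipline that matters for security is the order inside that function: `typeof` before `step`, so nothing unchecked is ever executed. One caveat the brute-force run also makes visible: a program such as `if true then 6 else false` would run fine to 6, yet rule 4 rejects it because its branches disagree, so the checker is sound but conservative and rejects some programs that would in fact behave.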

26 Outline (same list as slide 2; next section: Extensions)

27-28 Type Safety
Could add features to the language and prove:
- Only memory containing code gets executed
- Only in-bounds array elements get read/written
- Only correctly typed pointers get dereferenced (e.g., return addresses really are return addresses)
- Only public methods in objects can be executed by other objects
In each case, memory access is constrained by the execution rules.

29 Run-time-checks Extension
Type safety provides a foundation for higher-level constraints. Run-time checks can constrain software further, e.g., to lock out users after failed logins, or to refuse to send myspace invitations to professors. Type safety ensures that such run-time checks cannot be bypassed or corrupted by the program they constrain (their code and state cannot be overwritten through an ill-typed memory access); it does not make an incorrectly written check correct.

30 Outline (same list as slide 2; next section: Summary)

31 Summary
- Well-typed programs have constrained run-time behaviors: they only execute according to safe and expected rules, so they will never access memory inappropriately.
- Programming in strongly typed languages like ML and Java is a good basis for writing secure code.

32 Thanks
Questions?
