The Impact of Programming Language Theory on Computer Security
Drew Dean, Computer Science Laboratory, SRI International

Slide 2: What I'm Not Talking About
- Cryptographic protocol verification
  - See, e.g., the Computer Security Foundations Workshop
- Type systems for non-interference
  - See, e.g., POPL

Slide 3
- Much of security is: "Program P exactly implements Specification S, and no more."
- For this talk, we assume that the specification is correct.

Slide 4: Security Tripos
- No undefined user-mode behavior
- Proper system call use
- Correctness with respect to critical requirements

Slide 5: Correctness with Respect to Security
- No system that misses security checks can be secure
  - Program verification
  - Architectural support
    - Stack inspection
    - Security-passing style [WAF]

Slide 6: Program Verification
- Obvious connections
  - Lambda calculus, Curry-Howard
  - Hoare logic
  - ...

Slide 7: Architectural Support
- Stack inspection
  - Access control based on endorsement of code: it answers "Who called me?"
  - Designed to prevent untrusted code from bypassing access controls, while allowing higher-level code to assert that it knows what it is doing

Slide 8: Stack Inspection Example
- An applet wants to use the Helvetica font
- This may require the JVM to read a file
- Solution:
  - The font-handling code checks its arguments
  - If successful, it asserts privilege
  - It then attempts to read the file; the file-access check notes that the (privileged) font code has asserted that everything is OK

Slide 9: Stack Inspection: Critique
- Exposes the call stack
  - Tail call elimination becomes painful
  - Function inlining is also painful
  - Goodbye, Church-Rosser, goodbye!

Slide 10: Security-Passing Style
- Wallach, Appel, Felten, TOSEM 9/00
- A la CPS, pass the security context as an extra (implicit) argument
- Restores tail call elimination and function inlining
- Does not restore Church-Rosser
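To make the relationship between slides 7 through 10 concrete, here is an added example (not code from the talk or from Wallach, Appel and Felten) that runs the same access-control decisions through two models: a Java-style stack walk, and a security-passing-style context threaded through calls as an extra argument. The policy (only "system" code is ever granted a permission), the principals, the permission names and the event trace are all constructed for the example; the trace follows the Helvetica-font scenario of slide 8.

```python
"""Stack inspection versus security-passing style (SPS), run side by side
on the same call/enable/check events.  Constructed policy: only the
"system" principal may ever hold a permission."""
from dataclasses import dataclass

PERMISSIONS = frozenset({"readFile", "openSocket"})   # constructed


def granted_by_policy(principal: str, perm: str) -> bool:
    """Static policy (assumption): system code is granted everything,
    untrusted code (e.g. an applet) nothing."""
    return principal == "system"


@dataclass
class Frame:
    principal: str
    enabled: set      # permissions this frame asserted via enablePrivilege


# --- Model 1: stack inspection ("Who called me?") --------------------------
def stack_inspection(stack: list, perm: str) -> bool:
    """Walk from the most recent frame downwards.  A frame whose principal
    is not granted `perm` denies; a frame that enabled `perm` allows and
    stops the walk; reaching the bottom with every frame trusted allows."""
    for frame in reversed(stack):
        if not granted_by_policy(frame.principal, perm):
            return False
        if perm in frame.enabled:
            return True
    return True


# --- Model 2: security-passing style (context as an extra argument) --------
def sps_initial(principal: str) -> frozenset:
    return frozenset(p for p in PERMISSIONS if granted_by_policy(principal, p))


def sps_call(ctx: frozenset, callee: str) -> frozenset:
    # Entering a callee can only shrink the context to the callee's grants.
    return frozenset(p for p in ctx if granted_by_policy(callee, p))


def sps_enable(ctx: frozenset, principal: str, perm: str) -> frozenset:
    # enablePrivilege re-adds a permission the current principal is granted.
    return ctx | {perm} if granted_by_policy(principal, perm) else ctx


def sps_check(ctx: frozenset, perm: str) -> bool:
    return perm in ctx


# --- Drive both models with one event trace ---------------------------------
def run(events: list) -> list:
    """events: ("call", principal) | ("enable", perm) | ("check", perm) |
    ("return",).  Returns the outcome of every check and raises if the two
    models ever disagree."""
    stack, ctxs, results = [], [], []
    for ev in events:
        if ev[0] == "call":
            stack.append(Frame(ev[1], set()))
            ctxs.append(sps_initial(ev[1]) if not ctxs else sps_call(ctxs[-1], ev[1]))
        elif ev[0] == "enable":
            stack[-1].enabled.add(ev[1])
            ctxs[-1] = sps_enable(ctxs[-1], stack[-1].principal, ev[1])
        elif ev[0] == "check":
            walk, passed = stack_inspection(stack, ev[1]), sps_check(ctxs[-1], ev[1])
            if walk != passed:
                raise AssertionError(f"models disagree on {ev[1]}: {walk} vs {passed}")
            results.append(walk)
        elif ev[0] == "return":
            stack.pop()
            ctxs.pop()
    return results


# Slide 8's scenario as a constructed event trace.
SLIDE_8 = [
    ("call", "applet"),        # untrusted applet asks for Helvetica
    ("call", "system"),        # font-handling code
    ("check", "readFile"),     # before asserting: the applet is on the stack -> denied
    ("enable", "readFile"),    # arguments validated; font code asserts privilege
    ("call", "system"),        # file-access code
    ("check", "readFile"),     # walk stops at the asserting frame -> allowed
    ("return",), ("return",),
    ("check", "readFile"),     # back in the applet alone -> denied
]

if __name__ == "__main__":
    print(run(SLIDE_8))        # [False, True, False]
```

The SPS context of a frame depends only on the context handed in and on that frame's own enables, never on the frames below it, which is why a compiler may drop a caller's frame (tail call) or merge it into the callee (inlining) without changing any later check; the stack-walk model has to keep every frame around to answer the same question.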

Slide 11: Observation
- SPS is a closer analogue of CPS than its authors say
- Shivers: "Threads are paths through continuation space"
- Continuations are the right semantic object to attach permissions to
- Would a dependent type system work out?

Slide 12: Properly Using System Calls
- If a program handles its own security (e.g., ftpd), it had better use system calls correctly
- Many programs don't
  - wu-ftpd
  - Sendmail
  - ...

Slide 13: How Can PLT Help?
- Joint work with David Wagner and Hao Chen, UC Berkeley
- Given a program, turn its control-flow graph into an automaton that accepts the language of its system calls

Slide 14: IEEE S&P 2001
- Take the automaton and check the runtime trace of system calls against it, for anomaly detection
- (Most of) the benefits of specification-based intrusion detection, without needing the non-existent specification
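The two steps of slides 13 and 14 (derive an automaton from the control-flow graph, then check a runtime trace against it) as an added, self-contained example; this is not the IEEE S&P 2001 system, and the control-flow graph is a constructed abstraction of a small accept/read/write server in which every node is labelled only by the system call it makes (`None` marks an edge that makes no system call). The graph is simulated as an NFA, so branches and loops in the program simply become nondeterminism.

```python
"""System-call automaton from an abstracted control-flow graph, and online
anomaly detection over a trace of system calls (constructed example)."""
from typing import Iterator, Optional

# node -> list of (system call or None, successor).  Constructed CFG of a
# server: socket, bind, listen, then a loop of accept/read/[write]/close,
# until it exits.
CFG = {
    "entry":     [("socket", "have_sock")],
    "have_sock": [("bind", "bound")],
    "bound":     [("listen", "loop")],
    "loop":      [("accept", "conn"), ("exit", "done")],
    "conn":      [("read", "got_req")],
    "got_req":   [("write", "replied"), (None, "replied")],  # reply is optional
    "replied":   [("close", "loop")],
    "done":      [],
}
START, ACCEPTING = "entry", frozenset({"done"})


def epsilon_closure(states) -> frozenset:
    """Follow every edge that makes no system call."""
    todo, seen = list(states), set(states)
    while todo:
        node = todo.pop()
        for label, succ in CFG.get(node, []):
            if label is None and succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return frozenset(seen)


def step(states: frozenset, syscall: str) -> frozenset:
    """All nodes reachable from `states` by exactly this system call."""
    nxt = {succ for node in states
           for label, succ in CFG.get(node, []) if label == syscall}
    return epsilon_closure(nxt)


def simulate(trace: list) -> Iterator[frozenset]:
    """Yield the live state set after each call; an empty set means the
    program has no path on which that call could have happened."""
    states = epsilon_closure({START})
    for call in trace:
        states = step(states, call)
        yield states


def first_anomaly(trace: list) -> Optional[int]:
    """Index of the first system call the automaton cannot explain, or None.
    This is the online detector: it does not need the trace to be finished."""
    for i, states in enumerate(simulate(trace)):
        if not states:
            return i
    return None


def accepts(trace: list) -> bool:
    """True only for a complete run: every call explained and the program
    in an accepting (exited) state at the end."""
    states = epsilon_closure({START})
    for states in simulate(trace):
        if not states:
            return False
    return bool(states & ACCEPTING)


# Constructed traces.
NORMAL = ["socket", "bind", "listen", "accept", "read", "write", "close",
          "accept", "read", "close", "exit"]
UNEXPECTED = ["socket", "bind", "listen", "accept", "read", "execve"]

if __name__ == "__main__":
    print(first_anomaly(NORMAL), accepts(NORMAL))        # None True
    print(first_anomaly(UNEXPECTED))                     # 5
```

Because the automaton is derived from the program rather than written by hand, it is exactly the "spec" that slide 14 says nobody has, and anything the program's own control flow cannot produce (here, an `execve` after a `read`) is flagged at the first offending call. A single function's CFG as an NFA does not match calls with returns; a model that tracks the call stack needs a pushdown automaton, and precision beyond this toy is where the real work lies.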

Slide 15: Current Work
- Take the abstracted specification, and throw it and a library of security "best practices" (and known attacks) at a (custom) model checker
- But this requires understanding system calls
  - Usually the POSIX spec is reasonable
  - But not for set*uid()

Slide 16: Understanding set*uid
- Absolutely necessary for writing secure setuid Unix programs
- Linux, FreeBSD, and Solaris are all subtly different
  - Even though all are POSIX compliant
- The kernel code is unreadable
- Reverse engineer a formal model
- Will appear at USENIX Security 2002
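What "subtly different" means in practice, as an added example in the spirit of the formal model slide 16 describes (this is my own illustration, not the model from the USENIX Security 2002 paper). Process identity is the triple (ruid, euid, suid); each rule below returns the new triple or `None` for EPERM. The per-OS rules are my reading of 2002-era Linux, FreeBSD and Solaris behaviour and are assumptions to verify against the kernel you target; `seteuid()` is modelled identically on all three for simplicity, and fsuid, capabilities and `setresuid()` are left out.

```python
"""A small state model of setuid()/seteuid() over (ruid, euid, suid) for
three OS variants, plus a check for whether privilege was really dropped.
Per-OS rules are assumptions about 2002-era kernels; constructed example."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Ids:
    ruid: int
    euid: int
    suid: int


def setuid_linux(ids: Ids, x: int) -> Optional[Ids]:
    if ids.euid == 0:                  # privileged: all three change
        return Ids(x, x, x)
    if x in (ids.ruid, ids.suid):      # unprivileged: only euid changes
        return replace(ids, euid=x)
    return None                        # EPERM


setuid_solaris = setuid_linux          # same shape in this model (assumption)


def setuid_freebsd(ids: Ids, x: int) -> Optional[Ids]:
    if ids.euid == 0 or x in (ids.ruid, ids.suid):
        return Ids(x, x, x)            # all three change in either case (assumption)
    return None


def seteuid(ids: Ids, x: int) -> Optional[Ids]:
    # Modelled identically on all three systems here (assumption).
    if ids.euid == 0 or x in (ids.ruid, ids.euid, ids.suid):
        return replace(ids, euid=x)
    return None


OS = {
    "linux":   {"setuid": setuid_linux,   "seteuid": seteuid},
    "solaris": {"setuid": setuid_solaris, "seteuid": seteuid},
    "freebsd": {"setuid": setuid_freebsd, "seteuid": seteuid},
}


def apply_calls(os_name: str, start: Ids, calls: list) -> Ids:
    """Apply (syscall, arg) pairs in order.  EPERM raises, so an ignored
    failure cannot masquerade as a successful privilege drop."""
    ids = start
    for name, arg in calls:
        nxt = OS[os_name][name](ids, arg)
        if nxt is None:
            raise PermissionError(f"{os_name}: {name}({arg}) fails from {ids}")
        ids = nxt
    return ids


def can_regain_root(os_name: str, ids: Ids) -> bool:
    """Privilege is only dropped if no further set*uid() call restores euid 0."""
    for name in ("seteuid", "setuid"):
        nxt = OS[os_name][name](ids, 0)
        if nxt is not None and nxt.euid == 0:
            return True
    return False


def permanent_drop_check(os_name: str, calls: list) -> bool:
    """A setuid-root program started by uid 1000 (constructed) runs `calls`;
    True if root cannot be regained afterwards."""
    final = apply_calls(os_name, Ids(ruid=1000, euid=0, suid=0), calls)
    return not can_regain_root(os_name, final)


DIRECT = [("setuid", 1000)]
TEMP_THEN_DROP = [("seteuid", 1000), ("setuid", 1000)]   # drop temporarily, then "for good"

if __name__ == "__main__":
    for name in OS:
        print(name, permanent_drop_check(name, DIRECT), permanent_drop_check(name, TEMP_THEN_DROP))
```

The second sequence is the interesting one: a program that first lowers its effective uid temporarily and later calls `setuid(uid)` to drop for good ends up with suid still 0 on the Linux and Solaris models (the unprivileged `setuid()` touched only euid), so `seteuid(0)` brings root back, while the FreeBSD model resets all three ids and the drop is real. Every call succeeded on every system, which is exactly why reading return values is not enough and a state model is worth having.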

Slide 17: No Undefined User-mode Behavior
- Buffer overflows are still a problem in 2002
- PL people think this is stupid
  - It is
- Like it or not, most of the world codes in C or unsafe C++

Slide 18: Not Just Buffer Overflows
- Any corruption of program state can cause a vulnerability
  - A nearly science-fiction attack based on a C program double-freeing a pointer

Slide 19: Observation
- Memory comes in two colors
  - Storage for variables
  - Compiler/runtime support

Slide 20: Partition Property
- "All variables only refer to memory locations that the compiler has mapped to program variables, not compiler/runtime support (e.g., return addresses, temporaries for evaluating expressions, memory management overhead, etc.)"

Slide 21: Partition Properties
- Note that this is weaker than non-interference
  - Values obviously depend on program values
- Stronger than some forms of memory and type safety
- Should be a theorem of modern (safe) languages
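The two-colour view of slides 19 through 21 as an added, runnable model (my illustration, not anything from the talk): every memory cell is tagged either VAR (storage the compiler mapped to a program variable) or RUNTIME (return addresses, saved frame pointers, temporaries, allocator metadata), and a store made on behalf of a program variable is checked against that tag. The frame layout, the cell contents and the oversized input are constructed; the point is that the partition property, enforced as a check, rejects exactly the write an overlong copy into a stack buffer would make into the return-address cell.

```python
"""Two-colour memory and a partition-property check (constructed model)."""
from enum import Enum


class Color(Enum):
    VAR = "var"            # program-variable storage
    RUNTIME = "runtime"    # compiler/runtime support


class PartitionViolation(Exception):
    """A program variable tried to refer to compiler/runtime support memory."""


class Memory:
    def __init__(self, layout):
        """layout: list of (name, colour) per cell, lowest address first."""
        self.cells = [0] * len(layout)
        self.color = [c for _, c in layout]
        self.names = [n for n, _ in layout]

    def addr(self, name: str) -> int:
        return self.names.index(name)

    def store(self, addr: int, value: int, checked: bool = True) -> None:
        if not 0 <= addr < len(self.cells):
            raise IndexError(addr)
        if checked and self.color[addr] is Color.RUNTIME:
            raise PartitionViolation(f"write to {self.names[addr]} at {addr}")
        self.cells[addr] = value


def make_frame() -> Memory:
    """A C-like frame, low addresses first: an 8-byte buffer, then the saved
    frame pointer and return address the compiler laid down."""
    layout = [(f"buf[{i}]", Color.VAR) for i in range(8)]
    layout += [("saved_fp", Color.RUNTIME), ("ret_addr", Color.RUNTIME)]
    mem = Memory(layout)
    # The compiler's own write is not a program-variable access, so unchecked.
    mem.store(mem.addr("ret_addr"), 0x4000, checked=False)   # constructed value
    return mem


def unchecked_copy(mem: Memory, dst: int, data: list) -> int:
    """C semantics: copy every byte, no bounds; returns the return-address cell."""
    for i, b in enumerate(data):
        mem.store(dst + i, b, checked=False)
    return mem.cells[mem.addr("ret_addr")]


def partition_checked_copy(mem: Memory, dst: int, data: list) -> int:
    """Same copy, but every store goes through the two-colour check."""
    for i, b in enumerate(data):
        mem.store(dst + i, b)
    return mem.cells[mem.addr("ret_addr")]


def demo(checked: bool):
    """Copy 10 bytes into the 8-byte buffer.  Returns the return-address cell
    afterwards, or the string 'violation' if the check stopped the copy."""
    mem = make_frame()
    data = list(b"A" * 10)                     # constructed oversized input
    copy = partition_checked_copy if checked else unchecked_copy
    try:
        return copy(mem, mem.addr("buf[0]"), data)
    except PartitionViolation:
        return "violation"


if __name__ == "__main__":
    print(hex(demo(False)))   # 0x41: the return address now holds input data
    print(demo(True))         # violation: the copy stops at saved_fp
```

Note where the check fires: at the first RUNTIME cell (`saved_fp`), before the return address is reached, and without the checker knowing anything about what the program computes. That is the sense in which slide 21 calls the property weaker than non-interference (values still flow freely between variables) yet strong enough to rule out the state corruption of slides 17 and 18; a safe language discharges the check statically, where C leaves it to the programmer.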

Slide 22: Conclusions
- This was a brief survey of a wide field
- "And no more" is hard to implement
- Hopefully, breaking it down helps:
  - No undefined behavior
  - Proper system call use
  - Correctness with respect to critical requirements