Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.

Published byNathaniel Sanders Modified over 8 years ago

Similar presentations

Presentation on theme: "The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International."— Presentation transcript:

1 The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International

2 2 What I’m not Talking About Cryptographic Protocol Verification  See, e.g., Computer Security Foundations Workshop Type Systems for Non-Interference  See, e.g., POPL

3 3 Much of security is: “Program P exactly implements Specification S and no more.” For this talk, we assume that the specification is correct

4 4 Security Tripos No undefined user mode behavior Proper system call use Correctness wrt critical requirements

5 5 Correctness wrt Security No system that misses security checks can be secure  Program Verification  Architectural Support Stack inspection Security Passing Style [WAF]

6 6 Program Verification Obvious connections  Lambda calculus, Curry-Howard  Hoare Logic  …

7 7 Architectural Support Stack Inspection  Access control based on endorsement of code: answers “Who called me?”  Designed to prevent untrusted code from bypassing access controls, while allowing higher level code to assert that it knows what it’s doing

8 8 Stack Inspection Example Applet wants to use the Helvetica font May require JVM to read a file Solution:  Font handling code checks arguments  If successful, asserts privilege  Attempts to read file Which notes that font code (privileged) has asserted everything’s OK

9 9 Stack Inspection: Critique Exposes call stack  Tail call elimination painful  Function inlining also painful  Goodbye, Church-Rosser, goodbye!

10 10 Security Passing Style Wallach, Appel, Felten, TOSEM 9/00 A la CPS, pass security context as an extra (implicit) argument Restores tail call elimination and function inlining Doesn’t restore Church-Rosser

11 11 Observation SPS is in closer analogy to CPS than its authors say Shivers: “Threads are paths through continuation space” Continuations are the right semantic object to attach permissions to Would a dependent type system work out?

12 12 Properly Using System Calls If a program handles its own security, e.g., ftpd, it better use system calls correctly Many programs don’t  Wu-ftpd  Sendmail  …

13 13 How Can PLT help? Joint work with David Wagner and Hao Chen, UC Berkeley Given a program, morph control flow graph into an automaton that accepts language of system calls

14 14 IEEE S&P 2001 Take automaton, check runtime trace of system calls for anomaly detection (Most of) Benefits of specification- based intrusion detection without needing the non-existent spec

15 15 Current Work Take abstracted specification, throw it and library of security “best practices” (and known attacks) at (custom) model checker But this requires understanding system calls Usually the POSIX spec is reasonable But not for set*uid()

16 16 Understanding set*uid Absolutely necessary for writing secure setuid Unix programs Linux, FreeBSD, Solaris all subtly different  Even if all POSIX compliant Kernel code unreadable Reverse engineer formal model Will appear at USENIX Security 2002

17 17 No Undefined User-mode Behavior Buffer overflows are still a problem in 2002 PL people think this is stupid  It is Like it or not, most of the world codes in C or unsafe C++

18 18 Not Just Buffer Overflows Any corruption of program state can cause vulnerability  Nearly science fiction attack based on a C program double freeing a pointer

19 19 Observation Memory comes in two colors  Storage of variables  Compiler/runtime support

20 20 Partition Property “All variables only refer to memory locations that the compiler has mapped to program variables, not compiler/runtime support (e.g., return addresses, temporaries for evaluating expressions, memory management overhead, etc.)”

21 21 Partition Properties Note that this is weaker than non- interference  Values obviously depend on program values Stronger than some forms of memory & type safety Should be a theorem of modern (safe) languages

22 22 Conclusions This was a brief survey of a wide field “and no more” is hard to implement Hopefully, breaking it down helps No undefined behavior Proper system call use Correctness wrt critical requirements

Download ppt "The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International."

Similar presentations

The ideal of program correctness Tony Hoare CAVSeattleAugust 2006.

The ideal of program correctness Tony Hoare CAVSeattleAugust 2006.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
The ideal of program correctness Tony Hoare BudapestSeptember 2006.

The ideal of program correctness Tony Hoare BudapestSeptember 2006.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
/191 Typed Compilation of Objects Andrew McCreight and Zhong Shao FLINT Project Yale University.

/191 Typed Compilation of Objects Andrew McCreight and Zhong Shao FLINT Project Yale University.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Software Security David Wagner University of California at Berkeley.

Software Security David Wagner University of California at Berkeley.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
In vfprintf(), if (fmt points to “%n”) then **ap = (character count) Achieving Trusted Systems by Providing Security and Reliability FORMAL REASONING ON.

In vfprintf(), if (fmt points to “%n”) then **ap = (character count) Achieving Trusted Systems by Providing Security and Reliability FORMAL REASONING ON.
Stacks and HeapsCS-502 Fall 20071 A Short Digression Stacks and Heaps CS-502, Operating Systems Fall 2007 (Slides include materials from Operating System.

Stacks and HeapsCS-502 Fall A Short Digression Stacks and Heaps CS-502, Operating Systems Fall 2007 (Slides include materials from Operating System.

Similar presentations

Ads by Google