6142009 - PowerPoint PPT Presentation

Slides: 33
Provided by: liga8
Learn more at: https://www.cse.usf.edu

Transcript and Presenter's Notes

1
Language-based Security
  • Jay Ligatti, University of South Florida

2
Outline
  • Introduction to software security
  • Constructing secure languages
  • Typing rules
  • Execution rules
  • Type safety
  • Extensions
  • Summary

3
Software Security
  • How can we constrain the behavior of our software?

4
Software Security
  • How can we constrain the behavior of our
    software?
  • In the presence of (malicious) attackers
  • E.g. Log-in program must lock out users after
    three failed attempts

5
Software Security
  • How can we constrain the behavior of our
    software?
  • In the presence of (malicious) attackers
  • E.g. Log-in program must lock out users after
    three failed attempts
  • Even in the absence of attackers
  • E.g. Email program must not send invitations to
    my drunken myspace page to my professors (a
    privacy constraint)

6
Software Security
  • Obtaining these constraints requires first
    obtaining a more common constraint: memory
    access control (MAC)
  • Data in memory can only be read and written in
    authorized ways

7
Software Security
  • Memory access control (MAC)
  • Data in memory can only be read and written in
    authorized ways
  • Type checking provides MAC
  • Strong checking controls all memory accesses
  • ML, Java, C#, Haskell, ...
  • Weak checking leaves holes open
  • C, C++, machine code, ...

8
Type Checking
  • Well-typed programs provide proofs that programs
    are properly constrained (i.e., access memory
    correctly)
  • Type-checker verifies the proofs
  • Static analysis of code guarantees run-time
    constraints

9
Type Checking
  • A foundational security tool
  • Model of type checking is very general
  • Programs come with proofs of good behavior;
    anyone can verify the proofs
  • Underappreciated security tool
  • Java's superior security over C/C++ is primarily
    due to type checking
  • But how does it work?

10
Outline
  • Introduction to software security
  • Constructing secure languages
  • Typing rules
  • Execution rules
  • Type safety
  • Extensions
  • Summary

11
A Simple Language
  • Consider a programming language with integers,
    booleans, and if-then-elses
  • Example: if (if true then false else true) then 6
    else 8
  • Evaluates to?

12
Typing Rules
  • For every expression, what's its type?
  • 1) true : bool (true has type bool)
  • 2) false : bool
  • 3) n : int (when n is any integer)
  • 4) if e1 then e2 else e3 : ??

13
Typing Rules
  • 4) if e1 then e2 else e3 : ??
  • Answer: whatever types e2 and e3 have

14
Typing Rules
  • 4) if e1 then e2 else e3 : ??
  • Answer: whatever types e2 and e3 have
  • if true then true else false : bool
  • if true then 4 else 5 : int

15
Typing Rules
  • 4) If (e1 : bool and e2 : T and e3 : T)
    then (if e1 then e2 else e3 : T)

16
Typing Rules
  • 4) If (e1 : bool and e2 : T and e3 : T)
    then (if e1 then e2 else e3 : T)
  • if (if true then false else true) then 6 else 8
    : ??

17
Typing Rules
  • 4) If (e1 : bool and e2 : T and e3 : T)
    then (if e1 then e2 else e3 : T)
  • if (if true then 6 else 8) then false else true
    : ??

18
Execution Rules
  • For every expression, how does it execute (i.e.,
    take a step)?
  • 0) true, false, and integers are final answers
    and do not execute further
  • 1) if true then e1 else e2 → e1
  • 2) if false then e1 else e2 → e2
  • 3) (assuming e1 is neither true nor false) if e1
    then e2 else e3 → ??

19
Execution Rules
  • 3) (assuming e1 is neither true nor false) if e1
    then e2 else e3 → ??
  • Answer: execute e1 first
  • if (if true then false else true) then 6 else 8
    → if (false) then 6 else 8

20
Execution Rules
  • 3) (assuming e1 is neither true nor false)
  • If (e1 → e1')
  • Then (if e1 then e2 else e3 → if e1'
    then e2 else e3)

21
Type Safety
  • With typing and execution rules defined, we can
    prove a type-safety theorem
  • Type safety: well-typed programs will only obey
    the safe and expected rules of execution

22
Type Safety
  • Well-typed programs are constrained by the rules
    of execution
  • How have we constrained well-typed programs in
    our simple language?

23
Type Safety in Simple Language
  • Programs that pass our type checker will only
    branch on a true or a false value
  • Will never try to execute anything like: if 5
    then 6 else 8. Doing so would require an unsafe
    and unexpected execution rule

24
Type Safety in Simple Language
  • Programs that pass our type checker will only
    branch on a true or a false value
  • Memory access control (MAC)
  • A well-typed program will never read an int in
    memory when it should read a bool
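The typing rules of slides 12-17, the execution rules of slides 18-20 and the type-safety claim of slides 21-24 can be checked mechanically. The following is an added example, not code from the slides or from the presenter: a type checker and a small-step evaluator for the slides' language (integers, booleans, if-then-else), run on the three programs the slides discuss. The AST class names, the `IllTyped`/`Stuck` exceptions and `check_and_run` are this example's own choices.

```python
# Added example (not from the slides): type checker and small-step evaluator
# for the language of integers, booleans and if-then-else.
from dataclasses import dataclass
from typing import Union

# ---- Abstract syntax --------------------------------------------------------
@dataclass(frozen=True)
class Bool:
    value: bool          # true / false

@dataclass(frozen=True)
class Int:
    value: int           # n

@dataclass(frozen=True)
class If:
    cond: "Expr"         # e1
    then: "Expr"         # e2
    els: "Expr"          # e3

Expr = Union[Bool, Int, If]

class IllTyped(Exception):
    """No typing rule applies: the checker rejects the program."""

class Stuck(Exception):
    """No execution rule applies: the program cannot take a step."""

def show(e: Expr) -> str:
    if isinstance(e, Bool):
        return "true" if e.value else "false"
    if isinstance(e, Int):
        return str(e.value)
    return f"(if {show(e.cond)} then {show(e.then)} else {show(e.els)})"

# ---- Typing rules 1-4 -------------------------------------------------------
def typeof(e: Expr) -> str:
    if isinstance(e, Bool):              # 1), 2): true : bool, false : bool
        return "bool"
    if isinstance(e, Int):               # 3): n : int
        return "int"
    if isinstance(e, If):                # 4): e1 : bool, e2 : T, e3 : T  =>  if ... : T
        if typeof(e.cond) != "bool":
            raise IllTyped(f"condition {show(e.cond)} is not a bool")
        t2, t3 = typeof(e.then), typeof(e.els)
        if t2 != t3:
            raise IllTyped(f"branches have different types {t2} and {t3}")
        return t2
    raise IllTyped(f"unknown expression {e!r}")

# ---- Execution rules 0-3 ----------------------------------------------------
def is_value(e: Expr) -> bool:
    return isinstance(e, (Bool, Int))    # 0): final answers, no further steps

def step(e: Expr) -> Expr:
    """One execution step; raises Stuck when no rule applies."""
    if isinstance(e, If):
        if isinstance(e.cond, Bool):                    # 1), 2): branch on a bool
            return e.then if e.cond.value else e.els
        if not is_value(e.cond):                        # 3): e1 -> e1'
            return If(step(e.cond), e.then, e.els)
        # cond is an Int: there is deliberately no rule for "if 5 then ..."
    raise Stuck(f"no execution rule applies to {show(e)}")

def run(e: Expr) -> Expr:
    """Step until a final answer; Stuck propagates if the program gets stuck."""
    while not is_value(e):
        e = step(e)
    return e

# ---- Type safety in action --------------------------------------------------
def check_and_run(e: Expr):
    """Anything the checker accepts runs to a final answer of the predicted type."""
    t = typeof(e)            # may raise IllTyped: rejected statically
    v = run(e)               # never raises Stuck for a well-typed e
    assert typeof(v) == t    # the final answer has the type predicted statically
    return t, v

# The slides' programs, constructed here as ASTs
WELL_TYPED = If(If(Bool(True), Bool(False), Bool(True)), Int(6), Int(8))  # slide 11
ILL_TYPED = If(If(Bool(True), Int(6), Int(8)), Bool(False), Bool(True))   # slide 17
BRANCH_ON_INT = If(Int(5), Int(6), Int(8))                                 # slide 23

if __name__ == "__main__":
    print(check_and_run(WELL_TYPED))          # ('int', Int(value=8))
    for bad in (ILL_TYPED, BRANCH_ON_INT):
        try:
            typeof(bad)
        except IllTyped as err:
            print("rejected:", err)
    try:
        run(BRANCH_ON_INT)                    # bypassing the checker: gets stuck
    except Stuck as err:
        print("stuck:", err)
```

`step` has rules only for the cases the slides list, so a program that branches on an integer is not "handled somehow"; it is stuck, which is exactly the unsafe situation the checker rules out ahead of time.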

[Diagram: memory cells labeled bool and int]
25
Type Safety in General
  • Well-typed programs will only read and write
    memory in appropriate ways
  • Appropriate means whatever is allowed by rules
    of execution

26
Outline
  • Introduction to software security
  • Constructing secure languages
  • Typing rules
  • Execution rules
  • Type safety
  • Extensions
  • Summary

27
Type Safety
  • Could add features to language and prove
  • Only memory containing code gets executed
  • Only in-bounds array elements get read/written
  • Only correctly typed pointers get dereferenced
    (e.g., return addresses really are return
    addresses)
  • Only public methods in objects can be executed by
    other objects

28
Type Safety
  • Could add features to language and prove
  • Only memory containing code gets executed
  • Only in-bounds array elements get read/written
  • Only correctly typed pointers get dereferenced
    (e.g., return addresses really are return
    addresses)
  • Only public methods in objects can be executed by
    other objects
  • Memory access is constrained by execution rules

29
Run-time-checks Extension
  • Type safety provides a foundation for
    higher-level constraints
  • Can add run-time checks to constrain software
    further
  • E.g., to lock out users after failed logins, or
    to refuse to email myspace invitations to
    professors
  • Type safety ensures that run-time checks always
    work correctly (cannot be attacked successfully)
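The lockout constraint from slides 4 and 29, implemented as a run-time check in a type-safe language. This is an added example, not code from the slides: the `LoginGate` class, the in-memory account table, the three-failure policy and the user "alice" are all constructed for illustration. The check runs before any password comparison, so once an account is locked even the correct password is refused until an administrator resets it.

```python
# Added example (not from the slides): a run-time lockout check layered on
# top of the language's type safety. Policy and data are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3          # lock after this many consecutive failures

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0     # consecutive failed attempts
    locked: bool = False

class LoginGate:
    """Enforces the lockout constraint before any password comparison."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"                    # same answer as a wrong password
        if acct.locked:
            return "locked"                    # checked before comparing anything
        # constant-time comparison so timing does not leak the stored digest
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        # administrative reset, e.g. after out-of-band identity verification
        acct = self.accounts[user]
        acct.locked, acct.failures = False, 0

def demo() -> list:
    """Three wrong passwords lock the account; the right one is refused until reset."""
    gate = LoginGate()
    gate.register("alice", "correct horse battery staple")   # constructed user
    results = [gate.login("alice", "wrong") for _ in range(3)]
    results.append(gate.login("alice", "correct horse battery staple"))
    gate.unlock("alice")
    results.append(gate.login("alice", "correct horse battery staple"))
    return results

if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'locked', 'locked', 'ok']
```

The point the slide makes is that this counter and flag live in typed memory: a type-safe language guarantees no other code can overwrite `failures` or `locked` through a stray pointer or out-of-bounds write, so the check cannot be bypassed by corrupting its state.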

30
Outline
  • Introduction to software security
  • Constructing secure languages
  • Typing rules
  • Execution rules
  • Type safety
  • Extensions
  • Summary

31
Summary
  • Well-typed programs have constrained run-time
    behaviors
  • Only execute according to safe and expected rules
  • Will never access memory inappropriately
  • Programming in strongly typed languages like ML
    and Java is a good basis for writing secure code

32
Thanks
  • Questions?