CS655: Programming Languages - PowerPoint PPT Presentation

About This Presentation
Title:

CS655: Programming Languages

Description:

Type checking rules vs. Environment updating rules. 5/1/2000. 6. CS655: Programming Languages ... Languages. Environment Updating Rules. var = Expression ... – PowerPoint PPT presentation

Slides: 14
Provided by: mes69
Transcript and Presenter's Notes

1
Tabasco
A Static Security Checking Tool for Python
  • Group 5
  • Yu Lin
  • Yiting Nan
  • Mike Smoot
  • Jianrong Zhang

2
Example Goes First
  • #!/usr/cs/contrib/bin/python
  • import os
  • name = raw_input("Please enter your first name ")
  • command = '/bin/echo ' + name
  • os.system(command)

Let name be: homer; rm -rf /
3
Motivation
Design Goal: Used by programmers to check their
programs for potential security risks.
  • Design Principles
  • Flexible
  • Standalone
  • Static checking
  • Report potential security violations.

4
Related Work
JFLOW
Tabasco
Rexec Bastion JPython
5
Solution
  • How? Check security information flow!
  • Security type environment
  • Security policy
  • Defines insecure function calls
  • Configurable by the user: flexibility!
  • Type checking rules vs. Environment updating
    rules

6
Type Checking Rules
$$\frac{\text{true}}{A \vdash \text{literal} : \text{secure}} \quad [\text{literal}]$$

$$\frac{\text{true}}{A \vdash \texttt{raw\_input}(S) : \text{insecure}} \quad [\text{input}]$$

$$\frac{A \vdash Exp_A : \text{insecure} \;\lor\; A \vdash Exp_B : \text{insecure} \qquad oper \in \{\, -,\ /,\ \texttt{<<},\ \texttt{>>},\ <,\ >,\ \ldots \,\}}{A \vdash (Exp_A \; oper \; Exp_B) : \text{insecure}} \quad [\text{expr}]$$
7
Type Checking Function Calls
$$\frac{A \vdash arg_1 : \text{secure} \;\land\; \ldots \;\land\; A \vdash arg_n : \text{secure}}{A \vdash fun(arg_1, \ldots, arg_n) : \text{secure}} \quad [\text{secure-fun}]$$

$$\frac{\left(A \vdash arg_1 : \text{insecure} \;\lor\; \ldots \;\lor\; A \vdash arg_n : \text{insecure}\right) \qquad A \vdash fun \text{ is allowed}}{A \vdash fun(arg_1, \ldots, arg_n) : \text{insecure}} \quad [\text{insecure-fun}]$$
8
Environment Updating Rules
$$\frac{var = Expression}{A \;\{\, var = Expression \,\}\; A[var \mapsto typeof(A, Expression)]} \quad [\text{assign}]$$
  • Also
  • if-else rule
  • while rule
  • for rule

9
If-Else Rule
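Example:

    # z : insecure
    if z < 1:
        x = "Hello!"    # x : secure
    else:
        x = z           # x : insecure

$$\frac{A \;\{ S_1 \}\; A_1 \qquad A \;\{ S_2 \}\; A_2}{A \;\{\, \texttt{if } exp_1 \; S_1 \texttt{ else } S_2 \,\}\; A_1 \oplus A_2} \quad [\text{if-else}]$$

What is $A_1 \oplus A_2$?

$(A_1 \oplus A_2) \vdash var : \text{secure}$ iff $A_1 \vdash var : \text{secure}$ and $A_2 \vdash var : \text{secure}$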
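
A sketch of the type checking and environment updating rules from slides 6 to 9, added here as an example and not Tabasco's own code. It walks Python's `ast` module instead of a Lex/Yacc parse tree, and the policy sets, the function names `insecure`, `check` and `analyze`, and the sample program are assumptions.

```python
import ast
# Assumed policy (not from the slides): one insecure source, two disallowed calls.
INSECURE_SOURCES = {"raw_input"}
POLICY_SINKS = {"os.system", "os.popen"}

def insecure(expr, env, findings):  # type checking rules: True if expr is insecure
    if isinstance(expr, ast.Constant):                          # [literal]
        return False
    if isinstance(expr, ast.Name):                              # unknown variable: insecure
        return env.get(expr.id, True)
    if isinstance(expr, (ast.BinOp, ast.Compare, ast.BoolOp)):  # [expr]
        kids = [c for c in ast.iter_child_nodes(expr) if isinstance(c, ast.expr)]
        return any([insecure(c, env, findings) for c in kids])
    if isinstance(expr, ast.Call):
        name = ast.unparse(expr.func)                           # e.g. "os.system"
        tainted = any([insecure(a, env, findings) for a in expr.args])
        if tainted and name in POLICY_SINKS:                    # policy violation: report it
            findings.append((expr.lineno, name))
        return tainted or name in INSECURE_SOURCES              # [input], [secure/insecure-fun]
    return True                                                 # conservative default

def check(stmts, env, findings):  # environment updating rules: returns the new environment
    for s in stmts:
        if isinstance(s, ast.Assign):                           # [assign]
            t = insecure(s.value, env, findings)
            env = {**env, **{n.id: t for n in s.targets if isinstance(n, ast.Name)}}
        elif isinstance(s, ast.If):                             # [if-else]: secure only if secure in both
            insecure(s.test, env, findings)
            a1, a2 = check(s.body, env, findings), check(s.orelse, env, findings)
            env = {v: a1.get(v, True) or a2.get(v, True) for v in a1.keys() | a2.keys()}
        elif isinstance(s, ast.Expr):                           # bare call statement
            insecure(s.value, env, findings)
    return env

def analyze(source):
    findings = []
    return check(ast.parse(source).body, {}, findings), findings

# Constructed sample (parsed only, never executed): slide 2 program, then a slide 9 style if-else.
SAMPLE = '''name = raw_input("Please enter your first name ")
command = '/bin/echo ' + name
os.system(command)
if name < 1:
    x = "Hello!"
else:
    x = name
'''
if __name__ == "__main__":
    print(analyze(SAMPLE))
```

In the returned environment `True` means insecure; each finding is a `(line, function)` pair for a policy-listed call that receives insecure data.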
10
Implementation
  • Lex and Yacc
  • Use symbol table to keep track of variables and
    their security information
  • Construct parse trees to propagate security
    information

11
Implementation (cont)
cmd bin/echo name
12
Evaluation
  • Our Goal
  • Tested against many simple programs
  • All succeeded
  • Real World
  • Not yet
  • Need complete grammar

13
Conclusion
  • Succeeded in meeting our design goals
  • (Standalone, Flexible, Conservative)
  • Can be used to help programmers find potential
    security flaws
  • Can be used to help train programmers to be more
    aware of security threats.

Make programming SPICY!