The Impact of Programming Language Theory on Computer Security
description
Transcript of The Impact of Programming Language Theory on Computer Security
![Page 1: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/1.jpg)
The Impact of Programming Language Theory on Computer Security
Drew DeanComputer Science LaboratorySRI International
![Page 2: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/2.jpg)
2
What I’m not Talking About
Cryptographic Protocol Verification See, e.g., Computer Security
Foundations Workshop Type Systems for Non-Interference
See, e.g., POPL
![Page 3: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/3.jpg)
3
Much of security is:
“Program P exactly implements Specification S and no more.”
For this talk, we assume that the specification is correct
![Page 4: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/4.jpg)
4
Security Tripos
No undefined usermode behavior
Proper system call use
Correctnesswrt criticalrequirements
![Page 5: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/5.jpg)
5
Correctness wrt Security
No system that misses security checks can be secure Program Verification Architectural Support
Stack inspection Security Passing Style [WAF]
![Page 6: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/6.jpg)
6
Program Verification
Obvious connections Lambda calculus, Curry-Howard Hoare Logic …
![Page 7: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/7.jpg)
7
Architectural Support
Stack Inspection Access control based on endorsement of
code: answers “Who called me?” Designed to prevent untrusted code from
bypassing access controls, while allowing higher level code to assert that it knows what it’s doing
![Page 8: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/8.jpg)
8
Stack Inspection Example
Applet wants to use the Helvetica font May require JVM to read a file Solution:
Font handling code checks arguments If successful, asserts privilege Attempts to read file
Which notes that font code (privileged) has asserted everything’s OK
![Page 9: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/9.jpg)
9
Stack Inspection: Critique
Exposes call stack Tail call elimination painful Function inlining also painful Goodbye, Church-Rosser, goodbye!
![Page 10: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/10.jpg)
10
Security Passing Style
Wallach, Appel, Felten, TOSEM 9/00 A la CPS, pass security context as an
extra (implicit) argument Restores tail call elimination and
function inlining Doesn’t restore Church-Rosser
![Page 11: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/11.jpg)
11
Observation
SPS is in closer analogy to CPS than its authors say
Shivers: “Threads are paths through continuation space”
Continuations are the right semantic object to attach permissions to
Would a dependent type system work out?
![Page 12: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/12.jpg)
12
Properly Using System Calls
If a program handles its own security, e.g., ftpd, it better use system calls correctly
Many programs don’t Wu-ftpd Sendmail …
![Page 13: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/13.jpg)
13
How Can PLT help?
Joint work with David Wagner and Hao Chen, UC Berkeley
Given a program, morph control flow graph into an automaton that accepts language of system calls
![Page 14: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/14.jpg)
14
IEEE S&P 2001
Take automaton, check runtime trace of system calls for anomaly detection
(Most of) Benefits of specification-based intrusion detection without needing the non-existent spec
![Page 15: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/15.jpg)
15
Current Work
Take abstracted specification, throw it and library of security “best practices” (and known attacks) at (custom) model checker
But this requires understanding system calls
Usually the POSIX spec is reasonable But not for set*uid()
![Page 16: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/16.jpg)
16
Understanding set*uid
Absolutely necessary for writing secure setuid Unix programs
Linux, FreeBSD, Solaris all subtly different Even if all POSIX compliant
Kernel code unreadable Reverse engineer formal model Will appear at USENIX Security 2002
![Page 17: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/17.jpg)
17
No Undefined User-mode Behavior
Buffer overflows are still a problem in 2002
PL people think this is stupid It is
Like it or not, most of the world codes in C or unsafe C++
![Page 18: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/18.jpg)
18
Not Just Buffer Overflows
Any corruption of program state can cause vulnerability Nearly science fiction attack based on a
C program double freeing a pointer
![Page 19: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/19.jpg)
19
Observation
Memory comes in two colors Storage of variables Compiler/runtime support
![Page 20: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/20.jpg)
20
Partition Property
“All variables only refer to memory locations that the compiler has mapped to program variables, not compiler/runtime support (e.g., return addresses, temporaries for evaluating expressions, memory management overhead, etc.)”
![Page 21: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/21.jpg)
21
Partition Properties
Note that this is weaker than non-interference Values obviously depend on program
values Stronger than some forms of memory
& type safety Should be a theorem of modern (safe)
languages
![Page 22: The Impact of Programming Language Theory on Computer Security](https://reader035.fdocuments.net/reader035/viewer/2022062520/56815fe8550346895dceebab/html5/thumbnails/22.jpg)
22
Conclusions
This was a brief survey of a wide field
“and no more” is hard to implement
Hopefully, breaking it down helps
No undefined behavior
Proper system call use
Correctnesswrt criticalrequirements