gradual information flow typing
play

Gradual Information Flow Typing Tim Disney Cormac Flanagan - PowerPoint PPT Presentation

Jan 15, 2023 •275 likes •1.1k views

Gradual Information Flow Typing Tim Disney Cormac Flanagan University of California Santa Cruz January 29th, 2011 - STOP 2011 Combining gradual typing with information flow Gradual Information + Typing Flow = More secure software

  1. Gradual Information Flow Typing Tim Disney Cormac Flanagan University of California Santa Cruz January 29th, 2011 - STOP 2011

  2. Combining gradual typing with information flow Gradual Information + Typing Flow = More secure software

  3. Perfect world Security designed upfront

  4. Perfect world Security designed upfront vs. Broken world Security bolted on after the fact

  5. Requirements Design Implementation Verification Maintenance

  6. Finding security requirements upfront is often not economically feasible

  7. Perfect world Broken world

  8. Do not want Perfect world Broken world

  9. Does not exist Do not want Perfect world Broken world

  10. Real world Security evolves with program Does not exist Do not want Perfect world Broken world

  11. Information Flow Confidentiality: keeping sensitive data private & Integrity: protect against untrusted data

  12. Information Flow Confidentiality: keeping sensitive data private & Integrity: protect against untrusted data For this talk we focus on confidentiality

  13. Information Flow Labels H (private) L (public)

  14. Information Flow Labeled Values Labels H (private) 42 L 58,000 H “hello” L L (public)

  15. Gradual Typing Dynamically Statically typed program typed program Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

  16. Gradual Typing Dynamically Mixed Statically typed program static/dynamic typed program Program fail with blame Casts Dynamically Statically typed modules typed modules Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

  17. Gradual Typing Dynamically Statically Mixed typed program typed program static/dynamic Program fail with blame Casts Dynamically Statically typed modules typed modules Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

  18. No security Gradual Security checks Static Dynamic security types security checks

  19. No security Gradual Security checks Mixed static/ Static Dynamic dynamic security security types security checks Program fail with blame Casts Dynamic Static security modules security modules

  20. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks Program fail with blame Casts Dynamic Static security modules security modules

  21. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks rev 1 Program fail with blame Casts Dynamic Static security modules security modules

  22. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks rev 1 rev 2 Program fail with blame Casts Dynamic Static security modules security modules

  23. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks rev 1 rev 2 rev 3 Program fail with blame Casts Dynamic Static security modules security modules

  24. A language for g radual i nformation f low

  25. The language Values (r): Labeled Values (v): 42 H , ( λ x : A. t ) L Types (a, b): Int , Bool , A → B Labeled Types (A, B): Int L , Bool L , ( A → B ) H

  26. The language Private types: Int H = { 0 L , 0 H , 1 L , 1 H , . . . } potentially private

  27. The language Private types: Int H = { 0 L , 0 H , 1 L , 1 H , . . . } potentially private Public types: Int L = { 0 L , 1 L , 2 L , . . . } definitely public

  28. The language Private types: Int H = { 0 L , 0 H , 1 L , 1 H , . . . } potentially private Public types: Int L = { 0 L , 1 L , 2 L , . . . } definitely public Subtypes

  29. The language Default labels are permissive

  30. The language Default labels are permissive 42 = 42 L

  31. The language Default labels are permissive 42 = 42 L Int = Int H

  32. The language Default labels are permissive 42 = 42 L Int = Int H

  33. The language Default labels are permissive 42 = 42 L Int = Int H

  34. Casting checks runtime labels t : A ⇒ p B Syntax similar to “Blame For All” by Ahmed et al.

  35. Casting checks runtime labels t : A ⇒ p B 42 L : Int H ⇒ p Int L 42 L Syntax similar to “Blame For All” by Ahmed et al.

  36. Casting checks runtime labels t : A ⇒ p B 42 L : Int H ⇒ p Int L 42 L 42 H : Int H ⇒ p Int L blame p Syntax similar to “Blame For All” by Ahmed et al.

  37. Higher-order casting: cast at fault ( fn ): ( Int L → Int H ) ⇒ p ( Int L → Int L ) wrap fn

  38. Higher-order casting: cast at fault ( fn ): ( Int L → Int H ) ⇒ p ( Int L → Int L ) wrap fn fn = λ x : Int L . x + 1 L ( wrap fn ) 42 L 43 L

  39. Higher-order casting: cast at fault ( fn ): ( Int L → Int H ) ⇒ p ( Int L → Int L ) wrap fn fn = λ x : Int L . x + 1 L ( wrap fn ) 42 L 43 L fn = λ x : Int L . x + 1 H cast blamed ( wrap fn ) 42 L blame p

  40. Higher-order casting: context at fault ( fn ): ( Int L → Int L ) ⇒ p ( Int H → Int L ) wrap fn

  41. Higher-order casting: context at fault ( fn ): ( Int L → Int L ) ⇒ p ( Int H → Int L ) wrap fn 24 L ( wrap fn ) 42 L

  42. Higher-order casting: context at fault ( fn ): ( Int L → Int L ) ⇒ p ( Int H → Int L ) wrap fn 24 L ( wrap fn ) 42 L ( wrap fn ) 42 H blame p context blamed

  43. Labeling adds runtime labels V (58000 L : Int L V Int H ) 58000 H

  44. Labeling adds runtime labels V (58000 L : Int L V Int H ) 58000 H disk read : ( Int L → Int L ) V ( Int L → Int H ) wrap fn

  45. Evolution Example

  46. Rev 0 (no security) let intToString : Int → Str = . . .

  47. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42

  48. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000 // confidential!

  49. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . .

  50. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary ))

  51. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Prints “58000”

  52. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Prints “58000”

  53. Add dynamic enforcement

  54. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary ))

  55. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary ))

  56. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Still prints “58000” H

  57. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Still prints “58000” H

  58. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary ))

  59. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary ))

  60. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary )) Fails and blames p since Str H can’t be cast to Str L

  61. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary )) Fails and blames p since Str H can’t be cast to Str L

  62. Add static enforcement

  63. Rev 2 (static enforcement) let intToString : Int H → Str H = . . . let age : Int L = 42 let salary : Int H = 58000: Int L V Int H let print : Str L → Unit L = λ s : Str L . . . . print ( intToString ( salary ))

  64. Rev 2 (static enforcement) let intToString : Int H → Str H = . . . let age : Int L = 42 let salary : Int H = 58000: Int L V Int H let print : Str L → Unit L = λ s : Str L . . . . print ( intToString ( salary )) intToString causes compile error

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S.

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S.

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S. New Jan Vitek Matthias Felleisen 9 years of sound gradual typing Gradual Typing for Functional Languages, Jeremy Siek & Walid Taha. SFP '06

829 views • 41 slides
Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with

Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with

Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with Manish Vachharajani Overview Motivation Background Gradual Typing Unification-based inference Exploring the Solution Space Type

1.25k views • 83 slides
Is Sound Gradual Typing Dead? Asumu Takikawa Daniel Feltey Ben Greenman Max S. New Jan Vitek

Is Sound Gradual Typing Dead? Asumu Takikawa Daniel Feltey Ben Greenman Max S. New Jan Vitek

Is Sound Gradual Typing Dead? Asumu Takikawa Daniel Feltey Ben Greenman Max S. New Jan Vitek Matthias Felleisen Gradual typing thesis 1. People write untyped code 2. Static types help maintain software 3. Sound types can be added

754 views • 72 slides
The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana

The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana

The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana University, Bloomington 1/ 24 Gradual Typing Goal: support the entire spectrum in one language. Program Dependent Static Dynamic Logics Types Typing

382 views • 24 slides
Gradual typing is morally incorrect; were all monsters now Timothy Jones and Michael Homer

Gradual typing is morally incorrect; were all monsters now Timothy Jones and Michael Homer

Gradual typing is morally incorrect; were all monsters now Timothy Jones and Michael Homer Victoria University of Wellington {tim,mwh}@ecs.vuw.ac.nz October 27, 2015 Introduction Meaning in the gradually typed world A type assertion

547 views • 43 slides
T Gradual typing for R Jan Vitek, Northeastern University Types enhance productivity The Iron

T Gradual typing for R Jan Vitek, Northeastern University Types enhance productivity The Iron

This is is not a type: T Gradual typing for R Jan Vitek, Northeastern University Types enhance productivity The Iron Rolling Mill by Adolf Menzel function ( x ) { var y = x ? 2 : Y if x y += ES else y += 40 return y } Types

779 views • 31 slides
Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School of Engineering and Computer Science Victoria University of Wellington What is Flow Typing? Defining characteristic : ability to retype variables JVM

534 views • 18 slides
A Gradual Typing Poem Sam Tobin-Hochstadt & Robby Finder 1 The Problem Write a function

A Gradual Typing Poem Sam Tobin-Hochstadt & Robby Finder 1 The Problem Write a function

A Gradual Typing Poem Sam Tobin-Hochstadt & Robby Finder 1 The Problem Write a function that accepts the specification of an infinite regular tree and turn it into a representation of the tree 2 The Problem Write a function that accepts

565 views • 37 slides
Typing and ML Typing and ML A name for a set of values and some operations which can be

Typing and ML Typing and ML A name for a set of values and some operations which can be

Typing Typing Typing and ML Typing and ML A name for a set of values and some operations which can be performed on that set of values. CSC324 A collection of computational entities that share some common property. Winter 2007

412 views • 9 slides
Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual

Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual

Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual Python with Colored Local Type Inference Motivation Python programmers use dynamic typing Lets type check what we can, and what the programmer

303 views • 11 slides
Consistent Subtyping for All Ningning Xie Xuan Bi Bruno C. d. S. Oliveira 16 April, 2018 The

Consistent Subtyping for All Ningning Xie Xuan Bi Bruno C. d. S. Oliveira 16 April, 2018 The

Consistent Subtyping for All Ningning Xie Xuan Bi Bruno C. d. S. Oliveira 16 April, 2018 The University of Hong Kong ESOP 2018, Thessaloniki, Greece 1 Gradual Typing 101 The key external feature of every gradual type system is the

853 views • 61 slides
Typing and ML Typing and ML Definition Program organization and documentation A name for a

Typing and ML Typing and ML Definition Program organization and documentation A name for a

Typing Typing Uses/Merits Uses/Merits Type errors Type errors Typing and ML Typing and ML Definition Program organization and documentation A name for a set of values and some operations A type error occurs when execution of

725 views • 5 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
COVID-19 INFORMATION PACKAGE: Gradual Return Beginning May 25, 2020 1 TABLE OF CONTENTS

COVID-19 INFORMATION PACKAGE: Gradual Return Beginning May 25, 2020 1 TABLE OF CONTENTS

COVID-19 INFORMATION PACKAGE: Gradual Return Beginning May 25, 2020 1 TABLE OF CONTENTS Introduction Priority Measures Passive screening Physical distancing Handwashing Other Mitigation Measures Non-medical / community masks

504 views • 26 slides
The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras

The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras

The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras Data Scientist, SAP / Agile Solutions Collective vs gradual learning Collective Learning Gradual Learning Principle: wisdom of the crowd Principle:

461 views • 23 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
03: Choice & Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

03: Choice & Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

03: Choice & Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e

847 views • 27 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Web Mining and Recommender Systems T emporal data mining This week Temporal models This week

Web Mining and Recommender Systems T emporal data mining This week Temporal models This week

Web Mining and Recommender Systems T emporal data mining This week Temporal models This week well look back on some of the topics already covered in this class, and see how they can be adapted to make use of temporal information 1.

707 views • 59 slides
Graffit ffiti i Data a Analy lysis sis Philip lip Santarp tarpia ia Pro rof. Chun un

Graffit ffiti i Data a Analy lysis sis Philip lip Santarp tarpia ia Pro rof. Chun un

12/17/2015 Graffit ffiti i Data a Analy lysis sis Philip lip Santarp tarpia ia Pro rof. Chun un BDA 761 Inquiries about the Graffiti Data What is the Average clean up time per borough? What is the largest problem area in each

221 views • 5 slides
Space Art astronautical extraterrestrial What is space art? astronomical How has space art

Space Art astronautical extraterrestrial What is space art? astronomical How has space art

The Federation of Galaxy Explorers Grade 3 | Lesson 6 Space Art astronautical extraterrestrial What is space art? astronomical How has space art affected how we think about space? Early space art Camille Flammarion Henry Alvim-Correa

423 views • 10 slides
Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa

Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa

Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa M. Redmiles @eredmil1 eredmiles@cs.umd.edu How do users respond when their accounts are attacked? Elissa M. Redmiles 2 Cross cultural interview

426 views • 25 slides
Local Government, Governance And Local Government, Governance And Raising The Quality Of Public

Local Government, Governance And Local Government, Governance And Raising The Quality Of Public

Local Government, Governance And Local Government, Governance And Raising The Quality Of Public Debate A presentation in the Treasury Academic Lecture Series by Stephen Selwood of the New Zealand Council for infrastructure Stephen Selwood of the

596 views • 27 slides
Text Threat | Maroussia Lvesque | LogoCities 2007 TRADITIONAL FACADES: HARDCODED, STATIC DISPLAY

Text Threat | Maroussia Lvesque | LogoCities 2007 TRADITIONAL FACADES: HARDCODED, STATIC DISPLAY

LABORATORY FOR EXPERIMENTAL MEDIA Text Threat | Maroussia Lvesque | LogoCities 2007 TRADITIONAL FACADES: HARDCODED, STATIC DISPLAY Engineering and ar- chitectures agenda. Emotionally touch the user, inspire fear, admiration, etc FACADE

288 views • 11 slides

More recommend