language based methods for software security
play

Language-based methods for software security Gilles Barthe IMDEA - PowerPoint PPT Presentation

Oct 10, 2023 •152 likes •1.52k views

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 1 Motivation Mobile code is ubiquitous: large distributed networks of JVM devices aimed at providing a global and uniform access to services provide

  1. Other instances of PCC Touchstone has achieved an impressive level of scalability (programs with about one million instructions) but 1 “[...], there were errors in that code that escaped the thorough testing of the infrastructure” . the weak point was the VCGen (23,000 lines of C...) The size of the TCB can be reduced by relying on simpler checkers 1 by removing the VCGen: Foundational Proof-Carrying Code 2 by certifying the VCGen in a proof assistant 3 1 G.C. Necula and R.R. Schneck. A Sound Framework for Untrusted Verification-Condition Generators. LICS’03 Gilles Barthe Language-based methods for software security

  2. Simpler checkers? Proof � � ˙ α � P � ( Post � if B then S t else S f fi � ) ¨ = � def. (110) of ˙ ¨ α � P �� ¨ α � P � ∘ Post � if B then S t else S f fi � ∘ ¨ γ � P � = � def. (103) of Post � α � P � ∘ post [ τ ⋆ � if B then S t else S f fi � ] ∘ ¨ ¨ γ � P � = � big step operational semantics (93) � α � P � ∘ post [ ( 1 � � P � ∪ τ B ) ∘ τ ⋆ � S t � ∘ ( 1 � � P � ∪ τ t ) ∪ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ ¨ τ f ) ] ∘ ¨ γ � P � = � Galois connection (98) so that post preserves joins � τ B ) τ ⋆ � S t � τ t ) ] ˙ α � P � ¨ ∘ ( post [ ( 1 � � P � ∪ ∘ ∘ ( 1 � � P � ∪ ∪ post [ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ τ f ) ] ) ∘ ¨ γ � P � = � Galois connection (106) so that ¨ α � P � preserves joins � post [ ( 1 � � P � ∪ τ B ) ∘ τ ⋆ � S t � ∘ ( 1 � � P � ∪ τ t ) ] ˙ ( ¨ α � P � ∘ ∘ γ � P � ) ¨ ⊔ ¨ ( ¨ α � P � ∘ post [ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ τ f ) ] ∘ ¨ γ � P � ) ˙ ¨ ⊑ � lemma (5.3) and similar one for the else branch � λ J • let J t ′ = λ l ∈ in P � P � • ( ⊔ Abexp � B � ( J ℓ ) ¿ J l ) ( l = at P � S t � ? J at P � S t � ˙ ) in (120) let J t ′′ = APost � S t � ( J t ′ ) in ( l = ℓ ′ ? J t ′′ after P � S t � ¿ J t ′′ ⊔ J t ′′ λ l ∈ in P � P � • ( ℓ ′ ˙ l ) ) ⊔ ¨ let J f ′ = λ l ∈ in P � P � • ( ⊔ Abexp � T ( ¬ B ) � ( J ℓ ) ¿ J l ) ( l = at P � S f � ? J at P � S f � ˙ ) in let J f ′′ = APost � S f � ( J f ′ ) in ( l = ℓ ′ ? J f ′′ ⊔ J f ′′ after P � S f � ¿ J f ′′ λ l ∈ in P � P � • ( ˙ ) ) ℓ ′ l = � by grouping similar terms � J t ′ = λ l ∈ in P � P � • ( ⊔ Abexp � B � ( J ℓ ) ¿ J l ) ( l = at P � S t � ? J at P � S t � ˙ λ J • let ) and J f ′ = λ l ∈ in P � P � • ( ⊔ Abexp � T ( ¬ B ) � ( J ℓ ) ¿ J l ) ( l = at P � S f � ? J at P � S f � ˙ ) in J t ′′ = APost � S t � ( J t ′ ) let and J f ′′ = APost � S f � ( J f ′ ) in ( l = ℓ ′ ? J t ′′ ⊔ J t ′′ ⊔ J f ′′ ⊔ J f ′′ after P � S f � ¿ J t ′′ ⊔ J f ′′ λ l ∈ in P � P � • ( ℓ ′ ˙ after P � S t � ˙ ˙ ˙ ) ) ℓ ′ l l � by locality (113) and labelling scheme (59) so that in particular J t ′′ ℓ ′ = J t ′ ℓ ′ = J t ℓ ′ = J f = ℓ ′ = J f ′ ℓ ′ = J f ′′ ℓ ′ and APost � S t � and APost � S f � do not interfere � Gilles Barthe Language-based methods for software security

  3. Simpler checkers? Implementation Proof � � matrix_t* _matrix_alloc_int(const int mr, const int nc) α � P � ( Post � if B then S t else S f fi � ) ˙ ¨ { = � def. (110) of ˙ ¨ α � P �� matrix_t* mat = (matrix_t*)malloc(sizeof(matrix_t)); α � P � ∘ Post � if B then S t else S f fi � ∘ ¨ ¨ γ � P � mat->nbrows = mat->_maxrows = mr; = � def. (103) of Post � mat->nbcolumns = nc; α � P � ∘ post [ τ ⋆ � if B then S t else S f fi � ] ∘ ¨ ¨ γ � P � mat->_sorted = s; = � big step operational semantics (93) � if (mr*nc>0){ α � P � ∘ post [ ( 1 � � P � ∪ τ B ) ∘ τ ⋆ � S t � ∘ ( 1 � � P � ∪ τ t ) ∪ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ ¨ int i; τ f ) ] ∘ ¨ γ � P � pkint_t* q; = � Galois connection (98) so that post preserves joins � mat->_pinit = _vector_alloc_int(mr*nc); τ B ) τ ⋆ � S t � τ t ) ] ˙ ¨ α � P � ∘ ( post [ ( 1 � � P � ∪ ∘ ∘ ( 1 � � P � ∪ ∪ mat->p = (pkint_t**)malloc(mr * sizeof(pkint_t*)); post [ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ τ f ) ] ) ∘ ¨ γ � P � q = mat->_pinit; = � Galois connection (106) so that ¨ α � P � preserves joins � for (i=0;i<mr;i++){ post [ ( 1 � � P � ∪ τ B ) ∘ τ ⋆ � S t � ∘ ( 1 � � P � ∪ τ t ) ] ˙ ( ¨ α � P � ∘ ∘ γ � P � ) ¨ ⊔ ¨ ( ¨ α � P � ∘ mat->p[i]=q; post [ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ τ f ) ] ∘ ¨ q=q+nc; γ � P � ) ˙ ¨ }} ⊑ � lemma (5.3) and similar one for the else branch � λ J • let J t ′ = λ l ∈ in P � P � • ( ⊔ Abexp � B � ( J ℓ ) ¿ J l ) ( l = at P � S t � ? J at P � S t � ˙ return mat; ) in (120) let J t ′′ = APost � S t � ( J t ′ ) in } ( l = ℓ ′ ? J t ′′ after P � S t � ¿ J t ′′ ⊔ J t ′′ λ l ∈ in P � P � • ( ℓ ′ ˙ l ) ) void backsubstitute(matrix_t* con, int rank) ⊔ ¨ let J f ′ = λ l ∈ in P � P � • ( ⊔ Abexp � T ( ¬ B ) � ( J ℓ ) ¿ J l ) { ( l = at P � S f � ? J at P � S f � ˙ ) in let J f ′′ = APost � S f � ( J f ′ ) in int i,j,k; ( l = ℓ ′ ? J f ′′ for (k=rank-1; k>=0; k--) { ⊔ J f ′′ after P � S f � ¿ J f ′′ λ l ∈ in P � P � • ( ˙ ) ) ℓ ′ j = pk_cherni_intp[k]; l = � by grouping similar terms � for (i=0; i<k; i++) { J t ′ = λ l ∈ in P � P � • ( ⊔ Abexp � B � ( J ℓ ) ¿ J l ) ( l = at P � S t � ? J at P � S t � ˙ λ J • let ) if (pkint_sgn(con->p[i][j])) and J f ′ = λ l ∈ in P � P � • ( ⊔ Abexp � T ( ¬ B ) � ( J ℓ ) ¿ J l ) ( l = at P � S f � ? J at P � S f � ˙ ) in matrix_combine_rows(con,i,k,i,j); J t ′′ = APost � S t � ( J t ′ ) let } and J f ′′ = APost � S f � ( J f ′ ) in for (i=k+1; i<con->nbrows; i++) { ( l = ℓ ′ ? J t ′′ ⊔ J t ′′ ⊔ J f ′′ ⊔ J f ′′ after P � S f � ¿ J t ′′ ⊔ J f ′′ if (pkint_sgn(con->p[i][j])) λ l ∈ in P � P � • ( ℓ ′ ˙ after P � S t � ˙ ˙ ˙ ) ) ℓ ′ l l matrix_combine_rows(con,i,k,i,j); � by locality (113) and labelling scheme (59) so that in particular J t ′′ ℓ ′ = J t ′ ℓ ′ = J t ℓ ′ = J f = ℓ ′ }} = J f ′ ℓ ′ = J f ′′ ℓ ′ and APost � S t � and APost � S f � do not interfere � } Gilles Barthe Language-based methods for software security

  4. Simpler checkers? Implementation Proof � � matrix_t* _matrix_alloc_int(const int mr, const int nc) α � P � ( Post � if B then S t else S f fi � ) ˙ ¨ { = � def. (110) of ˙ α � P �� ¨ matrix_t* mat = (matrix_t*)malloc(sizeof(matrix_t)); ¨ α � P � ∘ Post � if B then S t else S f fi � ∘ ¨ γ � P � mat->nbrows = mat->_maxrows = mr; = � def. (103) of Post � mat->nbcolumns = nc; α � P � ∘ post [ τ ⋆ � if B then S t else S f fi � ] ∘ ¨ ¨ γ � P � mat->_sorted = s; = � big step operational semantics (93) � if (mr*nc>0){ α � P � ∘ post [ ( 1 � � P � ∪ τ B ) ∘ τ ⋆ � S t � ∘ ( 1 � � P � ∪ τ t ) ∪ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ ¨ int i; τ f ) ] ∘ ¨ γ � P � pkint_t* q; = � Galois connection (98) so that post preserves joins � mat->_pinit = _vector_alloc_int(mr*nc); τ B ) τ ⋆ � S t � τ t ) ] ˙ α � P � ¨ ∘ ( post [ ( 1 � � P � ∪ ∘ ∘ ( 1 � � P � ∪ ∪ mat->p = (pkint_t**)malloc(mr * sizeof(pkint_t*)); post [ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ τ f ) ] ) ∘ ¨ γ � P � q = mat->_pinit; = � Galois connection (106) so that ¨ α � P � preserves joins � for (i=0;i<mr;i++){ post [ ( 1 � � P � ∪ τ B ) ∘ τ ⋆ � S t � ∘ ( 1 � � P � ∪ τ t ) ] ˙ ( ¨ α � P � ∘ ∘ γ � P � ) ¨ ⊔ ¨ ( ¨ α � P � ∘ mat->p[i]=q; post [ ( 1 � � P � ∪ τ ¯ B ) ∘ τ ⋆ � S f � ∘ ( 1 � � P � ∪ τ f ) ] ∘ ¨ q=q+nc; γ � P � ) ¨ ˙ }} ⊑ � lemma (5.3) and similar one for the else branch � λ J • let J t ′ = λ l ∈ in P � P � • ( ⊔ Abexp � B � ( J ℓ ) ¿ J l ) Do the two parts connect? ( l = at P � S t � ? J at P � S t � ˙ return mat; ) in (120) let J t ′′ = APost � S t � ( J t ′ ) in } ( l = ℓ ′ ? J t ′′ after P � S t � ¿ J t ′′ ⊔ J t ′′ λ l ∈ in P � P � • ( ℓ ′ ˙ l ) ) void backsubstitute(matrix_t* con, int rank) ¨ ⊔ let J f ′ = λ l ∈ in P � P � • ( ⊔ Abexp � T ( ¬ B ) � ( J ℓ ) ¿ J l ) { ( l = at P � S f � ? J at P � S f � ˙ ) in let J f ′′ = APost � S f � ( J f ′ ) in int i,j,k; ( l = ℓ ′ ? J f ′′ for (k=rank-1; k>=0; k--) { ⊔ J f ′′ after P � S f � ¿ J f ′′ λ l ∈ in P � P � • ( ˙ ) ) ℓ ′ j = pk_cherni_intp[k]; l = � by grouping similar terms � for (i=0; i<k; i++) { J t ′ = λ l ∈ in P � P � • ( ⊔ Abexp � B � ( J ℓ ) ¿ J l ) ( l = at P � S t � ? J at P � S t � ˙ λ J • let ) if (pkint_sgn(con->p[i][j])) and J f ′ = λ l ∈ in P � P � • ( ⊔ Abexp � T ( ¬ B ) � ( J ℓ ) ¿ J l ) ( l = at P � S f � ? J at P � S f � ˙ ) in matrix_combine_rows(con,i,k,i,j); J t ′′ = APost � S t � ( J t ′ ) let } and J f ′′ = APost � S f � ( J f ′ ) in for (i=k+1; i<con->nbrows; i++) { ( l = ℓ ′ ? J t ′′ ⊔ J t ′′ ⊔ J f ′′ ⊔ J f ′′ after P � S f � ¿ J t ′′ ⊔ J f ′′ if (pkint_sgn(con->p[i][j])) λ l ∈ in P � P � • ( ℓ ′ ˙ after P � S t � ˙ ˙ ˙ ) ) ℓ ′ l l matrix_combine_rows(con,i,k,i,j); � by locality (113) and labelling scheme (59) so that in particular J t ′′ ℓ ′ = J t ′ ℓ ′ = J t ℓ ′ = J f = ℓ ′ }} = J f ′ ℓ ′ = J f ′′ ℓ ′ and APost � S t � and APost � S f � do not interfere � } Gilles Barthe Language-based methods for software security

  5. Really simple checkers? Bytecode verification (together with stack inspection) is the basis of Java security. Dataflow analysis ensures that values are manipulated with correct types, methods are applied to correct arguments, no stack underflows and overflows. . . Preceeded by a structural analysis that ensures that the code is well-formed and methods, names, and classes exist. . . and that jumps remain with code! In 2004, Godwiak exploited failure of BCV to verify targets of jumps to launch attacks on Nokia phones No verifier for a real language is really simple! Gilles Barthe Language-based methods for software security

  6. Really simple checkers? Bytecode verification (together with stack inspection) is the basis of Java security. Dataflow analysis ensures that values are manipulated with correct types, methods are applied to correct arguments, no stack underflows and overflows. . . Preceeded by a structural analysis that ensures that the code is well-formed and methods, names, and classes exist. . . and that jumps remain with code! In 2004, Godwiak exploited failure of BCV to verify targets of jumps to launch attacks on Nokia phones No verifier for a real language is really simple! Gilles Barthe Language-based methods for software security

  7. Really simple checkers? Bytecode verification (together with stack inspection) is the basis of Java security. Dataflow analysis ensures that values are manipulated with correct types, methods are applied to correct arguments, no stack underflows and overflows. . . Preceeded by a structural analysis that ensures that the code is well-formed and methods, names, and classes exist. . . and that jumps remain with code! In 2004, Godwiak exploited failure of BCV to verify targets of jumps to launch attacks on Nokia phones No verifier for a real language is really simple! Gilles Barthe Language-based methods for software security

  8. Really simple checkers? Bytecode verification (together with stack inspection) is the basis of Java security. Dataflow analysis ensures that values are manipulated with correct types, methods are applied to correct arguments, no stack underflows and overflows. . . Preceeded by a structural analysis that ensures that the code is well-formed and methods, names, and classes exist. . . and that jumps remain with code! In 2004, Godwiak exploited failure of BCV to verify targets of jumps to launch attacks on Nokia phones No verifier for a real language is really simple! Gilles Barthe Language-based methods for software security

  9. Really simple checkers? Bytecode verification (together with stack inspection) is the basis of Java security. Dataflow analysis ensures that values are manipulated with correct types, methods are applied to correct arguments, no stack underflows and overflows. . . Preceeded by a structural analysis that ensures that the code is well-formed and methods, names, and classes exist. . . and that jumps remain with code! In 2004, Godwiak exploited failure of BCV to verify targets of jumps to launch attacks on Nokia phones No verifier for a real language is really simple! Gilles Barthe Language-based methods for software security

  10. Foundational Proof Carrying Code Theorem Executions of program p are safe. Proof proceeds by showing that safety is an invariant of execution, under assumptions given for p depends on the definition of execution. For the JVM: a 400 pages book! TCB of Foundational PCC: the proof checker (as before) 1 the formal definition of the language semantics 2 the formal definition of the policy 3 This is also a large TCB Still better to have 2,000 lines of formal definitions than with 20,000 lines of C code! Gilles Barthe Language-based methods for software security

  11. Foundational Proof Carrying Code Theorem Executions of program p are safe. Proof proceeds by showing that safety is an invariant of execution, under assumptions given for p depends on the definition of execution. For the JVM: a 400 pages book! TCB of Foundational PCC: the proof checker (as before) 1 the formal definition of the language semantics 2 the formal definition of the policy 3 This is also a large TCB Still better to have 2,000 lines of formal definitions than with 20,000 lines of C code! Gilles Barthe Language-based methods for software security

  12. Foundational Proof Carrying Code Theorem Executions of program p are safe. Proof proceeds by showing that safety is an invariant of execution, under assumptions given for p depends on the definition of execution. For the JVM: a 400 pages book! TCB of Foundational PCC: the proof checker (as before) 1 the formal definition of the language semantics 2 the formal definition of the policy 3 This is also a large TCB Still better to have 2,000 lines of formal definitions than with 20,000 lines of C code! Gilles Barthe Language-based methods for software security

  13. Foundational Proof Carrying Code Theorem Executions of program p are safe. Proof proceeds by showing that safety is an invariant of execution, under assumptions given for p depends on the definition of execution. For the JVM: a 400 pages book! TCB of Foundational PCC: the proof checker (as before) 1 the formal definition of the language semantics 2 the formal definition of the policy 3 This is also a large TCB Still better to have 2,000 lines of formal definitions than with 20,000 lines of C code! Gilles Barthe Language-based methods for software security

  14. Foundational Proof Carrying Code Theorem Executions of program p are safe. Proof proceeds by showing that safety is an invariant of execution, under assumptions given for p depends on the definition of execution. For the JVM: a 400 pages book! TCB of Foundational PCC: the proof checker (as before) 1 the formal definition of the language semantics 2 the formal definition of the policy 3 This is also a large TCB Still better to have 2,000 lines of formal definitions than with 20,000 lines of C code! Gilles Barthe Language-based methods for software security

  15. Executable checkers In foundational PCC, certificates represent deductive proofs Typing rules as lemmas A better alternative is to program a type system / VCGen in the proof checker and prove it correct! Scalable and shorter proof terms Allows extraction of certified checkers Gilles Barthe Language-based methods for software security

  16. Executable checkers vs Foundational PCC Reflection Use computations instead of deductions! • A predicate P : T → Prop • A decision procedure f : T → bool • A correctness lemma C : ∀ x : T . f x = true → P x If f a reduces to true, then C a ( refl eq true ) is a proof of P a Executable checkers provide the same guarantees than FPCC Executable checkers can be seen as e ffi cient procedures to generate compact certificates Gilles Barthe Language-based methods for software security

  17. TCB of certified PCC VCGen φ In standard PCC 1 If the VCGen is proved correct 2 Proof + the proof checker checker + the formal definition of the language semantics + the formal definition of the policy (same as FPCC) Execution platform Gilles Barthe Language-based methods for software security

  18. TCB of certified PCC VCGen φ In standard PCC 1 If the VCGen is proved correct 2 Proof + the proof checker checker + the formal definition of the language semantics + the formal definition of the policy (same as FPCC) Execution platform Gilles Barthe Language-based methods for software security

  19. TCB of certified PCC VCGen φ In standard PCC 1 If the VCGen is proved correct 2 Proof + the proof checker checker + the formal definition of the language semantics + the formal definition of the policy (same as FPCC) Execution platform Gilles Barthe Language-based methods for software security

  20. TCB of certified PCC VCGen φ In standard PCC 1 If the VCGen is proved correct 2 Proof + the proof checker checker + the formal definition of the language semantics + the formal definition of the policy (same as FPCC) Execution platform Gilles Barthe Language-based methods for software security

  21. TCB of certified PCC VCGen φ In standard PCC 1 If the VCGen is proved correct 2 Proof + the proof checker checker + the formal definition of the language semantics + the formal definition of the policy (same as FPCC) Execution platform Gilles Barthe Language-based methods for software security

  22. Using executable checkers Producer Consumer Gilles Barthe Language-based methods for software security

  23. Using executable checkers Producer Consumer semantics + policy Coq kernel Gilles Barthe Language-based methods for software security

  24. Using executable checkers Producer Consumer semantics certified verifier certified certified + verifier verifier (Coq file) policy Coq kernel certificate verifier checks certified solution Gilles Barthe Language-based methods for software security

  25. Using executable checkers Producer Consumer semantics certified verifier certified certified + verifier verifier (Coq file) policy Coq kernel solution certificate Safe? verifier program checks certified solution Gilles Barthe Language-based methods for software security

  26. Using executable checkers Producer Consumer semantics certified verifier certified certified + verifier verifier (Coq file) policy Coq kernel untrusted solver computes (certified) solution solution solution certificate Safe? verifier program checks certified solution Gilles Barthe Language-based methods for software security

  27. Using executable checkers Producer Consumer semantics certified verifier certified certified + verifier verifier (Coq file) policy Coq kernel untrusted solver computes (certified) solution solution untrusted solution compressor certificate Safe? verifier program checks certified solution Gilles Barthe Language-based methods for software security

  28. Application scenario: PCC with trusted intermediaries PCC PKI Producer 1 Consumer 1 Producer 2 Phone Operator/ Consumer 2 Manufacturer Consumer C Producer P Size of certificate not a major issue Can check whether certified policy meets expected policy Complex policies can be verified Gilles Barthe Language-based methods for software security

  29. Using executable checkers Producer Consumer and verifier semantics certified verifier certified certified + verifier verifier (Coq file) policy Coq kernel untrusted solver ( + Coq extraction) computes (certified) solution solution inclusion certificates untrusted solution compressor (extracted) certificate Safe? verifier program checks certified solution Gilles Barthe Language-based methods for software security

  30. Application scenario: retail PCC Trusted intermediary validates verifier User validates application Size of certificate an issue Restricted to simpler policies Increased flexibility Gilles Barthe Language-based methods for software security

  31. Objectives Present two instances of certified Proof Carrying code and provide methods to generate certificates from source code verification Type system for information flow based confidentiality policies Verification condition generator for logical specifications Gilles Barthe Language-based methods for software security

  32. Objectives Present two instances of certified Proof Carrying code and provide methods to generate certificates from source code verification Type system for information flow based confidentiality policies Verification condition generator for logical specifications Source program Interactive proofs JML specification Certificate Bytecode program Certificate checker Bytecode specification API Certificate Virtual machine Operating system Gilles Barthe Language-based methods for software security

  33. Objectives Present two instances of certified Proof Carrying code and provide methods to generate certificates from source code verification Type system for information flow based confidentiality policies Verification condition generator for logical specifications Source program Source program Jif type Interactive checker proofs Jif types JML specification Certificate Bytecode program Inf flow Bytecode program Certificate BCV checker Information flow Bytecode types specification API Security env API Virtual machine Regions Certificate Virtual machine Operating system Operating system Gilles Barthe Language-based methods for software security

  34. Proof assistants based on type theory Type theory is a language for: defining mathematical objects (including data structures, algorithms, and mathematical theories) performing computations on and with these objects reasoning about these objects It is a foundational language that underlies: proof assistants (inc. Coq, Epigram, Agda) programming languages (inc. Cayenne, DML). Gilles Barthe Language-based methods for software security

  35. Proof assistants Implement type theories / higher order logics to specify and reason about mathematics. Interactive proofs, with mechanisms to guarantee that theorems are applied with the right hypotheses functions are applied to the right arguments no missing cases in proofs or in function definitions no illicit logical step (all reasoning is reduced to elementary steps) Proof assistants include domain-specific tactics that help solving specific problems e ffi ciently. Proof objects as certificates Completed proofs are represented by proof objects that can easily be checked by a proof-checker. Proof checker is small. Gilles Barthe Language-based methods for software security

  36. Sample applications (many more) Programming languages Programming language semantics Program transformations: compilers, partial evaluators, normalizers Program verification: type systems, Hoare logics, verification condition generators, Operating systems Cryptographic protocols and algorithms Dolev-Yao model (perfect cryptography assumption) Computational model Mathematics and logic: Galois theory, category theory, real numbers, polynomials, computer algebra systems, geometry, group theory, etc. 4-colors theorem Type theory Gilles Barthe Language-based methods for software security

  37. Type theory and the Curry-Howard isomorphism Type theory is a programming language for writing algorithms. But all functions are total and terminating, so that convertibility is decidable. Type theory is a language for proofs, via the Curry-Howard isomorphism: Propositions = Types Proofs = Terms Proof-Checking = Type-Checking But the underlying logic is constructive. (Classical logic can be recovered with an axiom, or a control operator) Gilles Barthe Language-based methods for software security

  38. A Theory of Functions Judgements x 1 : A 1 , . . . , x n : A n ⊢ M : B Typing rules ( x : A ) ∈ Γ Γ , x : A ⊢ M : B Γ ⊢ M : A → B Γ ⊢ N : A Γ ⊢ x : A Γ ⊢ M N : B Γ ⊢ λ x : A . M : A → B Evaluation: computing the application a function to an argument ( λ x : A . M ) N → β M { x := N } The result of computation is unique M = β N ⇒ M ↓ β N Evaluation preserves typing Type-Checking: it is decidable whether Γ ⊢ M : A . Type-Inference: there exists a partial function inf s.t. Γ ⊢ M : A ⇔ Γ ⊢ M : ( inf ( Γ , M )) ∧ ( inf ( Γ , M )) = A Gilles Barthe Language-based methods for software security

  39. A Language for Proofs Minimal Intuitionistic Logic Formulae: F = X If Γ ⊢ M : A then Γ ⊢ A | F → F If Γ ⊢ A then Γ ⊢ M : A for some M Judgements A 1 , . . . , A n ⊢ B (A tight correspondence between derivation trees and λ -terms, and Derivation rules between proof normalization and A ∈ Γ β -reduction) Γ ⊢ A In a proof assistant M is often built Γ ⊢ A → B Γ ⊢ A backwards. Γ ⊢ B Γ , A ⊢ B Γ ⊢ A → B Gilles Barthe Language-based methods for software security

  40. BHK Interpretation A proof of: is given by: A ∧ B a proof of A and a proof of B A ∨ B a proof of A or a proof of B A → B a method to transform proofs of A into proofs of B ∀ x . A a method to produce a proof of A ( t ) for every t ∃ x . A a witness t and a proof of A ( t ) ⊥ has no proof Use dependent types (terms arise in types) to achieve the expressive power of predicate logics N : Type , O : N , P : N → Prop ⊢ λ x : ( P O ) . x : ( P O ) → P (( λ z : N . z ) O ) Gilles Barthe Language-based methods for software security

  41. Typing dependent types: Calculus of Constructions Γ ⊢ A : s 1 Γ , x : A ⊢ B : s 2 Rules ( s 1 , s 2 ) ∈ R Γ ⊢ ( Π x : A . B ) : s 2 ( Prop , Prop ) implication Γ ⊢ F : ( Π x : A . B ) Γ ⊢ a : A ( Type , Type ) Γ ⊢ F a : B { x := a } generalized function space Γ , x : A ⊢ b : B Γ ⊢ ( Π x : A . B ) : s ( Type , Prop ) universal Γ ⊢ λ x : A . b : Π x : A . B quantification Γ ⊢ B ′ : s ( Prop , Type ) Γ ⊢ A : B B = β B ′ Γ ⊢ A : B ′ precondition, etc Gilles Barthe Language-based methods for software security

  42. Inductive definitions Inductive definitions provide mechanisms to define data structures, to define recursive functions and to reason about inhabitants of data structures recursors / case-expressions and guarded fixpoints / pattern matching induction principles Encode a rich class of structures: algebraic types: booleans, binary natural numbers, integers, etc parameterized types: lists, trees, etc inductive families and relations: vectors, accessibility relations (to define functions by well-founded recursion), transition systems, etc. Extensively used in the formalization of mathematics, programming languages, cryptographic algorithms, in reflexive tactics, etc. Gilles Barthe Language-based methods for software security

  43. Typing rules for natural numbers Γ ⊢ n : Nat ⊢ Nat : s ⊢ 0 : Nat Γ ⊢ S n : Nat Γ ⊢ n : Nat Γ ⊢ f 0 : A Γ ⊢ f s : Nat → A Γ ⊢ case n of { 0 ⇒ f 0 | s ⇒ f s } : A Γ ⊢ n : Nat Γ ⊢ P : Nat → s Γ ⊢ f 0 : P 0 Γ ⊢ f s : Π n : Nat . P ( S n ) Γ ⊢ case n of { 0 ⇒ f 0 | s ⇒ f s } : P n Γ , f : Nat → A ⊢ e : Nat → A Γ ⊢ letrec f = e : Nat → A Gilles Barthe Language-based methods for software security

  44. Case expressions and fixpoints: reduction rules case 0 of { 0 ⇒ e 0 | s ⇒ e s } → e 0 case ( s n ) of { 0 ⇒ e 0 | s ⇒ e s } → e s n ( letrec f = e ) n → e { f := ( letrec f = e ) } n To ensure termination we use a side condition G ( f , e ) , read f is guarded in e , in the typing rule for fixpoint we require n to be of the form c � b in the reduction rule in the reduction rule for fixpoint Not su ffi cient to impose restrictions on fixpoint definitions. Must also guarantee inductive definitions are well-formed. Gilles Barthe Language-based methods for software security

  45. Example: formalizing semantics of expressions a ∈ AExp b ∈ BExp c ∈ Comm a := n b := true c := skip | x | false | x := a | a 1 + a 2 | a 1 = a 2 | c 1 ; c 2 | a 1 − a 2 | a 1 < a 2 | if b then c 1 else c 2 a 1 ∗ a 2 | | not b | while b do c | b 1 and b 2 Gilles Barthe Language-based methods for software security

  46. Shallow embedding Expressions have type mem → Nat Memories have type mem = loc → Nat Num [ v : Nat ] = λ s : mem . v Loc [ v : loc ] = λ s : mem . s v Plus [ e 1, e 2 : Exp ] = λ s : mem . ( e 1 s ) + ( e 2 s ) Minus [ e 1, e 2 : Exp ] = λ s : mem . ( e 1 s ) − ( e 2 s ) Mult [ e 1, e 2 : Exp ] = λ s : mem . ( e 1 s ) ∗ ( e 2 s ) x , y : Exp ⊢ Plus x ( Minus y ( Num 3 )): Exp Expressions of the object language are (undistinguished) terms of the specification language Expressions are evaluated using the evaluation system of underlying specification language Cannot talk about expressions of the object language Gilles Barthe Language-based methods for software security

  47. Deep embedding Represent explicitely the syntax of the object language Possible to compute and reason about expressions of the object language Explicit function eval needed to evaluate terms Inductive bExp : Set := Inductive aExp : Set := IMPtrue: bExp Loc: loc -> aExp | IMPfalse: bExp | Num: nat -> aExp | Equal: aExp -> aExp -> bExp | Plus: aExp -> aExp -> aExp | LessEqual: aExp -> aExp -> bExp | Minus: aExp -> aExp -> aExp | Not: bExp -> bExp | Mult: aExp -> aExp -> aExp . | Or: bExp -> bExp -> bExp | And: bExp -> bExp -> bExp . Inductive com : Set := Skip: com | Assign: loc -> aExp -> com | Scolon: com -> com -> com | IfThenElse: bExp -> com -> com -> com | WhileDo: bExp -> com -> com . Gilles Barthe Language-based methods for software security

  48. Semantics of arithmetic expressions: inductive style Memory mem = loc → Nat Evaluation relation � a , σ � → a n , i.e. → a ⊆ AExp × Σ × N Evaluation rules � a 1 , σ � → a n 1 � a 2 , σ � → a n 2 � n , σ � → a n � x , σ � → a σ ( x ) � a 1 + a 2 , σ � → a n 1 + n 2 Inductive evalaExp_ind : aExp -> memory -> nat -> Prop := eval_Loc: forall (v:locs)(n:nat)(s : memory), (lookup s v)=n -> (evalaExp_ind (Loc v) s n) | eval_Num: forall (n : nat) (s : memory), (evalaExp_ind (Num n) s n) | eval_Plus: forall (a0, a1 : aExp) (n0, n1, n : nat) (s : memory), (evalaExp_ind a0 s n0) -> (evalaExp_ind a1 s n1) -> n = (plus n0 n1) -> (evalaExp_ind (Plus a0 a1) s n) ... Gilles Barthe Language-based methods for software security

  49. Semantics of arithmetic expressions – functional style Fixpoint evalaExp_rec [a: aExp] : memory -> nat := fun (s : memory) => match a with (Loc v) => (lookup s v) | (Num n) => n | (Plus a1 a2) => (plus (evalaExp_rec a1 s) (evalaExp_rec a2 s)) | ... end. Possible di ffi culties with functional semantics Determinacy Partiality Termination For commands: Small-step semantics is possible to define but many undefined cases to handle still harder to reason about than inductive semantics Big-step semantics is hard (requires well-founded recursion) Gilles Barthe Language-based methods for software security

  50. Certifying type-based methods Bytecode verification Abstraction-carrying code Non-interference Gilles Barthe Language-based methods for software security

  51. Bytecode verification: goals Bytecode verification aims to contribute to safe execution of programs by enforcing: Values are used with the right types (no pointer arithmetic) Operand stack is of appropriate length (no overflow, no underflow) Subroutines are correct Object initialization But well-typed programs do not go wrong (With some limits: array bound checks, interfaces, etc) Gilles Barthe Language-based methods for software security

  52. Bytecode verification: principles Exhibit for each program point an abstraction of the local variables and of the operand stack, and verify that instructions are compatible with the abstraction Informally ⊢ iadd : ( rt , int :: int :: s ) ⇒ ( rt , int :: s ) � iadd : ( rt , bool :: int :: s ) ⇒ ( rt , int :: s ) ⊢ pop : ( rt , α :: s ) ⇒ ( rt , s ) � pop : ( rt , s ) ⇒ ( rt , s ) Compatibility w.r.t. stack types is formalized by transfer rules P [ i ] = ins P [ i ] = ins i ⊢ lv , st ⇒ lv ′ , st ′ i ⊢ lv , st ⇒ Program P : τ is type-safe if there exists S : P → RT × T ⋆ s.t. S 1 = ( rt 1 , ǫ ) for all i , j ∈ P i �→ j ⇒ ∃ σ . i ⊢ S i ⇒ σ ⊑ S j ; i �→⇒ ∃ τ ′ . i ⊢ S i ⇒ τ ′ ⊑ τ where ⊑ is inherited from JVM types Gilles Barthe Language-based methods for software security

  53. Bytecode verification: consequences Programs do not go wrong If S ⊢ P : τ and s is type-correct w.r.t. S i and Γ , then: P [ i ] = return then the return value has type τ s � s ′ and s ′ is type-correct w.r.t. S i ′ (where i = pc ( s ) and i ′ = pc ( s ′ ) ) Run-time type checking is redundant A typed state is a state that manipulates typed values (instead of untyped values) A defensive virtual machine checks types at execution, i.e. � def ⊆ tstate × ( tstate + { TypeError } ) If P is type-safe w.r.t. S , then executions of � and � def coincide Gilles Barthe Language-based methods for software security

  54. Type inference Goal is to exhibit S . Entry point of program is typed with the empty stack Propagation Pick an program point i annotated with st Compute rt ′ , st ′ such that i ⊢ rt , st ⇒ rt ′ , st ′ . If there is no rt ′ , st ′ , then reject program. For all successors j of i if j is not yet annotated, annotated it with rt ′ , st ′ if j is annotated with rt ′′ , st ′′ , replace rt ′′ , st ′′ by rt ′ , st ′ ⊔ rt ′′ , st ′′ Upon termination accept program if no type error ⊤ in the computed S . Termination is ensured by tracking which states remain to be analyzed, by ascending chain condition Fixpoint computation! Gilles Barthe Language-based methods for software security

  55. Lightweight bytecode verification Provide types of junction points Entry point and junction points are typed the entry point of the program is typed with the empty stack Propagation Pick an program point i annotated with st Compute rt ′ , st ′ such that i ⊢ rt , st ⇒ rt ′ , st ′ . If there is no rt ′ , st ′ , then reject program. For all successors j of i if j is not yet annotated, annotated it with rt ′ , st ′ if j is annotated with rt ′′ , st ′′ , check that ( rt ′ , st ′ ) ⊑ ( rt ′′ , st ′′ ) . If not, reject program Gilles Barthe Language-based methods for software security

  56. Lightweight bytecode verification Provide types of junction points Entry point and junction points are typed the entry point of the program is typed with the empty stack Propagation Pick an program point i annotated with st Compute rt ′ , st ′ such that i ⊢ rt , st ⇒ rt ′ , st ′ . If there is no rt ′ , st ′ , then reject program. For all successors j of i if j is not yet annotated, annotated it with rt ′ , st ′ if j is annotated with rt ′′ , st ′′ , check that ( rt ′ , st ′ ) ⊑ ( rt ′′ , st ′′ ) . If not, reject program One pass verification, sound and complete wrt bytecode verification Gilles Barthe Language-based methods for software security

  57. Verified bytecode verification A puzzle with 8 pieces, Each piece interacts with its neighbors Gilles Barthe Language-based methods for software security

  58. Bicolano a Coq formalisation of the JVM the basis for certified PCC Initially a joint work e ff ort between INRIA Sophia-Antipolis and IRISA, now developed / used by many other sites Initial requirements a direct translation of the reference book, readable (even for non Coq expert), easy to manipulate in proofs, support executable checkers, avoid implementation choices Gilles Barthe Language-based methods for software security

  59. Bicolano vs requirements Bicolano should be a direct translation of the reference book, readable (even for non Coq expert), easy to manipulate in proofs, support executable checkers Gilles Barthe Language-based methods for software security

  60. Bicolano vs requirements Bicolano should be a direct translation of the reference book, small step semantics, same level of details (not a JVM implementation) readable (even for non Coq expert), easy to manipulate in proofs, support executable checkers Gilles Barthe Language-based methods for software security

  61. Bicolano vs requirements Bicolano should be a direct translation of the reference book, small step semantics, same level of details (not a JVM implementation) readable (even for non Coq expert), use of module interfaces easy to manipulate in proofs, support executable checkers Gilles Barthe Language-based methods for software security

  62. Bicolano vs requirements Bicolano should be a direct translation of the reference book, small step semantics, same level of details (not a JVM implementation) readable (even for non Coq expert), use of module interfaces easy to manipulate in proofs, inductive definitions support executable checkers Gilles Barthe Language-based methods for software security

  63. Bicolano vs requirements Bicolano should be a direct translation of the reference book, small step semantics, same level of details (not a JVM implementation) readable (even for non Coq expert), use of module interfaces easy to manipulate in proofs, inductive definitions support executable checkers implementation of module interfaces Gilles Barthe Language-based methods for software security

  64. Java fragment handled numeric values : int, short, byte no float, no double, no long no 64 bits values: complex management of 64 and 32 bits elements in the operand stack objects, arrays virtual method calls class hierarchy is dynamically traversed to find a suitable implementation visibility modifiers exceptions programs are post-linked (no constant pool, no dynamical linking) no initialisation (use default values instead) no subroutines (CLDC!) Gilles Barthe Language-based methods for software security

  65. Syntax Factorisation: Binary operations on int: ibinop op ( iadd , iand , idiv , imul , ior , irem , ishl , ishr , isub , iushr , ixor ) Tests on int value : if0 comp ( ifeq , ifne , iflt , ifle , ifgt , ifge ) Push numerical constants on the operand stack: const t c ( bipush , iconst_<i> , ldc , sipush ) load value from local variables : aload , iload load value from array : aaload , baload , iaload , saload similar instructions to store values... Gilles Barthe Language-based methods for software security

  66. Wellformedness properties on programs Some examples all the classes have a super-class except java.lang.Object , the class hierarchy is not cyclic, all class have distinct names, ... Coq packaging: Record well formed program (p : Program ) : Set : = { property1 : . . . ; property2 : . . . ; . . . } . Definition check wf (p : Program ) : option ( well formed program P ) . Proof on wellformed programs: f o r a l l (p : Program ) , well formed program p − > . . . Gilles Barthe Language-based methods for software security

  67. Verified bytecode verification semantics domains Example: JVM states frame call stack � � h , � m , pc , l , v :: s � , sf � � heap operand stack method local variables program point Gilles Barthe Language-based methods for software security

  68. Formalization of JVM states Values, local variables and operand stack Inductive value : Set : = | Int ( v :Z) ( ∗ Numeric value ∗ ) | NULL ( ∗ reference ∗ ) | UNDEF ( ∗ default value ∗ ) . ( ∗ I n i t i a l ( default ) value . Must be compatible with the type of the f i e l d . ∗ ) Parameter initValue : Field − value . > Module Type LOCALVAR. Parameter t : Type . Parameter get : t − > Var − > option value . Parameter update : t − > Var − > value − > t . Parameter get update new : f o r a l l l x v , get ( update l x v ) x = Some v . Parameter get update old : f o r a l l l x y v , x <> y − > get ( update l x v ) y = get l y . End LOCALVAR. Declare Module LocalVar : LOCALVAR. Module Type OPERANDSTACK. Definition t : Set : = l i s t value . Definition empty : t : = n i l . Definition push : value − > t − > t : = fun v t = > cons v t . Definition size : t − > nat : = fun t = > length t . Definition get nth : t − > nat − > option value : = fun s n = > nth error s n . End OPERANDSTACK. Declare Module OperandStack : OPERANDSTACK. ( ∗ ∗ Transfer fonction between operand stack and l o c a l variables ∗ ∗ ) Parameter stack2localvar : OperandStack − > nat − > LocalVar . t . Gilles Barthe Language-based methods for software security

  69. Formalization of JVM states Heap Module Type HEAP. Parameter t : Type . Inductive AdressingMode : Set : = | S t a t i c F i e l d : FieldSignature − > AdressingMode | DynamicField : Location − > FieldSignature − > AdressingMode | ArrayElement : Location − > Int − > AdressingMode . Inductive LocationType : Set : = | LocationObject : ClassName − > LocationType | LocationArray : Int − > type − > LocationType . ( ∗ ∗ ( LocationArray length element type ) ∗ ) Parameter typeof : t − > Location − > option LocationType . ( ∗ ∗ typeof h loc = None − > no object , no array allocated at location loc ∗ ) Parameter get : t − > AdressingMode − > option value . Parameter update : t − > AdressingMode − > value − > t . Parameter new : t − > Program − > LocationType − > option ( Location ∗ t ) . Parameter get update same : f o r a l l h am v , Compat h am − > get ( update h am v ) am = Some v . Parameter get update old : f o r a l l h am1 am2 v , am1 <> am2 − > get ( update h am1 v ) am2 = get h am2 . Parameter new fresh location : f o r a l l (h : t ) (p : Program ) ( l t : LocationType ) ( loc : Location ) (h ’ : t ) , new h p l t = Some ( loc , h ’ ) − > typeof h loc = None . . . . Gilles Barthe Language-based methods for software security

  70. Verified bytecode verification semantics abstract domains domains is partially ordered, with a top element ⊤ for errors, and a “lub” operator ⊔ w / o infinite increasing chains x 0 ⊏ x 1 ⊏ · · · ⊏ · · · Inherited from JVM types (extension to finite maps and stacks) Gilles Barthe Language-based methods for software security

  71. JVM types ⊤ � � � � � Object � � ������� � Inductive type : Set : = � � | ReferenceType ( r t : refType ) � | PrimitiveType ( pt : primitiveType ) Interfaces Arrays Prim with refType : Set : = | ArrayType ( typ : type ) � � | ClassType ( ct : ClassName ) � Instances � | InterfaceType ( i t : InterfaceName ) � � with primitiveType : Set : = � � | BOOLEAN | BYTE | SHORT | INT . Null � � � � � ⊥ Specific challenges, e.g. interfaces i n t e r f a c e I { . . . } i n t e r f a c e J { . . . } c l a s s C implements I , J { . . . } c l a s s D implements I , J { . . . } Both I and J are upper bounds for C and D, but they are incomparable. Gilles Barthe Language-based methods for software security

  72. Verified bytecode verification semantics abstraction abstract domains relations domains Each type represents a property on concrete values This correspondence is formalised by the relation value : type (that respects subtyping) Gilles Barthe Language-based methods for software security

  73. Verified bytecode verification semantics abstraction abstract domains relations domains semantic rules Operational semantics � between states P [( m , pc )] = push c � � h , � m , pc , l , s � , sf � � � � � h , � m , pc + 1, l , c :: s � , sf � � P [( m , pc )] = invokevirtual m id m ′ = methodLookup ( m id , h ( loc )) V = v 1 :: · · · :: v nbArguments ( m id ) � h , � m ′ , 1, V , ε � , � m , pc , l , s � :: sf � � � h , � m , pc , l , loc :: V :: s � , sf � � � � � Gilles Barthe Language-based methods for software security

  74. Formalization of rules | const step ok : f o r a l l h m pc pc ’ s l sf t z , instructionAt m pc = Some ( Const t z ) − > next m pc = Some pc ’ − > ( ( t = BYTE / \ − 2ˆ7 < = z < 2ˆ7) \ / ( t = SHORT / \ − 2ˆ15 < = z < 2ˆ15) \ / ( t = INT / \ − 2ˆ31 < = z < 2ˆ31) ) − > step p ( St h ( Fr m pc s l ) sf ) ( St h ( Fr m pc ’ (Num ( I ( Int . const z ) ) : : s ) l ) sf ) | invokevirtual step ok : f o r a l l h m pc s l sf mid cn M args loc c l bM fnew , instructionAt m pc = Some ( Invokevirtual ( cn , mid ) ) − > lookup p cn mid ( pair c l M) − > Heap . typeof h loc = Some (Heap . LocationObject cn ) − > length args = length (METHODSIGNATURE. parameters mid) − > METHOD. body M = Some bM − > fnew = ( Fr M (BYTECODEMETHOD. firstAddress bM) OperandStack . empty ( stack2localvar ( args ++ (Ref loc ) : : s ) (1 + ( length args ) ) ) ) − > step p ( St h ( Fr m pc ( args ++ (Ref loc ) : : s ) l ) sf ) ( St h fnew ( ( Fr m pc s l ) : : sf ) ) Gilles Barthe Language-based methods for software security

  75. Small step semantics Two kinds of state: normal state : ( St h ( Fr m pc s l ) sf ) exception state (not yet caught) ( StE h ( FrE m pc loc l ) sf ) The small step semantics is defined with a relation between state step (p : Program ) : State − > State − > Prop Gilles Barthe Language-based methods for software security

  76. Small step semantics Four cases normal → normal 1 normal → exception 2 exception → normal 3 exception → exception 4 Gilles Barthe Language-based methods for software security

  77. Small step semantics Four cases normal → normal 1 | putfield step ok : f o r a l l h m pc pc ’ s l sf f loc cn v , instructionAt m pc = Some ( Putfield f ) − > next m pc = Some pc ’ − > Heap . typeof h loc = Some (Heap . LocationObject cn ) − > defined field p cn f − > assign compatible p h v (FIELDSIGNATURE. type f ) − > step p ( St h ( Fr m pc ( v : : ( Ref loc ) : : s ) l ) sf ) ( St (Heap . update h (Heap . DynamicField loc f ) v ) ( Fr m pc ’ s l ) sf ) normal → exception 2 exception → normal 3 exception → exception 4 Gilles Barthe Language-based methods for software security

  78. Small step semantics Four cases normal → normal 1 normal → exception 2 | putfield step NullPointerException : f o r a l l h m pc s l sf f v h ’ loc ’ , instructionAt m pc = Some ( Putfield f ) − > Heap . new h p (Heap . LocationObject ( javaLang , NullPointerException ) ) = Some ( loc ’ , h ’ ) − > step p ( St h ( Fr m pc ( v : : Null : : s ) l ) sf ) ( StE h ’ ( FrE m pc loc ’ l ) sf ) exception → normal 3 exception → exception 4 Gilles Barthe Language-based methods for software security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2 Transfer rules P [ i ] = push n P [ i ] = binop op i st se ( i ) :: st i k 1 :: k 2 :: st ( k 1 k 2 ) :: st se ( i ) k

1.83k views • 153 slides
Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 1 Dimensions of

449 views • 30 slides
Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web

641 views • 30 slides
Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe

Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe

Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe (joint work with G. Winskel while at BRICS) DIMACS, July 8, 2003 Road map 1) Security Protocol Language (SPL) Transition vs.

591 views • 25 slides
Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security Control 4 Abstraction Imperfections OS: Each process has exclusive access to its own CPU and memory Illusion!! A process may be able to

429 views • 21 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a

Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a

Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a survey paper that studies the research on information-flow security, especially on work that uses static program analysis. Why language-based

585 views • 24 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are

Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are

Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are organized by topic, in the order of the presentation. There are more papers here than discussed in the presentation. Language-based security is a big

373 views • 8 slides
INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for Summer, 2008 Michele Rousseau Lecture Note 10 Effort Estimation Announcements Assignment #3 is due on Monday Quiz #3 regrades are due today

647 views • 21 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
Language Information Retrieval applications: integration of ontology-based methods and Linguistic

Language Information Retrieval applications: integration of ontology-based methods and Linguistic

technology from seed Multi-word processing in domain specific Cross- Language Information Retrieval applications: integration of ontology-based methods and Linguistic resources Johanna Monti UNISS Maria Pia di Buono UNISA Mario

312 views • 3 slides
Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September 11, 2013 2013 ASE/IEEE

425 views • 17 slides
Natural language is a programming language: Applying natural language processing to software

Natural language is a programming language: Applying natural language processing to software

Natural language is a programming language: Applying natural language processing to software development Michael D. Ernst Presented by: Tomas Geffner, Subendhu Rongali &amp; Natcha Simsiri Before we start, what is software? Not just code/AST

437 views • 23 slides
Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is

Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is

Preview ! Introduction Lecture 10 ! Partitioning methods Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is Clustering? Examples of Clustering Applications ! Cluster: a collection of data objects !

301 views • 8 slides
Cryo-SeaNice : CryoSat SciEnce-oriented data ANalysis over Sea-ICE areas Pierre Fabry, Nicolas

Cryo-SeaNice : CryoSat SciEnce-oriented data ANalysis over Sea-ICE areas Pierre Fabry, Nicolas

Cryo-SeaNice : CryoSat SciEnce-oriented data ANalysis over Sea-ICE areas Pierre Fabry, Nicolas Bercher (A-T) Sara Fleury (LEGOS), Elena Zakharova (LEGOS) Jrme Boufgard, Pierre Fmnias (ESA-ESRIN) Context

526 views • 16 slides
Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and

Data Invariants and ADTs Validation Data Refinement Administrivia Software System Design and Implementation Data Invariants, Abstraction and Refinement Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Data Invariants

1.07k views • 68 slides
FPGA-specific arithmetic pipeline design using FloPoCo Bogdan Pasca, Ar enaire CARAMEL,

FPGA-specific arithmetic pipeline design using FloPoCo Bogdan Pasca, Ar enaire CARAMEL,

FPGA-specific arithmetic pipeline design using FloPoCo Bogdan Pasca, Ar enaire CARAMEL, 17/02/2011 Outline FPGAs and floating-point Datapath design using FloPoCo Inside FloPoCo Back-end for HLS Conclusion Bogdan Pasca, Ar enaire

1.12k views • 79 slides
DeePattern: Layout Pattern Generation with Transforming Convolutional Auto-Encoder Haoyu Yang 1 ,

DeePattern: Layout Pattern Generation with Transforming Convolutional Auto-Encoder Haoyu Yang 1 ,

DeePattern: Layout Pattern Generation with Transforming Convolutional Auto-Encoder Haoyu Yang 1 , Piyush Pathak 2 , Frank Gennari 2 , Ya-Chieh Lai 2 , Bei Yu 1 1 The Chinese University of Hong Kong 2 Cadence Design Systems, Inc. 1 / 16 &lt;latexit

533 views • 16 slides
JUNCTION BASED ROUTING: A SCALABLE TECHNIQUE TO SUPPORT SOURCE ROUTING IN LARGE NOC PLATFORMS

JUNCTION BASED ROUTING: A SCALABLE TECHNIQUE TO SUPPORT SOURCE ROUTING IN LARGE NOC PLATFORMS

JUNCTION BASED ROUTING: A SCALABLE TECHNIQUE TO SUPPORT SOURCE ROUTING IN LARGE NOC PLATFORMS Shabnam Badri, Rickard Holsmark and Shashi Kumar JNKPING UNIVERSITY, SWEDEN NoCArc Workshop, Vancouver, Canada, 2012-12-01 Outline Goals

550 views • 34 slides
Title LIGO-G1100174 DC Readout in Enhanced LIGO 1 Enhanced LIGO Try out Advanced LIGO

Title LIGO-G1100174 DC Readout in Enhanced LIGO 1 Enhanced LIGO Try out Advanced LIGO

Title LIGO-G1100174 DC Readout in Enhanced LIGO 1 Enhanced LIGO Try out Advanced LIGO technologies Bet that increased sensitivity outweighs the downtime exposure = time * (range)^3 New Laser More Power New input optics New

711 views • 36 slides
Supervisory Incentives in a Banking Union Elena Carletti (Bocconi University and CEPR) Giovanni

Supervisory Incentives in a Banking Union Elena Carletti (Bocconi University and CEPR) Giovanni

Supervisory Incentives in a Banking Union Elena Carletti (Bocconi University and CEPR) Giovanni DellAriccia (IMF and CEPR) Robert Marquez ( University of California, Davis) The centralization of supervision in the Euro area Bank

400 views • 28 slides
WiFi-Direct InterNetworking PhD student: PhD state: planner Antnio Tefilo 1,2 Research

WiFi-Direct InterNetworking PhD student: PhD state: planner Antnio Tefilo 1,2 Research

WiFi-Direct InterNetworking PhD student: PhD state: planner Antnio Tefilo 1,2 Research area: Networking Advisors: Herv Paulino 2 Joo Loureno 2 1 ADEETC, ISEL, Instituto Politcnico de Lisboa, Portugal 2 NOVA LINCS, DI, FCT,

344 views • 20 slides

More recommend