language based methods for software security
play

Language-based methods for software security Gilles Barthe IMDEA - PowerPoint PPT Presentation

Mar 27, 2024 •292 likes •1.83k views

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2 Transfer rules P [ i ] = push n P [ i ] = binop op i st se ( i ) :: st i k 1 :: k 2 :: st ( k 1 k 2 ) :: st se ( i ) k

  1. Remarks on machine-checked proof We have used the Coq proof assistant to to formally define non-interference definition, to formally define an information type system, to mechanically proved that typability enforces non-interference, to program a type checker and prove it enforces typability, to extract an Ocaml implementation of this type checker. Structure of proofs Itermediate semantics simplifies the intermediate definition of 1 indistinguishability (call stacks), Second intermediate semantics : annotated semantics with result of 2 pre-analyses the pre-analyse checker enforces that both semantics correspond Implementation and correctness proof of the CDR checker 3 The information flow type system (and its corresponding type checker) 4 enforce non-interference wrt. the annotated semantics. About 20,000 lines of definitions and proofs, inc. 3000 lines to define the JVM semantics Gilles Barthe Language-based methods for software security

  2. Towards realistic applications Many features of missing to program realistic applications: declassification multi-threading flow sensitivity, polymorphism, etc Gilles Barthe Language-based methods for software security

  3. Declassification Baseline policies (i.e. non-interference) are too restrictive in practice. Declassification policies allow intentional information release. Main dimensions: what, where, who Gilles Barthe Language-based methods for software security

  4. Information release for JVM Goal is to define an information flow policy that: supports controlled release of information, that can be enforced e ffi ciently, with a modular proof of soundness , instantiable to bytecode can reuse machine-checked proofs Gilles Barthe Language-based methods for software security

  5. Policy setting Setting is heavily influenced by non-disclosure, but allows declassification of a variable rather than of a principal. Policy is local to each program point: modeled as an indexed family ( ∼ Γ [ i ] ) i ∈ P of relations on states each ∼ Γ [ i ] is symmetric and transitive monotonicity of equivalence Γ [ i ] � Γ [ j ] ∧ s ∼ Γ [ i ] t ⇒ s ∼ Γ [ j ] t (properties hold when relations are induced by the security level of variables) Gilles Barthe Language-based methods for software security

  6. Delimited non-disclosure P satisfies delimited non-disclosure (DND) i ff entry R entry , where R ⊆ P × P satisfies for every i , j ∈ P : if i R j then j R j ; if i R j then for all s i , t j and s ′ i ′ s.t. s i � s ′ i ′ ∧ s i ∼ Γ [ i ] t j ∧ safe ( t j ) there exists t ′ j ′ such that: t j � ⋆ t ′ j ′ ∧ i ′ R j ′ j ′ ∧ s ′ i ′ ∼ Γ [ entry ] t ′ Gilles Barthe Language-based methods for software security

  7. Local policies vs. declassify statements One could use a construction declassify ( e ) in { c } and compute local policies from program syntax: [ l 1 := 0 ] 1 ; declassify ( h ) in { [ l 2 := h ] 2 } ; [ l 3 := l 2 ] 3 yields Γ [ 1 ]( l 1 ) = Γ [ 1 ]( l 2 ) = Γ [ 1 ]( l 3 ) = L Γ [ 1 ]( h ) = H Γ [ 2 ]( l 1 ) = Γ [ 2 ]( l 2 ) = Γ [ 2 ]( l 3 ) = L Γ [ 2 ]( h ) = L Γ [ 3 ] = Γ [ 1 ] Gilles Barthe Language-based methods for software security

  8. Where is what? Declassification of expressions through fresh local variables: declassify ( h > 0 ) in { [ if ( h > 0 ) then { [ l := 0 ] 2 } ] 1 } becomes [ h ′ := h > 0 ] 1 ; declassify ( h ′ ) in { [ if ( h ′ ) then { [ l := 0 ] 3 } ] 2 } Gilles Barthe Language-based methods for software security

  9. DND type system Given a NI type system Γ , S , se ⊢ i ; think as a shorthand for ∃ s j . Γ [ i ] , S , se ⊢ S ( i ) ⇒ s j ∧ s j � S ( j ) Define a DND type system ( Γ [ j ]) j ∈ P , S , se ⊢ i as Γ [ i ] , S , se ⊢ i (Note: not so easy for source languages) Program P is typable w.r.t. policy ( Γ [ j ]) j ∈ P and type S i ff for all i Γ [ i ] , S , se ⊢ i Soundness If ( Γ [ j ]) j ∈ P , S , se ⊢ P then P satisfies DND. Policies must respect no creep up, ie Γ [ i ]( x ) � Γ [ entry ]( x ) Gilles Barthe Language-based methods for software security

  10. Unwinding + Progress Unwinding: if Γ , S ⊢ NI i then ( s i ∼ Γ t i ∧ s i � s ′ i ′ ∧ t i � t ′ j ′ ) ⇒ s ′ i ′ ∼ Γ t ′ j ′ Progress: if i is not an exit point and safe ( s i ) then there exists t s.t. s i � t  ( Γ [ i ]) i ∈ P , S ⊢ DND P   s i ∼ Γ [ i ] t i  ⇒ ∃ t ′ j ′ . t i � t ′ j ′ ∧ s ′ i ′ ∼ Γ [ entry ] t ′ s i � s ′ j ′ i ′   safe ( t i )  Gilles Barthe Language-based methods for software security

  11. High branches Unwinding: if Γ , S ⊢ NI i and H � se ( i ) then ( s i ∼ Γ t j ∧ s i � s ′ i ′ ) ⇒ s ′ i ′ ∼ Γ t j Exit from high loops: if i is a high branching point, then jun ( i ) is defined all executions entering region ( i ) exit the region at jun ( i ) No declassify in high context H � se ( i ) , se ( j ) ∧ i �→ j ⇒ Γ [ i ]( x ) = Γ [ j ]( x )  ( Γ [ i ]) i ∈ P , S ⊢ DND P   i high branching  jun ( i ) . s j � ⋆ s ′ ∃ s ′ jun ( i ) ∧ s j ∼ Γ [ entry ] s ′ jun ( i ) j ∈ region ( i )   safe ( s j )  Gilles Barthe Language-based methods for software security

  12. Bisimulation i , j ∈ region ( k ) ∪ { jun ( k ) } j B i se ( k ) = H i B i i B j i B j If i , j ∈ region ( k ) for some k s.t. H � se ( k ) . Assume s i ∼ Γ [ i ] t j , and s i � s ′ i ′ . Choose t ′ = t . By unwinding and monotonicity, s ′ i ′ ∼ Γ [ entry ] t j . By exit through junction, either i ′ ∈ region ( k ) or i ′ = jun ( k ) . If j ∈ region ( k ) and i = jun ( k ) for some k s.t. H � se ( k ) . . . . Gilles Barthe Language-based methods for software security

  13. Laundering attacks [ h := h ′ ] 1 ; declassify ( h ) in { [ l := h ] 2 } Such programs are insecure w.r.t. policies such as localized delimited release. It is possible to define a simple e ff ect system that prevents laundering attacks: judgments are of the form ⊢ LA c : U , V U is the set of assigned variables V is the set of declassified variables Gilles Barthe Language-based methods for software security

  14. Concurrency Mobile code applications often exploit concurrency Concurrent execution of secure sequential programs is not necessarily secure: if ( h > 0 ) { skip ; skip }{ skip } ; l := 1 || skip ; skip ; l := 2 Security of multi-threaded programs can be achieved: by imposing strong security conditions on programs by relying on secure schedulers Gilles Barthe Language-based methods for software security

  15. Secure schedulers A secure scheduler selects the thread to be executed in function of the security environment: the thread pool is partitioned into low, high, and hidden threads if a thread is currently executing a high branch, then only high threads are scheduled if the program counter of the last executed thread becomes high (resp. low), then the thread becomes hidden or high (resp. low) the choice of a low thread only depends on low history Round-robin schedulers are secure, provided they take over control when threads become high / low / hidden Gilles Barthe Language-based methods for software security

  16. Multi-threaded language New instruction start i States � � ρ , λ � � where λ associates to each active thread a pair � � i , s � � . Semantics s , h � s ′ : h is an history implicitly parameterized by scheduler (modeled as function pickt from states and histories to threads) and security environment most rules inherited from sequential fragment pickt ( � � ρ , λ � � , h ) = ctid pickt ( � � ρ , λ � � , h ) = ctid λ ( ctid ) = � � i , s � � λ ( ctid ) = � � i , s � � P [ i ] = start pc P [ i ] � start k ntid fresh � i ′ , ρ ′ , s ′ � � � i , ρ , s � � � seq � � � ρ ′ , λ ′ � � � ρ , λ � � , h � � � � ρ ′ , λ ′ � � � ρ , λ � � , h � � � where � � where � pc , ǫ � � if tid = ntid λ ′ ( tid ) = � � λ ( tid ) � i ′ , s ′ � otherwise � if tid = ctid λ ′ ( tid ) = λ ( tid ) otherwise Gilles Barthe Language-based methods for software security

  17. Policy and type system Policy is similar to sequential fragment Transfer rules inherited from sequential fragment i ⊢ seq st ⇒ st ′ P [ i ] � start j P [ i ] = start j se ( i ) � se ( j ) i ⊢ st ⇒ st ′ i ⊢ st ⇒ st Type system similar to sequential fragment. As in bytecode verification, each thread is verified in isolation. If P [ i ] = start j we do not have i �→ j Assume the scheduler is secure, type soundness can be lifted from sequential language Gilles Barthe Language-based methods for software security

  18. Type-preserving compilation Source type systems o ff er tools for developing safe / secure applications, but does not directly address mobile code Bytecode verifiers provides safety / security assurance to users Relating both type systems ensure: applications can be deployed in a mobile code architecture that delivers the promises of the source type system enhanced safety / security architecture can benefit from tools for developing applications that meet the policy it enforces Gilles Barthe Language-based methods for software security

  19. Compiler correctness The compiler is semantics-preserving (terminating runs, input / output behavior) P , µ ⇓ ν , v ⇒ [ [ P ] ] , µ ⇓ ν , v Thus source programs satisfy an input / output property i ff their compilation does ∀ P , φ , ψ , µ , ν , v . ( φ ( µ ) ⇒ P , µ ⇓ ν , v ⇒ ψ ( µ , ν , v )) ⇒ ( φ ( µ ) ⇒ [ [ P ] ] , µ ⇓ ν , v ⇒ ψ ( µ , ν , v )) But are typable programs compiled into typable programs? ∀ P , ⊢ P = ⇒ ∃ S . S , ⊢ [ [ P ] ] Yes for JVM typing, no in general Gilles Barthe Language-based methods for software security

  20. Loss of information Using the sign abstraction x := 1; y := x − x yields y = zero Solutions: But push 1 Change lattice store x Decompile expressions load x load x op − store y yields y = ⊤ Gilles Barthe Language-based methods for software security

  21. Source language: While A program is a command: commands c ::= x := e assignment | if ( e ) { c }{ c } conditional | while ( e ) { c } loop | c ; c sequence | skip skip | return e return value Semantics is standard: States are pairs � � c , ρ � � � c ′ , ρ ′ � Small-step semantics � � c , ρ � � � � � or � � c , ρ � � � � � ν , v � � � i ff c , µ � ⋆ � Evaluation semantics c , µ ⇓ � � ν , v � � ν , v � � Gilles Barthe Language-based methods for software security

  22. Information flow type system Security policy Γ : X → S and k ret Volpano-Smith security type system [ k ] ⊢ c ′ k ⊔ pc � Γ ( x ) e : k [ k ] ⊢ c [ pc ] ⊢ c ; c ′ [ pc ] ⊢ x := e e : k [ k ] ⊢ c 1 [ k ] ⊢ c 2 e : k [ k ] ⊢ c [ pc ] ⊢ if ( e ) { c 1 }{ c 2 } [ pc ] ⊢ while ( e ) { c } e : k k ⊔ pc � k ret [ pc ] ⊢ return e [ pc ] ⊢ skip plus subtyping rules pc ′ � pc [ pc ] ⊢ c k � k ′ e : k [ pc ′ ] ⊢ c ′ e : k ′ Gilles Barthe Language-based methods for software security

  23. Compiling statements [ [ x ] ] = load x [ [ v ] ] = push v [ [ e 1 op e 2 ] ] = [ [ e 2 ] ] ; [ [ e 1 ] ] ; binop op k :[ [ x := e ] ] = [ [ e ] ] ; store x k :[ [ i 1 ; i 2 ] ] = k :[ [ i 1 ] ] ; k 2 :[ [ i 2 ] ] where k 2 = k + | [ [ i 1 ] ] | k :[ [ return e ] ] = [ [ e ] ] ; return k :[ [ if ( e 1 cmp e 2 ) { i 1 }{ i 2 } ] ] = [ [ e 2 ] ] ; [ [ e 1 ] ] ; if cmp k 2 ; k 1 :[ [ i 1 ] ] ; goto l ; k 2 :[ [ i 2 ] ] where k 1 = k + | [ [ e 2 ] ] | + | [ [ e 1 ] ] | + 1 k 2 = k 1 + | [ [ i 1 ] ] | + 1 l = k 2 + | [ [ i 2 ] ] | k :[ [ while ( e 1 cmp e 2 ) { i } ] ] = [ [ e 2 ] ] ; [ [ e 1 ] ] ; if cmp k 2 ; k 1 :[ [ i ] ] ; goto k = k + | [ [ e 2 ] ] | + | [ [ e 1 ] ] | + 1 where k 1 k 2 = k 1 + | [ [ i ] ] | + 1 Gilles Barthe Language-based methods for software security

  24. Compiling control dependence regions i i region(i) region(i) junc(i) junc(i) Gilles Barthe Language-based methods for software security

  25. Compiling security environment load y H L if 6 L push 1 H ∈ region ( 2 ) store x H ∈ region ( 2 ) ∈ region ( 2 ) if ( y H ) { x := 1 }{ x := 2 } ; goto 8 H x ′ := 3; ∈ region ( 2 ) push 2 H ∈ region ( 2 ) return 2 store x H push 3 L jun ( 2 ) store x ′ L push 2 L return L Gilles Barthe Language-based methods for software security

  26. Preservation of information flow types If P is typable, then the extended compiler generates security environment, regions, and stack types at junction points, such that: regions satisfy SOAP and can be checked by region checker [ [ P ] ] can be verified by lightweight checker The result also applies to concurrency (using naive rule for parallel composition) declassification Gilles Barthe Language-based methods for software security

  27. Motivation: source code verification Traditional PCC Source Program Compiler Compiled Execution Program VCGen VCGen Verification Verification Conditions Conditions Proof Prover Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  28. Motivation: source code verification Source Code Verification Source Program Compiler Compiled Execution Program VCGen VCGen Verification Verification Conditions Conditions Proof Prover Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  29. Motivation: source code verification Certificate Translation Source Program Compiler Compiled Execution Program VCGen VCGen Verification Certificate Verification Translator Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  30. Certificate translation vs certifying compilation Source Compiler Compiled Execution Source Compiler Compiled Execution Program Program Program Program VCGen VCGen VCGen VCGen Verification Verification Verification Certificate Verification Translator Conditions Conditions Conditions Conditions Proof Proof Prover Certificate OK Prover Certificate Certificate OK Checker Checker Conventional PCC Certificate Translation Automatically in- Specification Interactive ferred invariants Automatic certifying Interactive source Verification compiler verification Complex func- Safety Properties tional properties Gilles Barthe Language-based methods for software security

  31. Certificate translation vs certified compilation Certified compilation aims at producing a proof term H such that H : ∀ P µ ν , P , µ ⇓ ν = ⇒ [ ] , µ ⇓ ν [ P ] Thus, we can build a proof term H ′ : { φ } [ [ P ] ] { ψ } from H and H 0 : { φ } P { ψ } Source Compiler Compiled Execution Program Program Compilation Proof OK Checker Certificate Producer Consumer * encapsulating compiler definition * limited to input output properties source program must be available Gilles Barthe Language-based methods for software security

  32. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  33. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  34. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  35. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  36. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  37. Building a certificate Certification of annotated programs is performed in three steps A verification condition generator fully annotates the program, 1 and extracts a set of verification conditions (a.k.a. proof obligations) verification conditions are discharged interactively 2 a certificate is built from proofs of verification conditions 3 Specification + Program Theorem Prover VCGen Proof Obligations Certificate Gilles Barthe Language-based methods for software security

  38. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Gilles Barthe Language-based methods for software security

  39. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Gilles Barthe Language-based methods for software security

  40. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Gilles Barthe Language-based methods for software security

  41. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  42. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  43. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  44. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  45. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  46. Assertions Annotations do not refer to stacks Intermediate assertions may do so Gilles Barthe Language-based methods for software security

  47. Assertions Annotations do not refer to stacks Intermediate assertions may do so Gilles Barthe Language-based methods for software security

  48. Assertions Annotations do not refer to stacks Intermediate assertions may do so { true } push 5 store x { x = 5 } Gilles Barthe Language-based methods for software security

  49. Assertions Annotations do not refer to stacks Intermediate assertions may do so { true } push 5 store x os [ ⊤ ] = 5 { x = 5 } Gilles Barthe Language-based methods for software security

  50. Assertions Annotations do not refer to stacks Intermediate assertions may do so { true } push 5 5 = 5 store x os [ ⊤ ] = 5 { x = 5 } Gilles Barthe Language-based methods for software security

  51. Assertions Annotations do not refer to stacks Intermediate assertions may do so Stack indices ⊤ | ⊤ − i k ::= { true } Expressions push 5 5 = 5 store x os [ ⊤ ] = 5 res | x ⋆ | x | c | e op e | os [ k ] e ::= { x = 5 } Assertions φ ::= e cmp e | ¬ φ | φ ∧ φ | φ ∨ φ | φ ⇒ φ ∀ x . φ | ∃ x . φ Gilles Barthe Language-based methods for software security

  52. Weakest precondition if P [ k ] = push n then wp i ( k ) = wp L ( k + 1 )[ n / os [ ⊤ ] , ⊤ / ⊤ − 1 ] if P [ k ] = binop op then wp i ( k ) = wp L ( k + 1 )[ os ( ⊤ − 1 ) op os [ ⊤ ] / os [ ⊤ ] , ⊤ − 1 / ⊤ ] if P [ k ] = load x then wp i ( k ) = wp L ( k + 1 )[ x / os [ ⊤ ] , ⊤ / ⊤ − 1 ] if P [ k ] = store x then wp i ( k ) = wp L ( k + 1 )[ os [ ⊤ ] / x , ⊤ − 1 / ⊤ ] if P [ k ] = if cmp l then wp i ( k ) = ( os [ ⊤ − 1 ] cmp os [ ⊤ ] ⇒ wp L ( k + 1 )[ ⊤ − 2 / ⊤ ]) ∧ ( ¬ ( os [ ⊤ − 1 ] cmp os [ ⊤ ]) ⇒ wp L ( l )[ ⊤ − 2 / ⊤ ]) if P [ k ] = goto l then wp i ( k ) = wp L ( l ) if P [ k ] = return then wp i ( k ) = Ψ [ os [ ⊤ ] / res ] Gilles Barthe Language-based methods for software security

  53. Verification conditions Proof obligations PO ( P , Φ , Ψ ) Precondition implies the weakest precondition of entry point: Φ ⇒ wp L ( 1 ) For all annotated program points ( P [ k ] = � ϕ , i � ), the annotation ϕ implies the weakest precondition of the instruction at k : ϕ ⇒ wp i ( k ) An annotated program is correct if its verification conditions are valid. Gilles Barthe Language-based methods for software security

  54. Soundness Define validity of assertions: s | = φ µ , s | = φ (shorthand µ , ν | = φ if φ does not contain stack indices) If ( P , Φ , Ψ ) is correct, and P , µ ⇓ ν , v µ | = Φ then µ , ν | = Ψ [ v / res ] Furthermore, all intermediate assertions are verified Proof idea: if s � s ′ and s · pc = k and s ′ · pc = k ′ , µ , s ′ | = wp L ( k ′ ) µ , s | = wp i ( k ) = ⇒ Gilles Barthe Language-based methods for software security

  55. Source language Same assertions, without stack expressions Annotated programs ( P , Φ , Ψ ) , with all loops annotated while I ( t ) { s } Weakest precondition wp S ( skip , post ) = post, ∅ wp S ( x := e , post ) = post [ e / x ] , ∅ wp S ( i t , post ) = φ t , θ t wp S ( i f , post ) = φ f , θ f wp S ( if ( t ) { i t }{ i f } , post ) = ( t ⇒ φ t ) ∧ ( ¬ t ⇒ φ t ) , θ t ∪ θ f wp S ( i , I ) = φ , θ wp S ( while I ( t ) { i } , post ) = I , { I ⇒ (( t ⇒ φ ) ∧ ( ¬ t ⇒ post )) } ∪ θ wp S ( i 2 , post ) = φ 2 , θ 2 wp S ( i 1 , φ 2 ) = φ 1 , θ 1 wp S ( i 1 ; i 2 , post ) = φ 1 , θ 1 ∪ θ 2 Gilles Barthe Language-based methods for software security

  56. Preservation of proof obligations Non-optimizing compiler Syntactically equal proof obligations PO ( P , φ , ψ ) = PO ([ [ P ] ] , φ , ψ ) Non−optimizing Source Program Compiled Execution Compiler Program VCGen VCGen Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  57. PPO: from (sequential) Java to JVM We prove PPO for idealized, sequential fragments of Java and the JVM Java vs JVM Verification methods for Java programs Statement language must address known issues with objects, (obviously) methods, exceptions. Naming convention We use standard techniques: pre- and Basic types (exceptional) post-conditions, behavioral Compiler does simple subtyping optimizations Gilles Barthe Language-based methods for software security

  58. Implementing a proof transforming compiler (work by J. Charles and H. Lehner, using Mobius verification infrastructure) Reflective Proof Carrying Code Programmed and formally verified a the verification condition generator against reference specification of sequential JVM We have built a proof transforming compiler that generates for each annotated program a prelude and a set of VCs prove equivalence between source VCs and bytecode VCs Lemma vc_equiv: vc_source <-> vc_bytecode. Java Source, ESC/Java2 Frontend, ESC/Java2 AST, Source Verification Code Specs (JML) Conditions (Coq) JML to FOL Transl. FOL Annotations VCGen Bicolano (Coq) javac Equivalence FOL Annotations (Coq) Bytecode Verification Java Bytecode Bico+ VCGen (Coq) Conditions (Coq) Gilles Barthe Language-based methods for software security

  59. The main tactic Ltac magickal := repeat match goal with | [ |- forall lv: LocalVar.t, _ ] =>let lv := fresh "lv" in intro lv; mklvget lv 0%N | [ H: forall lv: LocalVar.t, _ |- _ ] => mklvupd MDom.LocalVar.empty 0%N | [ |- forall os: OperandStack.t, _ ] => intro | [ H: forall os: OperandStack.t, _ |- _ ] => let H’ := fresh "H" in (assert (H’ := H OperandStack.empty); clear H) | [ H : forall y: Heap.t, _ |- forall x: Heap.t, _] => let x := fresh "h" in (intro x; let H1 := fresh "H" in (assert (H1 := H x); clear H; try (clear x))) | [ H : forall y: Int.t, _ |- forall x: Int.t, _] => let x := fresh "i" in (intro x; let H1 := fresh "H" in (assert (H1 := H x); clear H; try (clear x))) | [ H : _ -> _ |- _ -> _] => let A := fresh "H" in (intros A; let H1 := fresh "H" in (assert (H1 := H A); clear H; clear A)) | [ H : _ /\ _ |- _ /\ _] =>let A := fresh "H" in let B := fresh "H" in (destruct H as (A, B); split; [clear B | clear A]) end. Gilles Barthe Language-based methods for software security

  60. Optimizing Compilers Non−optimizing Source Program Compiled Execution Compiler Program VCGen VCGen Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Proofs obligations might not be preserved annotations might need to be modified (e.g. constant propagation) certificates for analyzers might be needed (certifying analyzer) analyses might need to be modified (e.g. dead variable elimination) Gilles Barthe Language-based methods for software security

  61. Optimizing Compilers Non−optimizing Source Program Optimized Execution Compiler Program VCGen VCGen Compiled Optimizer Program Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Proofs obligations might not be preserved annotations might need to be modified (e.g. constant propagation) certificates for analyzers might be needed (certifying analyzer) analyses might need to be modified (e.g. dead variable elimination) Gilles Barthe Language-based methods for software security

  62. Optimizing Compilers Non−optimizing Source Program Optimized Execution Compiler Program VCGen VCGen Compiled Optimizer Program Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Proofs obligations might not be preserved annotations might need to be modified (e.g. constant propagation) certificates for analyzers might be needed (certifying analyzer) analyses might need to be modified (e.g. dead variable elimination) Gilles Barthe Language-based methods for software security

  63. Certificate Translation with Certifying Analyzers Specification of f A ( RES A ) Optimizing Certifying Analyzer Compiler Analyzer Optimized Program f Program ¯ f Specification of f TCB Interactive Verification VC Gen Certificate for f Certificate for f A Certificate Translator Proof Checker Certificate for ¯ f Gilles Barthe Language-based methods for software security

  64. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  65. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  66. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  67. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  68. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  69. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  70. Motivating example { j = 0 } { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } i := 0; { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i j := x ∗ i ; endwhile ; { n ∗ b � j } Set of Proof Obligations: j = 0 ⇒ j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 j = x ∗ i ∧ b � x ∧ 0 � i ∧ i � n ⇒ x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j Gilles Barthe Language-based methods for software security

  71. Constant propagation analysis { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  72. Program transformation { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  73. Program transformation { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  74. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  75. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  76. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  77. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  78. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  79. Proof Obligations { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Proof Obligations: j = 0 ⇒ j = b ∗ 0 ∧ b � b ∧ 0 � 0 1 j = x ∗ i ∧ b � x ∧ 0 � i ∧ i � n 2 ⇒ b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j 3 Gilles Barthe Language-based methods for software security

  80. Proof Obligations { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Proof Obligations: j = 0 ⇒ j = b ∗ 0 ∧ b � b ∧ 0 � 0 1 j = x ∗ i ∧ b � x ∧ 0 � i ∧ i � n Unprovable 2 ⇒ b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i without knowing j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j 3 x = b Gilles Barthe Language-based methods for software security

  81. Proof Obligations { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i ∧ x = b } while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Proof Obligations: j = 0 ⇒ j = b ∗ 0 ∧ b � b ∧ 0 � 0 1 j = x ∗ i ∧ b � x ∧ 0 � i ∧ x = b ∧ i � n Solution: 2 ⇒ b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i strengthen annotations j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j 3 Gilles Barthe Language-based methods for software security

  82. Strengthening annotations allows to verify proof obligations of original program but also introduces new proof obligations S 1 S 1 { ϕ 1 } { ϕ 1 ∧ ψ 1 } S 2 S 2 { ϕ 2 } { ϕ 2 ∧ ψ 2 } � S 3 S 3 { ϕ 3 } { ϕ 3 ∧ ψ 3 } ϕ 1 ⇒ wp ( S 1 , ϕ 2 ) ϕ 1 ∧ ψ 1 ⇒ wp ( S 1 , ϕ 2 ∧ ψ 2 ) ϕ 2 ⇒ wp ( S 2 , ϕ 3 ) ϕ 2 ∧ ψ 2 ⇒ wp ( S 2 , ϕ 3 ∧ ψ 3 ) If the analysis is correct, ψ 1 ⇒ wp ( S 1 , ψ 2 ) ψ 2 ⇒ wp ( S 2 , ψ 3 ) are valid proof obligations. Gilles Barthe Language-based methods for software security

  83. Strengthening annotations allows to verify proof obligations of original program but also introduces new proof obligations S 1 S 1 { ϕ 1 } { ϕ 1 ∧ ψ 1 } S 2 S 2 { ϕ 2 } { ϕ 2 ∧ ψ 2 } � S 3 S 3 { ϕ 3 } { ϕ 3 ∧ ψ 3 } ϕ 1 ⇒ wp ( S 1 , ϕ 2 ) ϕ 1 ∧ ψ 1 ⇒ wp ( S 1 , ϕ 2 ∧ ψ 2 ) ϕ 2 ⇒ wp ( S 2 , ϕ 3 ) ϕ 2 ∧ ψ 2 ⇒ wp ( S 2 , ϕ 3 ∧ ψ 3 ) If the analysis is correct, ψ 1 ⇒ wp ( S 1 , ψ 2 ) ψ 2 ⇒ wp ( S 2 , ψ 3 ) are valid proof obligations. Gilles Barthe Language-based methods for software security

  84. Strengthening annotations allows to verify proof obligations of original program but also introduces new proof obligations S 1 S 1 { ϕ 1 } { ϕ 1 ∧ ψ 1 } S 2 S 2 { ϕ 2 } { ϕ 2 ∧ ψ 2 } � S 3 S 3 { ϕ 3 } { ϕ 3 ∧ ψ 3 } ϕ 1 ⇒ wp ( S 1 , ϕ 2 ) ϕ 1 ∧ ψ 1 ⇒ wp ( S 1 , ϕ 2 ∧ ψ 2 ) ϕ 2 ⇒ wp ( S 2 , ϕ 3 ) ϕ 2 ∧ ψ 2 ⇒ wp ( S 2 , ϕ 3 ∧ ψ 3 ) If the analysis is correct, ψ 1 ⇒ wp ( S 1 , ψ 2 ) ψ 2 ⇒ wp ( S 2 , ψ 3 ) are valid proof obligations. Gilles Barthe Language-based methods for software security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 1

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 1

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 1 Motivation Mobile code is ubiquitous: large distributed networks of JVM devices aimed at providing a global and uniform access to services provide

1.52k views • 136 slides
Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 1 Dimensions of

449 views • 30 slides
Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web

641 views • 30 slides
Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe

Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe

Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe (joint work with G. Winskel while at BRICS) DIMACS, July 8, 2003 Road map 1) Security Protocol Language (SPL) Transition vs.

591 views • 25 slides
Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security Control 4 Abstraction Imperfections OS: Each process has exclusive access to its own CPU and memory Illusion!! A process may be able to

429 views • 21 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a

Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a

Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a survey paper that studies the research on information-flow security, especially on work that uses static program analysis. Why language-based

585 views • 24 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are

Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are

Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are organized by topic, in the order of the presentation. There are more papers here than discussed in the presentation. Language-based security is a big

373 views • 8 slides
INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for Summer, 2008 Michele Rousseau Lecture Note 10 Effort Estimation Announcements Assignment #3 is due on Monday Quiz #3 regrades are due today

647 views • 21 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
Language Information Retrieval applications: integration of ontology-based methods and Linguistic

Language Information Retrieval applications: integration of ontology-based methods and Linguistic

technology from seed Multi-word processing in domain specific Cross- Language Information Retrieval applications: integration of ontology-based methods and Linguistic resources Johanna Monti UNISS Maria Pia di Buono UNISA Mario

312 views • 3 slides
Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September 11, 2013 2013 ASE/IEEE

425 views • 17 slides
Natural language is a programming language: Applying natural language processing to software

Natural language is a programming language: Applying natural language processing to software

Natural language is a programming language: Applying natural language processing to software development Michael D. Ernst Presented by: Tomas Geffner, Subendhu Rongali &amp; Natcha Simsiri Before we start, what is software? Not just code/AST

437 views • 23 slides
Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is

Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is

Preview ! Introduction Lecture 10 ! Partitioning methods Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is Clustering? Examples of Clustering Applications ! Cluster: a collection of data objects !

301 views • 8 slides
Functional Languages Languages: LISP, Scheme (dialect of LISP from MIT, mid 70s), ML,

Functional Languages Languages: LISP, Scheme (dialect of LISP from MIT, mid 70s), ML,

7/6/2015 Functional Programming Paradigm The program is a collection of functions A function computes and returns a value No side effects (i.e., no changes to state) No program variables whose values change Basically, no

95 views • 8 slides
Mixing Mutability into the Nanopass Framework Andy Keep Background Nanopass framework is a

Mixing Mutability into the Nanopass Framework Andy Keep Background Nanopass framework is a

Mixing Mutability into the Nanopass Framework Andy Keep Background Nanopass framework is a DSL for writing compilers Provides a syntax for defining the grammar of an intermediate representation Intermediate representations are

1.08k views • 71 slides
Kubernetes as a Streaming Data Platform A Federated Operator Approach Data Council - Barcelona,

Kubernetes as a Streaming Data Platform A Federated Operator Approach Data Council - Barcelona,

Kubernetes as a Streaming Data Platform A Federated Operator Approach Data Council - Barcelona, October 2nd, 2019 Gerard Maas Principal Engineer, Lightbend, Inc. @maasg Gerard Maas Principal Engineer gerard.maas@lightbend.com @maasg

1.07k views • 58 slides
Functional Programming IV Spring 2014 Carola Wenk Data Structures in Scheme Scheme does not

Functional Programming IV Spring 2014 Carola Wenk Data Structures in Scheme Scheme does not

Functional Programming IV Spring 2014 Carola Wenk Data Structures in Scheme Scheme does not appear to have arrays, references, or pointers. Can we still represent the data structures weve talked about? 1 2 99 4 3 5 (1 2 99 4 3

384 views • 13 slides
Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London

Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London

Open-source Public Key Infrastructure Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 3rd August 2000, LBW2000 Open-source Public Key Infrastructure Agenda We are going to

826 views • 25 slides
1 st look at dE / dx in GArSoft 19 Mar 2019 Leo Bellantoni New art Data Product

1 st look at dE / dx in GArSoft 19 Mar 2019 Leo Bellantoni New art Data Product

1 st look at dE / dx in GArSoft 19 Mar 2019 Leo Bellantoni New art Data Product .../ReconstructionDataProduct/TrackIoniz.* Now ../Reco/tpctrackfit2_module.cc , in the KalmanFit function, will (forward pass only): for (TPCCluster=1 to

486 views • 12 slides
OpenVMS Security Update OpenVMS Security Update TCSEC C2 Ramp TCSEC C2 Ramp - -&gt; Common

OpenVMS Security Update OpenVMS Security Update TCSEC C2 Ramp TCSEC C2 Ramp - -&gt; Common

Agenda Agenda Security Ratings Security Ratings ITSEC E3 ITSEC E3 C2 &amp; E3 B1 update on C2 &amp; E3 B1 update on V6 V6.2 .2 OpenVMS Security Update OpenVMS Security Update TCSEC C2 Ramp TCSEC C2 Ramp - -&gt; Common &gt;

570 views • 7 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago &amp; much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides

More recommend