mind your language s a discussion about languages and
play

Mind your Language(s)! A discussion about languages and security - PowerPoint PPT Presentation

Oct 10, 2023 •243 likes •1.07k views

Mind your Language(s)! A discussion about languages and security Olivier Levillain & Pierre Chifflier ANSSI Hackito Ergo Sum, 2015-10-29 Levillain & Chifflier Mind your Language(s)! HES 2015 1 / 59 Who are we? Olivier Levillain (

  1. Mind your Language(s)! A discussion about languages and security Olivier Levillain & Pierre Chifflier ANSSI Hackito Ergo Sum, 2015-10-29 Levillain & Chifflier Mind your Language(s)! HES 2015 1 / 59

  2. Who are we? Olivier Levillain ( @pictyeye ) ◮ 2007-2014 (DCSSI/ANSSI) in the labs (systems then network) ◮ since 2015 (ANSSI) head of the training center ◮ PhD student (since 2011!) working on SSL/TLS ◮ Participation to the languages studies since 2007 Pierre Chifflier ( @pollux7 ) ◮ 2011-2015 (ANSSI) in the labs (systems) ◮ since 2015 (ANSSI) head of the research Lab for Exploration and Detection (LED) ◮ Firewalls, IDS, UEFI, compilers, languages, . . . Levillain & Chifflier Mind your Language(s)! HES 2015 2 / 59

  3. ANSSI ANSSI (French Network and Information Security Agency) has InfoSec (and no Intelligence) missions: ◮ detect and early react to cyber attacks ◮ prevent threats by supporting the development of trusted products and services ◮ provide reliable advice and support ◮ communicate on information security threats and the related means of protection These missions concern: ◮ governmental entities ◮ companies ◮ the general public Levillain & Chifflier Mind your Language(s)! HES 2015 3 / 59

  4. Why would we mind our languages? In 2005, the DCSSI was asked whether Java could be used to develop security products or not The question is interesting, and it can be broadened: ◮ Are some languages better suited for security? On which criteria? ◮ Should we forbid, discourage, recommend or require the use of particular languages or particular constructions? ◮ What would be a language dedicated to security like? What about its compiler and its runtime? It seems few people considered this question Levillain & Chifflier Mind your Language(s)! HES 2015 4 / 59

  5. Foreword What this presentation is about ◮ the impact of the language on security properties is understudied ◮ it covers a broad spectrum of subjects ◮ since 2005, two studies: JavaSec and LaFoSec (available on www.ssi.gouv.fr ) ◮ each time, our partners did not at first share (or even understand) our concerns ◮ the following examples do not aim at criticising particular languages ◮ no language was harmed during our work 1 1 They were already like that when we began. Levillain & Chifflier Mind your Language(s)! HES 2015 5 / 59

  6. The five stages of this presentation During and after this presentation, you might experience different reactions ◮ denial: you can check yourself easily most of our examples ◮ anger: “Of course, language X first converts strings to ints before comparing them. You moron...” ◮ bargaining: you might be trying to justify the unjustifiable ◮ depression: “why bother developing if all is lost?” ◮ acceptance: some languages/constructions are not your friends... you must learn to know them and their quirks Levillain & Chifflier Mind your Language(s)! HES 2015 6 / 59

  7. Illustrations Outline Illustrations The elephant in the room Some revision of the classics What about your favorite script language? Qui aime bien chˆ atie bien Beyond the code About specifications Tools/Runtime? Conclusion Levillain & Chifflier Mind your Language(s)! HES 2015 7 / 59

  8. Illustrations The elephant in the room Outline Illustrations The elephant in the room Some revision of the classics What about your favorite script language? Qui aime bien chˆ atie bien Beyond the code About specifications Tools/Runtime? Conclusion Levillain & Chifflier Mind your Language(s)! HES 2015 8 / 59

  9. Illustrations The elephant in the room [ JavaScript ] Some are more equal than others JavaScript offers all the modern comfort. . . if (0== ’0 ’) print (" Equal "); else print (" Different "); switch (0) { case ’0’:print (" Equal "); default:print (" Different "); } Levillain & Chifflier Mind your Language(s)! HES 2015 9 / 59

  10. Illustrations The elephant in the room [ JavaScript ] Some are more equal than others JavaScript offers all the modern comfort. . . if (0== ’0 ’) print (" Equal "); else print (" Different "); switch (0) { case ’0’:print (" Equal "); default:print (" Different "); } Output is Equal , then Different Levillain & Chifflier Mind your Language(s)! HES 2015 9 / 59

  11. Illustrations The elephant in the room [ JavaScript ] Reconversion Should we prefer cast and overloading, or associativity and transitivity? Levillain & Chifflier Mind your Language(s)! HES 2015 10 / 59

  12. Illustrations The elephant in the room [ JavaScript ] Reconversion Should we prefer cast and overloading, or associativity and transitivity? In JavaScript , ’0’==0 is true, as well as 0==’0.0’ . However, ’0’==’0.0’ is false; in other words, equality is not transitive Levillain & Chifflier Mind your Language(s)! HES 2015 10 / 59

  13. Illustrations The elephant in the room [ JavaScript ] Reconversion Should we prefer cast and overloading, or associativity and transitivity? In JavaScript , ’0’==0 is true, as well as 0==’0.0’ . However, ’0’==’0.0’ is false; in other words, equality is not transitive Another example: the + operator, which can be either the addition of integers, or the concatenation of strings, but is associative in both cases a=1; b=2; c=’Foo ’; print(a+b+c); print(c+a+b); print(c+(a+b)); Levillain & Chifflier Mind your Language(s)! HES 2015 10 / 59

  14. Illustrations The elephant in the room [ JavaScript ] Reconversion Should we prefer cast and overloading, or associativity and transitivity? In JavaScript , ’0’==0 is true, as well as 0==’0.0’ . However, ’0’==’0.0’ is false; in other words, equality is not transitive Another example: the + operator, which can be either the addition of integers, or the concatenation of strings, but is associative in both cases a=1; b=2; c=’Foo ’; print(a+b+c); print(c+a+b); print(c+(a+b)); 3Foo , Foo12 and Foo3 Levillain & Chifflier Mind your Language(s)! HES 2015 10 / 59

  15. Illustrations The elephant in the room [ JavaScript ] Enter the Matrix 1/4 Equal == Levillain & Chifflier Mind your Language(s)! HES 2015 11 / 59

  16. Illustrations The elephant in the room [ JavaScript ] Enter the Matrix 2/4 Lesser than or equal <= Levillain & Chifflier Mind your Language(s)! HES 2015 12 / 59

  17. Illustrations The elephant in the room [ JavaScript ] Enter the Matrix 3/4 Lesser than < Levillain & Chifflier Mind your Language(s)! HES 2015 13 / 59

  18. Illustrations The elephant in the room [ JavaScript ] Enter the Matrix 4/4 Greater than > Levillain & Chifflier Mind your Language(s)! HES 2015 14 / 59

  19. Illustrations The elephant in the room Levillain & Chifflier Mind your Language(s)! HES 2015 15 / 59

  20. Illustrations The elephant in the room [ JavaScript ] M’enfin Given that, crypto using JS (in the browser) really looks like a good idea: ◮ OpenPGP.js ◮ Google End-To-End ◮ keybase.io ◮ Heartbleed and javascript crypto Levillain & Chifflier Mind your Language(s)! HES 2015 16 / 59

  21. Illustrations Some revision of the classics Outline Illustrations The elephant in the room Some revision of the classics What about your favorite script language? Qui aime bien chˆ atie bien Beyond the code About specifications Tools/Runtime? Conclusion Levillain & Chifflier Mind your Language(s)! HES 2015 17 / 59

  22. Illustrations Some revision of the classics [ Shell ] True, False, FILE NOT FOUND 1/2 #!/ bin/bash PIN =1234 echo -n "Please type your PIN code (4 digits): " read -s PIN_TYPED; echo if [ "$PIN" -ne " $PIN_TYPED" ]; then echo "Invalid PIN code ."; exit 1 else echo " Authentication OK"; exit 0 fi Levillain & Chifflier Mind your Language(s)! HES 2015 18 / 59

  23. Illustrations Some revision of the classics [ Shell ] True, False, FILE NOT FOUND 1/2 #!/ bin/bash PIN =1234 echo -n "Please type your PIN code (4 digits): " read -s PIN_TYPED; echo if [ "$PIN" -ne " $PIN_TYPED" ]; then echo "Invalid PIN code ."; exit 1 else echo " Authentication OK"; exit 0 fi A wrong PIN code will be rejected; yet if the user sends non-numeric characters, access will be granted Levillain & Chifflier Mind your Language(s)! HES 2015 18 / 59

  24. Illustrations Some revision of the classics [ C ] True, False, FILE NOT FOUND 2/2 Focus on the Goto Fail vulnerability of GnuTLS (CVE-2014-0092), in March 2014 ( lwn.net ) But this bug is arguably much worse than Apple ’s, as it has allowed crafted certificates to evade validation check for all versions of GnuTLS ever released since that project got started in late 2000.[...] The check_if_ca function is supposed to return true (any non-zero value in C) or false (zero) depending on whether the issuer of the certificate is a certificate authority (CA). A true return should mean that the certificate passed muster and can be used further, but the bug meant that error returns were misinterpreted as certificate validations. Levillain & Chifflier Mind your Language(s)! HES 2015 19 / 59

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mind your Language(s)! A discussion about languages and security Eric Jaeger &amp; Olivier

Mind your Language(s)! A discussion about languages and security Eric Jaeger &amp; Olivier

Mind your Language(s)! A discussion about languages and security Eric Jaeger &amp; Olivier Levillain LangSec Workshop @ IEEE SSP, 2014-05-18 ANSSI ANSSI (French Network and Information Security Agency) has InfoSec (and no Intelligence)

697 views • 46 slides
Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc.

Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc.

Decision Properties of Regular Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc. 1 Properties of Language Classes A language class is a set of languages. Example: the regular languages. Language

920 views • 77 slides
Language and the Mind Sciences John A. Goldsmith March 31, 2016 Language and the Mind Sciences :

Language and the Mind Sciences John A. Goldsmith March 31, 2016 Language and the Mind Sciences :

Language and the Mind Sciences John A. Goldsmith March 31, 2016 Language and the Mind Sciences : A book in two volumes, with Bernard Laks, exploring the connections, ruptures, and continuities among linguistics, philosophy, psychology, and logic.

251 views • 5 slides
Decision Properties of Regular Languages General Discussion of Properties The Pumping

Decision Properties of Regular Languages General Discussion of Properties The Pumping

Decision Properties of Regular Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc. 1 Properties of Language Classes A language class is a set of languages. We have one example: the regular

883 views • 56 slides
MASTER DISSERTATION Letters and Foreign Languages English Language Sciences of the language

MASTER DISSERTATION Letters and Foreign Languages English Language Sciences of the language

Mohamed Khider University of Biskra Faculty of Letters and Languages Department of Foreign Languages MASTER DISSERTATION Letters and Foreign Languages English Language Sciences of the language Submitted and Defended by: Mr.Kherbachi Abdellatif

1.32k views • 99 slides
11-830 Computational Ethics for NLP Language Technologies for Endangered Languages Government

11-830 Computational Ethics for NLP Language Technologies for Endangered Languages Government

11-830 Computational Ethics for NLP Language Technologies for Endangered Languages Government Investment in Languages Language Technologies mostly developed for High Resource Languages English, Spanish, German, Arabic, Mandarin What

465 views • 24 slides
Languages This will be on the exam Computability What is a language? What is a class

Languages This will be on the exam Computability What is a language? What is a class

Languages This will be on the exam Computability What is a language? What is a class of languages? Before We Start The Turing Machine Any questions? Motivating idea Build a theoretical a human computer Likened to

320 views • 10 slides
Languages and dialects ! What's a dialect of a language? ! Dialects of English: Languages,

Languages and dialects ! What's a dialect of a language? ! Dialects of English: Languages,

Languages and dialects ! What's a dialect of a language? ! Dialects of English: Languages, dialects, and power Scots / Scottish English Linguistics 201 African American Vernacular English Guest lecturer: Andrew Weir Cockney April 19,

64 views • 5 slides
Natural Language Processing Lecture 27: NLP for Languages Other Than English The multilingual

Natural Language Processing Lecture 27: NLP for Languages Other Than English The multilingual

Natural Language Processing Lecture 27: NLP for Languages Other Than English The multilingual world An Introduction How many languages are there? Ethnologue: over 7400 Lexico-statistical definition of languages: percentage

564 views • 52 slides
Languages at Downlands One language sets you in a corridor for life. Two languages open

Languages at Downlands One language sets you in a corridor for life. Two languages open

Modern Foreign Languages at Downlands One language sets you in a corridor for life. Two languages open every door along the way FRANK SMITH Transferable Skills : Giving students the edge social skills ability to work in a team

228 views • 6 slides
Language Contact Linguistics 203 Languages of the World Major Language Families Source: Comrie

Language Contact Linguistics 203 Languages of the World Major Language Families Source: Comrie

Language Contact Linguistics 203 Languages of the World Major Language Families Source: Comrie et al. (2003) Lack of Language Contact leads to greater differences in related languages/dialects Reasons for lack of contact migration

435 views • 40 slides
High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language Why Learn New Language availability special features porting maintenance more tools required for job cost Why Design a

1.36k views • 54 slides
Outline Languages and Formal Systems BNF Grammars Describing Languages Learning

Outline Languages and Formal Systems BNF Grammars Describing Languages Learning

Outline Languages and Formal Systems BNF Grammars Describing Languages Learning New Languages Languages Evaluation Rules #1 #2 What is a language? What is a language? Webster: Webster: A systematic means of A

521 views • 10 slides
1 Introduction Why Study Programming Languages? Choosing the right language for the job

1 Introduction Why Study Programming Languages? Choosing the right language for the job

1 Introduction Why Study Programming Languages? Choosing the right language for the job Designing a better language Languages we know determine how we think about programming A language that doesnt affect the way you think

622 views • 48 slides
Language engineering and Domain Specific Languages Perdita Stevens School of Informatics

Language engineering and Domain Specific Languages Perdita Stevens School of Informatics

Language engineering and Domain Specific Languages Perdita Stevens School of Informatics University of Edinburgh Plan 1. Defining languages 2. General purpose languages vs domain specific languages 3. Internal and external DSLs 4. What

677 views • 45 slides
understanding the mind Naomi Feldman University of Maryland December 4, 2014 Language in the

understanding the mind Naomi Feldman University of Maryland December 4, 2014 Language in the

Toward a goal of understanding the mind Naomi Feldman University of Maryland December 4, 2014 Language in the mind How to learners acquire speech sound categories? How do listeners perceive speech in noisy situations? How do

366 views • 22 slides
Compiling occam to C with Tock Adam Sampson ats@offog.org University of Kent

Compiling occam to C with Tock Adam Sampson ats@offog.org University of Kent

Compiling occam to C with Tock Adam Sampson ats@offog.org University of Kent http://www.cs.kent.ac.uk/ Compiling occam to C with Tock p. 1 Introduction We do most of our work with occam- Big new project starting in a couple of

369 views • 22 slides
CS 457 Networking and the Internet Fall 2016 Electronic Mail: SMTP [RFC 2821] uses TCP

CS 457 Networking and the Internet Fall 2016 Electronic Mail: SMTP [RFC 2821] uses TCP

CS 457 Networking and the Internet Fall 2016 Electronic Mail: SMTP [RFC 2821] uses TCP to reliably transfer email message from client to server, port 25 direct transfer: sending server to receiving server three phases of

472 views • 11 slides
Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1

Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1

Formal semantics of Cypher: towards a standard language for querying property graphs N. Francis 1 A. Green 2 M. Rydberg 2 P. Guagliardo 3 V. Marsault 1 T. Lindaaker 2 P. Selmer 2 L. Libkin 3 S. Plantikow 2 A. Taylor 2 M. Schuster 3 1. Univ.

1.46k views • 111 slides
FIM : Fbi IMproved 21.03.2013 A flexible image viewer muc.ccc.de svn export

FIM : Fbi IMproved 21.03.2013 A flexible image viewer muc.ccc.de svn export

FIM : Fbi IMproved 21.03.2013 A flexible image viewer muc.ccc.de svn export http://code.autistici.org/svn/fim what ? fim is an image viewer a modal one: two modes: interactive (using Keys ) command line

836 views • 27 slides
3GB3 C HAPTER 4: G AME W ORLDS D EFINITION : W HAT IS A GAME WORLD ? Artificial universe,

3GB3 C HAPTER 4: G AME W ORLDS D EFINITION : W HAT IS A GAME WORLD ? Artificial universe,

3GB3 C HAPTER 4: G AME W ORLDS D EFINITION : W HAT IS A GAME WORLD ? Artificial universe, imaginary place in which events of the game occur - Football (Game, magic circle, no gameworld ) - Chess (Is a game world, but not

742 views • 9 slides
CLiMB ToolKit ToolKit: A Case Study : A Case Study CLiMB of Iterative Evaluation of Iterative

CLiMB ToolKit ToolKit: A Case Study : A Case Study CLiMB of Iterative Evaluation of Iterative

CLiMB ToolKit ToolKit: A Case Study : A Case Study CLiMB of Iterative Evaluation of Iterative Evaluation in a Multidisciplinary Project in a Multidisciplinary Project Rebecca Passonneau, Roberta Blitz, David Elson, Angela Giral Columbia

244 views • 21 slides
Token to Words Expanding identified token to words numbers+type = word list

Token to Words Expanding identified token to words numbers+type = word list

Token to Words Expanding identified token to words numbers+type = word list homographs+type = words symbols broken down and pronounced unknown words: as word or letter sequence 11-752, LTI, Carnegie Mellon (define (token_to_words

836 views • 48 slides
Languages of the World Antonis Anastasopoulos Site https://phontron.com/class/mtandseq2seq2019/

Languages of the World Antonis Anastasopoulos Site https://phontron.com/class/mtandseq2seq2019/

CS11-731 Machine Translation and Sequence-to-Sequence Models Languages of the World Antonis Anastasopoulos Site https://phontron.com/class/mtandseq2seq2019/ The state-of-the-art in German-English MT on News translation is around 42

548 views • 22 slides

More recommend