wyvern designing a language for security
play

Wyvern: Designing a Language for Security Jonathan Aldrich - PowerPoint PPT Presentation

Apr 03, 2024 •143 likes •654 views

Wyvern: Designing a Language for Security Jonathan Aldrich contributions from: Aaron Craig aldrich@cs.cmu.edu Justin Lubin http://www.cs.cmu.edu/~aldrich/ Darya Melicher Cyrus Omar Alex Potanin Anlun Xu Valerie Zhao 17-396: Language

  1. Wyvern: Designing a Language for Security Jonathan Aldrich contributions from: Aaron Craig aldrich@cs.cmu.edu Justin Lubin http://www.cs.cmu.edu/~aldrich/ Darya Melicher Cyrus Omar Alex Potanin Anlun Xu Valerie Zhao 17-396: Language Design and Prototyping Spring 2020 School of Computer Science

  2. Software security is a big problem! Prototype pollution attack (lodash) lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, … The 10 Worst Security Vulnerabilities of 2018 #3: The pdfinfojs NPM module for versions <= October 17, 2018 0.3.6 allows for command injection, allowing an attacker to execute arbitrary commands to the Security flaw in libssh leaves machine. thousands of servers at risk of hijacking 2

  3. Why Systems are Vulnerable? • We “know” how to code securely • Follow the rules: CERT, Oracle, … • Technical advances: type, memory safety • But we still fail too often! • Root causes • Coding instead of engineering • Human limitations • Unusable tools 3

  4. Our Approach: Usable Architecture-Based Security Outline – 3 issues Engineering: Usability: • Tampering w/mutable data An architecture/design A human  Immutability perspective perspective • Command injection  Type-specific languages • Resource use  Capabilities and effects Secure systems development Settings • Java (some studies) • Wyvern , a programming language designed following these principles Formal modeling: A mathematical perspective Bridge icon credit: iconsmind.com Lock icon credit: Appzgear at flaticon.com Wyvern credit: Zigeuner 4

  5. Immutability: An Architectural Perspective • Architecture: “the set of principal design decisions about the system” [Garlan and Shaw 1996; Taylor et al. 2009] • Typically large in scope • Non-architectural • final in Java: one field only, non-transitive • const in C++: protects through one reference only • Both weak reasoning: partial protection of data structure • Architectural • Transitive immutability : entire data structure protected • Strong reasoning – for security, concurrency, etc. • Interview studies: programmers want guarantees that only transitive immutability can provide [Coblenz et al. ICSE 2017] 5

  6. Formal modeling: enforcing immutability • How to enforce transitive immutability, technically? • Design decisions based on type systems / soundness proofs Static semantics Formal grammar Dynamic semantics 6

  7. Usability Experiments • 20 experienced Java programmers, 10 each in Java and Glacier • Compared errors/vulnerabilities and completion rates (Java  Glacier) errors completion 10  0 10  7 Enforcing immutability FileRequest.execute() security task 4  0 8  8 7  0 10  7 HashBucket.put() task • Unsuprising: no errors in Glacier condition • Surprising (perhaps): Glacier didn’t slow people down much • Usability results still uncommon for type systems • We should do more! 7

  8. Wyvern • Design goals • Sound, modern language design • Type- and memory-safe, mostly functional, advanced module system • Incorporate usability principles [Coblenz et al. Onward! 2018] • Security mechanisms built in • E.g. cleaner than Glacier retrofit to Java Discuss: how is immutability cleaner in Wyvern than in Glacier? • Immutability support • Default: transitive immutability • resource indicates types abstracting OS resources or mutable state Demo: Immutability in Wyvern (examples/types/person.wyv) http://wyvernlang.github.io/ 8

  9. Our Approach: Usable Architecture-Based Security Outline – 3 issues Engineering: Usability: • Tampering w/mutable data Transitive immutability Simple design,  Immutability has architectural benefits experimentally • Command injection proven effective  Type-specific languages • Resource use  Capabilities and effects Immutability in Wyvern Settings • Java (some studies) • Wyvern , a programming language designed following these principles Formal modeling: Proof of transitive immutability 9

  10. SQL Command Injection Example credit XKCD: HTTP :// XKCD . COM /327/ String s = "SELECT * FROM Students WHERE name ='" + studentName + "';" Now plug in the name: Robert'; DROP TABLE Students; -- "SELECT * FROM Students WHERE name ='Robert'; DROP TABLE Students; --';" Many similar issues • HTML (cross-site scripting) The data now includes an • Shell scripts (command injected SQL command injection) • … 10

  11. SQL Injection: a Solved Problem? Prepare a statement PreparedStatement s = connection.prepareStatement( with a hole "SELECT * FROM Students WHERE name = ?;"); s.setString(1, userName); Fill the hole s.executeQuery(); securely Discuss: why might this solution be less than satisfactory? • Evaluation X • Usability: unnatural, verbose X • Design: string manipulation captures domain poorly X • Language semantics: largely lost – just strings • No typechecking, IDE services, … 11

  12. Wyvern: Usable Secure Programming ~ introduces a domain- • A SQL query in Wyvern specific language (DSL) on the next indented lines connection.executeQuery(~) SELECT * FROM Students WHERE name = {studentName} Semantically rich DSL. Safely incorporates Can provide typchecking, dynamic data—as data, syntax highlighting, not a command …autocomplete, … • Hypothesis: Wyvern version more natural and more usable • No empirical evaluation, yet • But Omar et al. [ICSE 2012] shows benefits of similar DSL IDE plugins 12

  13. Technical Challenge: Syntax Conflicts • Language extensions as libraries has been tried before • Example: SugarJ/Sugar* [Erdweg et al, 2010; 2013] import XML, HTML Is it XML or HTML? val snippet = ~ How do I <b> parse </b> this example? 13

  14. Syntax Conflicts: Wyvern’s Solution metadata keyword indicates import metadata XML, HTML we are importing syntax, not just a library val snippet : XML = ~ How do I <b> parse </b> this example? No ambiguity: the compiler loads the unique parser associated with the expected type XML Syntax of language completely unrestricted – indentation separates from host language 14

  15. Thinking About Wyvern’s Solution import metadata XML, HTML, SQL val snippet : XML = ~ How do I <b> parse </b> this example? connection.executeQuery(~) SELECT * FROM Students WHERE name = {studentName} Discuss: what might be possible downsides of this design? 15

  16. Technical Challenge: Semantics Q: Is it safe to run custom parser at compile time? A: Yes – immutability types used to ensure imported metadata is purely functional, has no network access, etc. import metadata SQL Language definition includes val connection = SQL.connect(…) custom typechecker – can verify val studentName = input(…) query against database schema connection.executeQuery(~) SELECT * FROM Students WHERE name = {studentName} Splicing theory ensures capture- avoiding substitution in code SQL extension has access to generated by SQL extension – safe variables and their types in to use host language variables Wyvern host language 16

  17. Wyvern demo • wyvern/examples/tsls • formatstringClient.wyv (format strings) • postfixClient.wyv (list and postfix arithmetic) 17

  18. Our Approach: Usable Architecture-Based Security Outline – 3 issues Engineering: Usability: • Tampering w/mutable data Express design in Natural syntax,  Immutability domain-specific way enabling IDE • Command injection suppoert  Domain-specific languages • Resource use  Capabilities and effects DSL support in Wyvern Settings • Java (some studies) • Wyvern , a programming language designed following these principles Formal modeling: Type safety, variable hygiene, conflict-free extensions 18

  19. Resource Use • SQL extensions are nice! • But what if people use a low-level, string-based library anyway? • More broadly, what if people misuse resource-access libraries? 19

  20. What might code do to system resources? • Example scenario: constraining plugins Are these plugins safe? Could a malicious plugin delete my files? 20

  21. What might code do to system resources? • What can a plugin do? • File reads, writes? • Log an error message? • Like a file write, but more abstract Plugin My app 21

  22. What might code do to system resources? • Goal: enforce architectural layering [Dijkstra 1968] • Application code gets data using a Application code • Query ADT , which is implemented via a • SQL library , which sends commands via a • Network driver , which talks to database Query ADT • Security constraints • Network used only for database queries String-based • No direct use of string-based SQL library SQL library • Possible command injection • Abstraction of system resources • Application does safe queries Network • Query ADT does unsafe queries driver • Network driver does network access 22

  23. Two views of the resource use problem How to reason formally about resource use? How to practically enforce resource use? Can we be just as lightweight as the practical approach, but retain formal reasoning ? 23

  24. Formalist: Let’s check this statically! An effect system sounds like a good idea! 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tree Manipula,on Language (TML) Mo,va,on Designing a language

Tree Manipula,on Language (TML) Mo,va,on Designing a language

Tree Manipula,on Language (TML) Mo,va,on Designing a language that simplifies programming trees Focuses more on tree opera,on rather than underlying

377 views • 10 slides
Written Feedback and Presentation Policy 2019-20 At Wyvern St Edmunds, our aim is that every

Written Feedback and Presentation Policy 2019-20 At Wyvern St Edmunds, our aim is that every

Excellence Together Written Feedback and Presentation Policy 2019-20 At Wyvern St Edmunds, our aim is that every student becomes the best version of themselves that they can be. Every policy and procedure has our students best

501 views • 6 slides
DESIGNING EFFECTIVE DESIGNING EFFECTIVE WORKSHOPS FOR WORKSHOPS FOR LANGUAGE TEACHERS LANGUAGE

DESIGNING EFFECTIVE DESIGNING EFFECTIVE WORKSHOPS FOR WORKSHOPS FOR LANGUAGE TEACHERS LANGUAGE

www.ELTacademia.com DESIGNING EFFECTIVE DESIGNING EFFECTIVE WORKSHOPS FOR WORKSHOPS FOR LANGUAGE TEACHERS LANGUAGE TEACHERS Professor Simon Borg www.ELTacademia.com What Who How IN-SERVICE WORKSHOPS www.ELTacademia.com Who

744 views • 22 slides
Designing Privacy and Security: Beyond the Technical Perspec9ve

Designing Privacy and Security: Beyond the Technical Perspec9ve

Designing Privacy and Security: Beyond the Technical Perspec9ve Charles D. Raab Professorial Fellow Director of CRISP (Centre for Research into Informa9on,

510 views • 22 slides
ubiquity: designing a multilingual natural language interface mitcho Michael Yoshitaka Erlewine

ubiquity: designing a multilingual natural language interface mitcho Michael Yoshitaka Erlewine

ubiquity: designing a multilingual natural language interface mitcho Michael Yoshitaka Erlewine 2009 SIGIR Workshop on Information Access in a Multilingual World Boston, July 23rd, 2009 ubiquity: designing a multilingual natural language

868 views • 86 slides
Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 1 Dimensions of

449 views • 30 slides
Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web

641 views • 30 slides
Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity Framework (NIST CSF) A Business Case Agenda and Objectives The Digital Innovation Economy The Cyber Security Problem The Cyber Security Solution

260 views • 22 slides
Designing Trustworthy User-Agents for a Hostile Web Usenix Security 2009 IE8 Program Manager -

Designing Trustworthy User-Agents for a Hostile Web Usenix Security 2009 IE8 Program Manager -

Designing Trustworthy User-Agents for a Hostile Web Usenix Security 2009 IE8 Program Manager - Security IE7 PM Networking &amp; Trust Developer of Fiddler, TamperIE, IEToys IE 7 significantly reduced attack surface against the browser and

1k views • 87 slides
Designing Online Synchronous Communication to Strengthen Second-Language Communication Skills

Designing Online Synchronous Communication to Strengthen Second-Language Communication Skills

Designing Online Synchronous Communication to Strengthen Second-Language Communication Skills E. Murphy, C. Stoodley, P. Thomas, &amp; K. Scarth Objectives: 2006-07 1. Identify and examine the types of teacher practices and student

247 views • 21 slides
Toward De Designing Pri rivacy and Security La Label for or IoT IoT De Devices Pardis

Toward De Designing Pri rivacy and Security La Label for or IoT IoT De Devices Pardis

Toward De Designing Pri rivacy and Security La Label for or IoT IoT De Devices Pardis Emami-Naeini , Henry Dixon, Yuvraj Agarwal, Lorrie Cranor, Hanan Hibshi pardis@cmu.edu Roa oadmap to o de design IoT IoT Priv rivacy and and Sec

710 views • 36 slides
Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure operating systems CS 239 Assuring OS security Computer Security Logging and auditing February 27, 2006 Lecture 12 Lecture 12 Page 1 Page 2

329 views • 9 slides
Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure

Outline Operating System Security, Buffer overflows Continued Designing secure operating systems CS 239 Assuring OS security Computer Security Logging and auditing February 23, 2005 Lecture 11 Lecture 11 Page 1 Page 2

553 views • 8 slides
Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security Control 4 Abstraction Imperfections OS: Each process has exclusive access to its own CPU and memory Illusion!! A process may be able to

429 views • 21 slides
A Model for Performance Based Method for Designing a PPS Garima Sharma Safety and Security

A Model for Performance Based Method for Designing a PPS Garima Sharma Safety and Security

A Model for Performance Based Method for Designing a PPS Garima Sharma Safety and Security Studies Division, Nuclear Controls and Planning Wing Department of Atomic Energy, Mumbai, India 400001 Email: garimas@dae.gov.in Black Swan Event

184 views • 15 slides
a language for designing board games Lauren Pully (Project Manager) Jesse Bentert (Tools &amp;

a language for designing board games Lauren Pully (Project Manager) Jesse Bentert (Tools &amp;

a language for designing board games Lauren Pully (Project Manager) Jesse Bentert (Tools &amp; Language Guru) John Graham (System Architect) Daniel Wilkey (System Integrator) Yipeng Huang (Tester &amp; Validator) Overview 1 John Graham

669 views • 25 slides
Extending xADL with Statechart Behavioral Specification Leila Naslavsky, Lihua Xu, Marcio Dias,

Extending xADL with Statechart Behavioral Specification Leila Naslavsky, Lihua Xu, Marcio Dias,

Extending xADL with Statechart Behavioral Specification Leila Naslavsky, Lihua Xu, Marcio Dias, Hadar Ziv, and Debra J. Richardson Motivation Software Architecture in Dependable Systems Design (guide, analysis and evaluation of

147 views • 10 slides
Capability-based Systems Intel iAPX 432 Presented by Dan Amelang Capabilities Resources are

Capability-based Systems Intel iAPX 432 Presented by Dan Amelang Capabilities Resources are

Capability-based Systems Intel iAPX 432 Presented by Dan Amelang Capabilities Resources are represented by objects Hardware Memory Processor IO Software Services Contexts Ports Capabilities These

254 views • 13 slides
Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking about this? The TCGs Trusted Network Communications Workgroup is finalizing publication of the Trusted Network Communications Architecture for

402 views • 8 slides
I've been to the summer camp, now what? June 4, 2015 Sharon Broude Geva Director of Advanced

I've been to the summer camp, now what? June 4, 2015 Sharon Broude Geva Director of Advanced

I've been to the summer camp, now what? June 4, 2015 Sharon Broude Geva Director of Advanced Research Computing (ARC) sgeva@umich.edu arc.umich.edu What is ARC? Advanced Research Computing (ARC): Provides Flux, the shared, campus-wide

263 views • 14 slides
Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection

Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection

Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection Goals of protection schemes Domain of protection Mechanisms access matrix implementation of access matrix revocation of access

437 views • 14 slides
Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu

Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu

Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu University of Washington TLDI, January 28, 2012 Joint work with Michael D. Ernst and Dan Grossman Colin S. Gordon (University of Washington) Lock

649 views • 60 slides
Lecture 05:Examples of &amp; Metrics for Process Models 2015-05-11 Prof. Dr. Andreas Podelski,

Lecture 05:Examples of &amp; Metrics for Process Models 2015-05-11 Prof. Dr. Andreas Podelski,

Softwaretechnik / Software-Engineering Lecture 05:Examples of &amp; Metrics for Process Models 2015-05-11 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 05 2015-05-11 main Albert-Ludwigs-Universit at Freiburg, Germany

803 views • 57 slides
Software Development: Software Development: Tools and Processes Tools and Processes Lecture -

Software Development: Software Development: Tools and Processes Tools and Processes Lecture -

Software Development: Software Development: Tools and Processes Tools and Processes Lecture - - 4: Introduction to CMMI Framework 4: Introduction to CMMI Framework Lecture 1 1 Process Improvement Framework What do we understand by

403 views • 23 slides

More recommend