Program Languages and Program Analysis for Security
Marco Pistoia, Ulfar Erlingsson
Outline
- Introduction
- Secure Language Design
- Access Control
- Web Application Security
- Secure Information Flow
- Trusted Declassification
- Secure Development
- Conclusion
Introduction

Software Security
- Usually an afterthought of development
- When security problems arise, it can be very difficult to find and fix them
- The research community has created new languages and static and dynamic analysis tools
- It has been looking for solutions to automatically detect them
ACM SIGPLAN
- A yearly workshop on Programming Languages and Analysis for Security (PLAS)
- Introduced in 2006
- This paper is a 3-year retrospective of PLAS
Secure Language Design
Research
- Designing languages with security features
  - Code-based and subject-based authentication and authorization, information flow, and support for cryptography
- Adding missing security features to existing languages
JIF
- Java Information Flow (JIF) is a language that requires variables to be labeled with information-flow security policies
- The compiler flags where possible information leaks may occur
Access Control
Mobile
- An extension of the .NET Common Intermediate Language which supports Inlined Reference Monitors (IRMs)
- If a Mobile application is well typed, then it is guaranteed not to violate the security policy when run
- An IRM expressed in Mobile can be certified by a simple type-checker
  - Eliminates the need to trust the producer
Mobile with .NET
- No change is required to existing .NET virtual machine implementations when executing Mobile programs
- Mobile consists of normal managed CIL code stored in .NET attributes
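As an added example (not code from the paper or from the Mobile/CIL project), a toy inlined reference monitor: the rewriter inlines a security automaton's state update and check in front of every policy-relevant instruction, so the unmodified interpreter (standing in for the VM) enforces the policy. The instruction set, the policy ("no network send after reading a secret") and the sample programs are all constructed for the example.

```python
# Added example: inlining a reference monitor into a toy instruction list.
# The interpreter below has no security logic of its own; enforcement comes
# entirely from the ('check', op) instructions the rewriter inserts.

SECRET_READ, SEND = "read_secret", "send"

# Security automaton (constructed policy): state 0 = clean, state 1 = a secret
# has been read. A missing transition is a policy violation.
POLICY = {
    (0, SECRET_READ): 1,
    (0, SEND): 0,
    (1, SECRET_READ): 1,
    # (1, SEND) is deliberately absent: sending after a secret read is forbidden
}

def inline_monitor(program):
    """Return a rewritten program with a ('check', op) instruction inserted
    before every policy-relevant op; the original instructions are untouched."""
    rewritten = []
    for instr in program:
        op = instr[0]
        if any(key[1] == op for key in POLICY):
            rewritten.append(("check", op))
        rewritten.append(instr)
    return rewritten

def run(program):
    """Plain interpreter: executes 'check' like any other op by stepping the
    monitor state, and halts the program when the automaton has no transition."""
    state, log = 0, []
    for instr in program:
        op = instr[0]
        if op == "check":
            key = (state, instr[1])
            if key not in POLICY:
                log.append(f"IRM halt: {instr[1]} forbidden in state {state}")
                return log
            state = POLICY[key]
        elif op == "compute":
            log.append(f"compute {instr[1]}")
        else:
            log.append(op)
    return log

# Constructed sample programs: GOOD sends before reading, BAD sends after.
GOOD = [("compute", 1), ("send",), ("read_secret",), ("compute", 2)]
BAD = [("read_secret",), ("compute", 3), ("send",)]
```

Running `run(BAD)` executes the send, while `run(inline_monitor(BAD))` halts at the inlined check before it.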
Web Application Security
Integrity and Confidentiality
- Common attacks
  - Structured Query Language injection (SQLi)
  - Cross-site Scripting (XSS)
- Other problems with the advent of Web 2.0
  - Ajax, continuous network activity
- Web apps need to sanitize all input data from untrusted users
- Verify that the information they release is not private and is properly declassified
Eliminate Vulnerabilities
- Script injection vulnerabilities in applications
- Requires only minor browser modifications
  - Extension of the same-origin policy for JavaScript
- No changes to the development process in most cases
  - Slight framework modification for apps built on top of a framework
Encryption Mechanism
- Encrypt data before sending it to untrusted sites
- Manage encryption keys using keystores on the Web without user intervention
Automated Solutions
- Manual code reviews are time consuming and expensive
- Use static source-code analysis
  - Precise alias analysis
  - Targeted at the unique reference semantics commonly found in scripting languages
- Quality and quantity of the generated vulnerability reports are enhanced via a novel algorithm
Secure Information Flow
Type Systems
- Mechanism for efficiently checking that information flows within a program are secure
- Conservative, often rejecting safe programs
  - Users have to decide
Remedy
- Method for automatically finding witnesses of insecure information flow
  - Reports the exact input states that lead to leakage of secret information
- Combination of type-based analysis and model checking
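As an added example (not the paper's method, which combines types with model checking), a brute-force witness finder in the same spirit: it searches a small, constructed input space for two states that agree on the low input but differ on the high input and yield different low output, and reports those exact states. The program under analysis is constructed for the example.

```python
# Added example: finding a concrete noninterference witness by enumeration.
# A leak witness is (low, high1, high2, out1, out2): same public input, two
# different secrets, two different public outputs.
from itertools import product

def leaky_program(low, high):
    """Constructed program under analysis: the public result is meant to
    depend only on `low`, but the branch on `high` leaks one bit of it."""
    result = low * 2
    if high > 4:          # implicit flow: secret-dependent branch, low-visible effect
        result += 1
    return result

def secure_program(low, high):
    """Constructed control case: no dependence on the secret at all."""
    return low * 2

def find_leak_witness(prog, low_values, high_values):
    """Return (low, high1, high2, out1, out2) for the first pair of input states
    that reveals the secret through the low output, or None if none exists."""
    for low in low_values:
        for h1, h2 in product(high_values, repeat=2):
            if h1 >= h2:          # each unordered pair of secrets once
                continue
            o1, o2 = prog(low, h1), prog(low, h2)
            if o1 != o2:
                return (low, h1, h2, o1, o2)
    return None
```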
Fixing Existing Programs
- Adding a sound information-flow security policy to an existing program is a difficult task
  - Requires major code inspection
  - Program analysis
  - Structural changes of code
Refactoring Programs
- Refactor programs into distinct components of high and low security
  - Aids in the production of programs with sound information-flow policies
  - Programs without information-flow
- A program slicer is used to identify code that depends on high-security inputs
- Controlled information releases can occur at explicit declassification points
- Results in a program with explicit interfaces between components of different security levels
Efficient Algorithm
- Algorithms can be developed for information-flow analysis expressed using a type system
- The algorithm can check whether the program is well typed, and that no information of higher security classes flows into places of lower security classes, according to a lattice of security classes
- The analysis is expressed as a set of Datalog-like rules based on the typing and subtyping rules
Trusted Declassification
Downgrading
- Process of verifying and endorsing previously suspect information and declassifying originally confidential information
- Must be done with care
Trusted Declassification
- Let declassified functions be set by the security admin as part of the global policy
- Declassification policies are a key part of language-based information security
- Different approaches address different aspects
  - What, who, when, and where
- Must combine all these to avoid information laundering
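As an added example (not code from the paper, from Jif, or from any PLAS project), one block that serves three slides: the label checking JIF performs, the Datalog-like flow rules of the Efficient Algorithm slide, and the trusted-declassification policy above. The lattice, the program facts and the labels are constructed; a flow is a violation unless the labels are ordered in the lattice or the value passes through a declassifier the administrator registered in the global policy.

```python
# Added example: information-flow analysis as Datalog-style rules evaluated
# to a fixpoint, with administrator-set trusted declassifiers.
#
#   flow(x,y)      :- assign(y,x).
#   flow(x,y)      :- branch(x,y).                 (implicit flow)
#   flow(x,y)      :- call(y,f,x), not declass(f). (untrusted function)
#   flow(x,z)      :- flow(x,y), flow(y,z).
#   violation(x,y) :- flow(x,y), not leq(label(x), label(y)).

# Constructed lattice of security classes: LOW <= MEDIUM <= HIGH.
ORDER = {("LOW", "MEDIUM"), ("MEDIUM", "HIGH"), ("LOW", "HIGH")}

def leq(a, b):
    """Subtyping relation on security classes (reflexive)."""
    return a == b or (a, b) in ORDER

# Constructed program facts: assign(dst, src); branch(cond_var, dst) for an
# assignment to dst under a branch on cond_var; call(dst, fn, src).
ASSIGN = {("tmp", "secret"), ("out", "tmp")}
BRANCH = {("secret", "flag")}
CALL = {("report", "redact", "secret")}
LABEL = {"secret": "HIGH", "tmp": "HIGH", "out": "LOW",
         "flag": "LOW", "report": "LOW"}

def analyze(declassifiers, assign=ASSIGN, branch=BRANCH, call=CALL, label=LABEL):
    """Return the sorted list of (src, dst) flows that violate the lattice.
    `declassifiers` is the set of function names the security admin trusts;
    a call through any other function is an ordinary (checked) flow, which is
    what stops an application from laundering secrets through its own code."""
    flow = set()
    flow |= {(src, dst) for dst, src in assign}
    flow |= {(var, dst) for var, dst in branch}
    flow |= {(src, dst) for dst, fn, src in call if fn not in declassifiers}
    while True:  # transitive closure to a fixpoint
        new = {(x, z) for x, y in flow for y2, z in flow if y == y2} - flow
        if not new:
            break
        flow |= new
    return sorted((x, y) for x, y in flow if not leq(label[x], label[y]))
```

With `redact` registered, only the raw flows into `out` and `flag` are reported; with an empty policy, the flow through `redact` into `report` is reported as well.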
Secure Development
Secure Code Development
- To guarantee security for a software's lifecycle, it is essential to write secure code
- Set of principles
  - Subset implemented in an IDE for Jif (built on Eclipse)
Conclusion
- The ACM SIGPLAN workshop on Programming Languages and Analysis for Security (PLAS) has provided important work on privacy, security and programming languages
- It has made progress in securing the entire software lifecycle
  - Development and deployment
  - Legacy and new code