Program Languages and Program Analysis for Security
Marco Pistoia, Ulfar Erlingsson
27 slides

Posted 08-Jan-2016


DESCRIPTION

Program Languages and Program Analysis for Security, by Marco Pistoia and Ulfar Erlingsson. PowerPoint (PPT) presentation. Contents: Introduction, Secure Language Design, Access Control, Web Application Security, Secure Information Flow, Trusted Declassification, Secure Development, Conclusion. Software Security.

TRANSCRIPT

Page 1: Program Languages and Program Analysis for Security

Program Languages and Program Analysis for Security
Marco Pistoia, Ulfar Erlingsson

Page 2: Program Languages and Program Analysis for Security

Introduction
Secure Language Design
Access Control
Web Application Security
Secure Information Flow
Trusted Declassification
Secure Development
Conclusion

Page 3: Program Languages and Program Analysis for Security

Software Security

Usually an afterthought of development
When security problems arise, they can be very difficult to find and fix
The research community has created new languages and static and dynamic analysis tools
Has been looking for solutions to automatically detect

Page 4: Program Languages and Program Analysis for Security

ACM SIGPLAN

A yearly workshop on Programming Languages and Analysis for Security (PLAS)
Introduced in 2006
This paper is a 3-year retrospective of PLAS

Page 5: Program Languages and Program Analysis for Security

(Agenda slide, repeated from Page 2)

Page 6: Program Languages and Program Analysis for Security

Research

Designing languages with security features
Code-based and subject-based authentication and authorization, information flow, and support for cryptography
Adding missing security features to existing languages

Page 7: Program Languages and Program Analysis for Security

JIF

Java Information Flow (JIF) is a language that requires variables to be labeled with information-flow security policies.
The compiler flags where possible information leaks may occur

Page 8: Program Languages and Program Analysis for Security

(Agenda slide, repeated from Page 2)

Page 9: Program Languages and Program Analysis for Security

Mobile

An extension of the .NET Common Intermediate Language which supports Inlined Reference Monitors (IRMs)
If a Mobile application is well typed, then it is guaranteed not to violate the security policy when run
An IRM expressed in Mobile can be certified by a simple type-checker
Eliminates the need to trust the producer

Page 10: Program Languages and Program Analysis for Security

Mobile with .NET

No change is required to existing .NET virtual machine implementations when executing Mobile programs
Mobile consists of normal managed CIL code stored in .NET attributes
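The inlined-reference-monitor idea on Pages 9 and 10, as an added example (not code from the slides or from the Mobile project): a policy is a small security automaton, the untrusted producer's rewriter inlines a check before every security-relevant operation, and the consumer certifies the result with a local syntactic check rather than trusting the rewriter. The policy ("after reading the secret file, no more network sends"), the operation names and the program representation as a list of tuples are all constructed for this example.

```python
"""Inlined reference monitor (IRM) sketch: policy automaton, rewriter, certifier, runner."""
from typing import Dict, List, Optional, Tuple

# Hypothetical policy (constructed for this example): once the program has read the
# file "secret", it may no longer send on the network. Two automaton states.
SENSITIVE_OPS = frozenset({"read", "send"})

POLICY: Dict[Tuple[str, str, str], str] = {
    # (state, op, argument) -> next state; a missing transition is a violation.
    ("clean", "read", "public"): "clean",
    ("clean", "read", "secret"): "tainted",
    ("clean", "send", "*"): "clean",
    ("tainted", "read", "public"): "tainted",
    ("tainted", "read", "secret"): "tainted",
}

def policy_step(state: str, op: str, arg: str) -> Optional[str]:
    """Advance the security automaton; None means the policy would be violated."""
    for key in ((state, op, arg), (state, op, "*")):
        if key in POLICY:
            return POLICY[key]
    return None

Op = Tuple[str, str]            # e.g. ("read", "secret"), ("send", "example.org"), ("compute", "x")
Instr = Tuple[str, str, str]    # ("check", op, arg) or ("do", op, arg)

def inline_monitor(program: List[Op]) -> List[Instr]:
    """Producer-side rewriting: place a policy check immediately before each sensitive op."""
    out: List[Instr] = []
    for op, arg in program:
        if op in SENSITIVE_OPS:
            out.append(("check", op, arg))
        out.append(("do", op, arg))
    return out

def certify(instrumented: List[Instr]) -> bool:
    """Consumer-side certification: every sensitive op must be immediately preceded by a
    check for the same op and argument. This plays the role of the simple type-checker on
    Page 9: the host verifies the inlined checks instead of trusting whoever inserted them."""
    prev: Optional[Instr] = None
    for instr in instrumented:
        kind, op, arg = instr
        if kind == "do" and op in SENSITIVE_OPS and prev != ("check", op, arg):
            return False
        prev = instr
    return True

def run(instrumented: List[Instr]) -> Tuple[bool, List[Op]]:
    """Execute: checks advance the automaton and halt the program on a violation.
    Returns (completed_normally, operations actually performed)."""
    state = "clean"
    performed: List[Op] = []
    for kind, op, arg in instrumented:
        if kind == "check":
            nxt = policy_step(state, op, arg)
            if nxt is None:
                return False, performed
            state = nxt
        else:
            performed.append((op, arg))
    return True, performed

def demo() -> dict:
    # Constructed sample programs.
    good = [("read", "public"), ("send", "example.org"), ("compute", "x")]
    bad = [("read", "secret"), ("compute", "x"), ("send", "example.org")]
    forged = [("do", "send", "example.org")]     # a producer that omitted the check
    return {
        "good": run(inline_monitor(good)),
        "bad": run(inline_monitor(bad)),
        "good_certified": certify(inline_monitor(good)),
        "forged_certified": certify(forged),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The split between `certify` and `run` is the point of the slide: the policy is enforced at run time by the inlined checks, but the consumer only needs to trust its own cheap certifier, not the producer of the code.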

Page 11: Program Languages and Program Analysis for Security

(Agenda slide, repeated from Page 2)

Page 12: Program Languages and Program Analysis for Security

Integrity and Confidentiality

Common attacks: Structured Query Language injection (SQLi); Cross-site Scripting (XSS)
Other problems with the advent of Web 2.0: Ajax, continuous network activity
Web apps need to sanitize all input data from untrusted users
Verify that the information they release is not private and has been properly declassified
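The two attacks named on this slide, shown as an added example (not code from the slides): each vulnerable construction is placed beside its hardened form, using Python's standard `sqlite3` and `html` modules. The table, the rows and the sample inputs are constructed for the example.

```python
"""SQL injection and XSS: the vulnerable construction beside the hardened form."""
import html
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Untrusted input spliced into SQL text: the input can change the query's structure."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterized query: the driver passes the input as data, never as SQL syntax."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def greet_vulnerable(name: str) -> str:
    """Reflects input into HTML unescaped: markup in the input becomes markup in the page."""
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name: str) -> str:
    """Encodes the untrusted value for the HTML text context it is inserted into."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    conn = make_db()
    sqli_input = "x' OR '1'='1"               # constructed sample: input that carries SQL syntax
    xss_input = "<script>alert(1)</script>"   # constructed sample: input that carries markup
    return {
        "sqli_vulnerable": sorted(lookup_vulnerable(conn, sqli_input)),  # every user
        "sqli_hardened": lookup_hardened(conn, sqli_input),              # no such user
        "xss_vulnerable": greet_vulnerable(xss_input),
        "xss_hardened": greet_hardened(xss_input),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The hardened lookup returns no rows because the whole string is compared as a name; the hardened greeting contains no tag characters. Note that `html.escape` is correct only for HTML text and attribute contexts; a value placed inside a script block or a URL needs the encoding for that context.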

Page 13: Program Languages and Program Analysis for Security

Eliminate Vulnerabilities

Script injection vulnerabilities in applications
Requires only minor browser modifications: an extension of the same-origin policy for JavaScript
No changes to the development process in most cases
Slight framework modification for apps built on top of a framework

Page 14: Program Languages and Program Analysis for Security

Encryption Mechanism

Encrypt data before sending it to untrusted sites
Manage encryption keys using keystores on the Web without user intervention

Page 15: Program Languages and Program Analysis for Security

Automated Solutions

Manual code reviews are time consuming and expensive
Use static source-code analysis
Precise alias analysis targeted at the unique reference semantics commonly found in scripting languages
The quality and quantity of the generated vulnerability reports is enhanced via a novel algorithm
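Why the slide stresses alias analysis for scripting-language reference semantics, as an added example (not the analysis the slide refers to): a taint analysis that tracks taint per storage location, with a union-find structure recording which variables share a location after a PHP-style `$b = &$a`. Run with aliasing switched off, the same analysis misses one vulnerability and raises a false alarm on another. The statement encoding and both sample programs are constructed for the example.

```python
"""Alias-aware taint analysis for scripting-language reference semantics."""
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, ...]


class Locations:
    """Union-find over variable names: variables in one set share a storage location."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, v: str) -> str:
        self.parent.setdefault(v, v)
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]   # path halving
            v = self.parent[v]
        return v

    def union(self, keep: str, absorb: str) -> None:
        """Merge absorb's set into keep's set; keep's representative survives."""
        rk, ra = self.find(keep), self.find(absorb)
        if rk != ra:
            self.parent[ra] = rk


def analyze(program: List[Stmt], alias_aware: bool = True) -> List[int]:
    """Indices of sink statements that can receive unsanitized untrusted data.

    Taint is a property of the storage location, so a write through any alias
    updates every alias. With alias_aware=False, `ref` is treated as a value
    copy, which is what an analysis written for value semantics would do."""
    locs = Locations()
    tainted: Set[str] = set()          # representatives of tainted locations
    findings: List[int] = []
    for i, stmt in enumerate(program):
        op = stmt[0]
        if op == "ref":                # ("ref", dst, src): $dst = &$src
            dst, src = stmt[1], stmt[2]
            if alias_aware:
                tainted.discard(locs.find(dst))   # dst abandons its old location
                locs.union(src, dst)              # and now shares src's location
            elif locs.find(src) in tainted:
                tainted.add(locs.find(dst))
        elif op == "taint":            # ("taint", var): $var = untrusted request input
            tainted.add(locs.find(stmt[1]))
        elif op == "copy":             # ("copy", dst, src): $dst = $src, by value
            dst, src = stmt[1], stmt[2]
            if locs.find(src) in tainted:
                tainted.add(locs.find(dst))
            else:
                tainted.discard(locs.find(dst))
        elif op == "sanitize":         # ("sanitize", var): $var = sanitize($var)
            tainted.discard(locs.find(stmt[1]))
        elif op == "sink":             # ("sink", var): $var reaches a query or the page
            if locs.find(stmt[1]) in tainted:
                findings.append(i)
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


# Constructed sample programs, PHP-like semantics written as tuples.
MISSED_WITHOUT_ALIASING = [
    ("ref", "b", "a"),      # $b = &$a
    ("taint", "a"),         # $a = $_GET['q']
    ("sink", "b"),          # query($b): tainted through the alias
]
FALSE_ALARM_WITHOUT_ALIASING = [
    ("taint", "a"),
    ("ref", "b", "a"),
    ("sanitize", "a"),      # sanitizing $a also cleans $b: same location
    ("sink", "b"),
]


def demo() -> Dict[str, List[int]]:
    return {
        "missed/alias_aware": analyze(MISSED_WITHOUT_ALIASING, True),
        "missed/naive": analyze(MISSED_WITHOUT_ALIASING, False),
        "false_alarm/alias_aware": analyze(FALSE_ALARM_WITHOUT_ALIASING, True),
        "false_alarm/naive": analyze(FALSE_ALARM_WITHOUT_ALIASING, False),
    }
```

The second program is the "quality of reports" half of the slide: an analysis that cannot see that `$a` and `$b` are one location keeps reporting the sink after the data has been sanitized.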

Page 16: Program Languages and Program Analysis for Security

(Agenda slide, repeated from Page 2)

Page 17: Program Languages and Program Analysis for Security

Type Systems

Mechanism for efficiently checking that information flows within a program are secure
Conservative, often rejecting safe programs
Users have to decide

Page 18: Program Languages and Program Analysis for Security

Remedy

Method for automatically finding witnesses of insecure information flow
Reports the exact input states that lead to leakage of secret information
Combination of type-based analysis and model checking

Page 19: Program Languages and Program Analysis for Security

Fixing Existing Programs

Adding a sound information-flow security policy to an existing program is a difficult task
Requires major code inspection, program analysis, and structural changes to the code

Page 20: Program Languages and Program Analysis for Security

Refactoring Programs

Refactor programs into distinct components of high and low security
Aids in the production of programs with sound information-flow policies
Programs without information-flow
A program slicer is used to identify code that depends on high-security inputs
Controlled information releases can occur at explicit declassification points
Results in a program with explicit interfaces between components of different security levels
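The slicing step of this slide, as an added example (not the authors' tool): a forward slice from the high-security inputs over a straight-line, single-assignment program collects every statement that depends on secret data; those statements form the high component, the rest the low component, and the declassification points are the only variables crossing between them. The statement representation, the sample program and the assumption that the average is an approved release are all constructed for the example.

```python
"""Partitioning a program into high- and low-security components with a forward slice."""
from typing import Dict, List, NamedTuple, Set, Tuple


class Stmt(NamedTuple):
    target: str
    uses: Set[str]
    declassify: bool = False    # an explicit, policy-approved declassification point


def slice_from_high(program: List[Stmt], high_inputs: Set[str]) -> Set[int]:
    """Indices of statements that depend on a high input, following data
    dependences through a straight-line, single-assignment program. A
    declassification point depends on high data itself, but its result is
    treated as low afterwards, so dependence does not propagate past it."""
    high_vars = set(high_inputs)
    sliced: Set[int] = set()
    for i, s in enumerate(program):
        if s.uses & high_vars:
            sliced.add(i)
            if not s.declassify:
                high_vars.add(s.target)
    return sliced


def partition(program: List[Stmt], high_inputs: Set[str]
              ) -> Tuple[List[Stmt], List[Stmt], List[str]]:
    """Return (high component, low component, interface variables). The interface is
    exactly the set of declassified results: every other high-dependent value stays
    inside the high component, which is what 'explicit interfaces' means here."""
    high_idx = slice_from_high(program, high_inputs)
    high = [s for i, s in enumerate(program) if i in high_idx]
    low = [s for i, s in enumerate(program) if i not in high_idx]
    interface = [s.target for s in high if s.declassify]
    return high, low, interface


# Constructed sample: two salaries are secret; the policy permits releasing their average.
PROGRAM = [
    Stmt("title", set()),                                 # constant string
    Stmt("count", set()),                                 # constant 2
    Stmt("total", {"salary_a", "salary_b"}),
    Stmt("avg", {"total", "count"}, declassify=True),     # approved release point
    Stmt("report", {"avg", "title"}),
]
HIGH_INPUTS = {"salary_a", "salary_b"}


def demo() -> Dict[str, Tuple[List[str], List[str], List[str]]]:
    """Component membership by target name, with and without the declassification point."""
    result = {}
    for name, prog in (("with_release", PROGRAM),
                       ("no_release", [s._replace(declassify=False) for s in PROGRAM])):
        high, low, interface = partition(prog, HIGH_INPUTS)
        result[name] = ([s.target for s in high], [s.target for s in low], interface)
    return result
```

Without the declassification point the report itself lands in the high component and the interface is empty: nothing derived from the salaries may reach low code, which is the conservative but sound default the refactoring starts from.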

Page 21: Program Languages and Program Analysis for Security

Efficient Algorithm

Algorithms can be developed for information-flow analysis expressed using a type system
The algorithm can check whether the program is well typed, and that no information of higher security classes flows into places of lower security classes, according to a lattice of security classes
The analysis is expressed as a set of Datalog-like rules based on the typing and subtyping rules
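One block serves Pages 7, 17, 18 and 21, as an added example (not JIF, and not the authors' algorithms): a type checker over a two-point lattice (low ⊑ high) for a tiny imperative language, with the typing rules written as plain Python functions rather than Datalog, beside a bounded model check that enumerates input states to find a witness pair. The language, the label assignment and the four sample programs are constructed for the example. The third program is the Page 17 case: both branches assign the same constant, so no secret is leaked and the witness search finds nothing, yet the type system rejects it.

```python
"""Information-flow typing over a two-point lattice, plus witness search by enumeration."""
from itertools import product
from typing import Dict, List, Optional, Tuple

Env = Dict[str, int]
# Statements of a tiny imperative language (constructed for this example):
#   ("assign", target, uses, fn)                      target := fn(env); fn reads only `uses`
#   ("if", cond_uses, cond_fn, then_body, else_body)
Stmt = tuple

LATTICE = {"low": 0, "high": 1}     # low ⊑ high


def leq(a: str, b: str) -> bool:
    return LATTICE[a] <= LATTICE[b]


def join(a: str, b: str) -> str:
    return a if LATTICE[a] >= LATTICE[b] else b


def typecheck(stmts: List[Stmt], labels: Dict[str, str], pc: str = "low") -> List[str]:
    """Return the list of violations. The rules, in prose:
      label(expr)  = join of the labels of the variables it reads
      assignment   is well typed iff  pc ⊔ label(expr) ⊑ label(target)
      conditional  checks both branches under pc ⊔ label(condition)  (implicit flows)"""
    errors: List[str] = []
    for s in stmts:
        if s[0] == "assign":
            _, target, uses, _ = s
            lvl = pc
            for v in uses:
                lvl = join(lvl, labels[v])
            if not leq(lvl, labels[target]):
                errors.append(f"{lvl} information flows into {labels[target]} variable {target}")
        else:
            _, cond_uses, _, then_body, else_body = s
            branch_pc = pc
            for v in cond_uses:
                branch_pc = join(branch_pc, labels[v])
            errors += typecheck(then_body, labels, branch_pc)
            errors += typecheck(else_body, labels, branch_pc)
    return errors


def execute(stmts: List[Stmt], env: Env) -> Env:
    """Concrete semantics, used by the witness search."""
    env = dict(env)
    for s in stmts:
        if s[0] == "assign":
            env[s[1]] = s[3](env)
        else:
            env = execute(s[3] if s[2](env) else s[4], env)
    return env


def find_witness(stmts: List[Stmt], labels: Dict[str, str],
                 domain: Tuple[int, ...]) -> Optional[Tuple[Env, Env]]:
    """Bounded model check of noninterference: enumerate all input states over
    `domain`; return two states that agree on every low variable but leave the
    low variables with different final values, or None if no such pair exists."""
    lows = sorted(v for v in labels if labels[v] == "low")
    highs = sorted(v for v in labels if labels[v] == "high")
    for low_vals in product(domain, repeat=len(lows)):
        first: Optional[Tuple[Tuple[int, ...], Env]] = None
        for high_vals in product(domain, repeat=len(highs)):
            env = dict(zip(lows, low_vals), **dict(zip(highs, high_vals)))
            out = tuple(execute(stmts, env)[v] for v in lows)
            if first is None:
                first = (out, env)
            elif out != first[0]:
                return first[1], env
    return None


# Constructed sample programs over one secret h and one public l.
LABELS = {"h": "high", "l": "low"}
EXPLICIT_LEAK = [("assign", "l", ("h",), lambda e: e["h"])]
IMPLICIT_LEAK = [("if", ("h",), lambda e: e["h"] > 0,
                  [("assign", "l", (), lambda e: 1)],
                  [("assign", "l", (), lambda e: 0)])]
SAFE_BUT_REJECTED = [("if", ("h",), lambda e: e["h"] > 0,
                      [("assign", "l", (), lambda e: 1)],
                      [("assign", "l", (), lambda e: 1)])]   # both branches agree: no leak
UPWARD_FLOW = [("assign", "h", ("l",), lambda e: e["l"] + 1)]  # low into high is allowed
```

The witness returned for `IMPLICIT_LEAK` is a pair of input states with the same `l` and different `h` whose runs end with different `l`, which is the "exact input states" report of Page 18; for `SAFE_BUT_REJECTED` the checker reports two violations while the search returns `None`, and the user has to decide, as Page 17 puts it.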

Page 22: Program Languages and Program Analysis for Security

(Agenda slide, repeated from Page 2)

Page 23: Program Languages and Program Analysis for Security

Downgrading

The process of verifying and endorsing previously suspect information, and of declassifying originally confidential information
Must be done with care

Page 24: Program Languages and Program Analysis for Security

Trusted Declassification

Let the declassifying functions be set by the security administrator as part of the global policy
Declassification policies are a key part of language-based information security
Different approaches address different aspects: what, who, when, and where
All of these must be combined to avoid information laundering
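The policy structure of this slide, together with Page 12's requirement that released information be properly declassified, as an added example (not the authors' system): values carry a label, ordinary computation only ever raises it, a public sink refuses high data, and the single way down is `declassify`, which checks all four axes of an administrator-set global policy. The `Labeled`/`DeclassPolicy` types, the principal and site names, the payroll policy and the salary data are constructed for the example.

```python
"""Trusted declassification: downgrading only through the administrator's global policy."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


class DeclassificationError(Exception):
    """A downgrade was attempted outside the policy, or high data reached a public sink."""


@dataclass(frozen=True)
class Labeled:
    value: object
    label: str                  # "low" or "high"


def join(a: str, b: str) -> str:
    return "high" if "high" in (a, b) else "low"


def combine(x: Labeled, y: Labeled, op: Callable) -> Labeled:
    """Ordinary computation never lowers a label: the result carries the join."""
    return Labeled(op(x.value, y.value), join(x.label, y.label))


@dataclass
class DeclassPolicy:
    """Hypothetical global policy set by the security administrator (constructed here)."""
    who: FrozenSet[str]                            # principals allowed to declassify
    what: Dict[str, Callable[[object], object]]    # approved declassifier functions, by name
    where: FrozenSet[str]                          # program points where a call may appear
    when: Callable[[], bool]                       # temporal condition, e.g. after a release date


def declassify(policy: DeclassPolicy, principal: str, site: str,
               fn_name: str, x: Labeled) -> Labeled:
    """The only operation that produces low data from high data. Every axis is
    checked: checking `what` alone would let any caller launder data through an
    approved function from any point in the program."""
    if principal not in policy.who:
        raise DeclassificationError(f"who: {principal} may not declassify")
    if fn_name not in policy.what:
        raise DeclassificationError(f"what: {fn_name} is not an approved declassifier")
    if site not in policy.where:
        raise DeclassificationError(f"where: {site} is not an approved declassification point")
    if not policy.when():
        raise DeclassificationError("when: release is not permitted at this time")
    return Labeled(policy.what[fn_name](x.value), "low")


def release(x: Labeled) -> object:
    """Public sink: only low data may leave (Page 12: verify released info is not private)."""
    if x.label != "low":
        raise DeclassificationError("release: high data reached a public sink undeclassified")
    return x.value


# Constructed sample policy and data: the payroll service may publish a team average,
# but only from the summarize step of the report module.
POLICY = DeclassPolicy(
    who=frozenset({"payroll_service"}),
    what={"team_average": lambda salaries: sum(salaries) / len(salaries)},
    where=frozenset({"report.summarize"}),
    when=lambda: True,
)
SALARIES = Labeled([5000, 7000, 6000], "high")


def attempt(principal: str, site: str, fn_name: str,
            x: Labeled = SALARIES, policy: DeclassPolicy = POLICY) -> object:
    """Release through the policy; on refusal return the policy axis that blocked it."""
    try:
        return release(declassify(policy, principal, site, fn_name, x))
    except DeclassificationError as e:
        return str(e).split(":")[0]


def release_or_block(x: Labeled) -> object:
    """Release directly, bypassing declassification; high data is refused."""
    try:
        return release(x)
    except DeclassificationError as e:
        return str(e).split(":")[0]
```

Each refused attempt names the axis that stopped it, which is also what a reviewer wants in an audit log: a release that passes `what` but fails `who` or `where` is the laundering pattern the slide warns about.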

Page 25: Program Languages and Program Analysis for Security

(Agenda slide, repeated from Page 2)

Page 26: Program Languages and Program Analysis for Security

Secure Code Development

To guarantee security over a software's lifecycle, it is essential to write secure code
Set of principles
A subset is implemented in an IDE for Jif (built on Eclipse)

Page 27: Program Languages and Program Analysis for Security

Conclusion

The ACM SIGPLAN workshop on Programming Languages and Analysis for Security (PLAS) has provided important work on privacy, security and programming languages
Has made progress in securing the entire software lifecycle: development and deployment; legacy and new code