gradual information flow typing
play

Gradual Information Flow Typing Tim Disney Cormac Flanagan - PowerPoint PPT Presentation

Jan 15, 2023 •275 likes •1.1k views

Gradual Information Flow Typing Tim Disney Cormac Flanagan University of California Santa Cruz January 29th, 2011 - STOP 2011 Combining gradual typing with information flow Gradual Information + Typing Flow = More secure software

  1. Gradual Information Flow Typing Tim Disney Cormac Flanagan University of California Santa Cruz January 29th, 2011 - STOP 2011

  2. Combining gradual typing with information flow Gradual Information + Typing Flow = More secure software

  3. Perfect world Security designed upfront

  4. Perfect world Security designed upfront vs. Broken world Security bolted on after the fact

  5. Requirements Design Implementation Verification Maintenance

  6. Finding security requirements upfront is often not economically feasible

  7. Perfect world Broken world

  8. Do not want Perfect world Broken world

  9. Does not exist Do not want Perfect world Broken world

  10. Real world Security evolves with program Does not exist Do not want Perfect world Broken world

  11. Information Flow Confidentiality: keeping sensitive data private & Integrity: protect against untrusted data

  12. Information Flow Confidentiality: keeping sensitive data private & Integrity: protect against untrusted data For this talk we focus on confidentiality

  13. Information Flow Labels H (private) L (public)

  14. Information Flow Labeled Values Labels H (private) 42 L 58,000 H “hello” L L (public)

  15. Gradual Typing Dynamically Statically typed program typed program Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

  16. Gradual Typing Dynamically Mixed Statically typed program static/dynamic typed program Program fail with blame Casts Dynamically Statically typed modules typed modules Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

  17. Gradual Typing Dynamically Statically Mixed typed program typed program static/dynamic Program fail with blame Casts Dynamically Statically typed modules typed modules Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

  18. No security Gradual Security checks Static Dynamic security types security checks

  19. No security Gradual Security checks Mixed static/ Static Dynamic dynamic security security types security checks Program fail with blame Casts Dynamic Static security modules security modules

  20. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks Program fail with blame Casts Dynamic Static security modules security modules

  21. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks rev 1 Program fail with blame Casts Dynamic Static security modules security modules

  22. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks rev 1 rev 2 Program fail with blame Casts Dynamic Static security modules security modules

  23. No security Gradual Security rev 0 checks Mixed static/ Static Dynamic dynamic security security types security checks rev 1 rev 2 rev 3 Program fail with blame Casts Dynamic Static security modules security modules

  24. A language for g radual i nformation f low

  25. The language Values (r): Labeled Values (v): 42 H , ( λ x : A. t ) L Types (a, b): Int , Bool , A → B Labeled Types (A, B): Int L , Bool L , ( A → B ) H

  26. The language Private types: Int H = { 0 L , 0 H , 1 L , 1 H , . . . } potentially private

  27. The language Private types: Int H = { 0 L , 0 H , 1 L , 1 H , . . . } potentially private Public types: Int L = { 0 L , 1 L , 2 L , . . . } definitely public

  28. The language Private types: Int H = { 0 L , 0 H , 1 L , 1 H , . . . } potentially private Public types: Int L = { 0 L , 1 L , 2 L , . . . } definitely public Subtypes

  29. The language Default labels are permissive

  30. The language Default labels are permissive 42 = 42 L

  31. The language Default labels are permissive 42 = 42 L Int = Int H

  32. The language Default labels are permissive 42 = 42 L Int = Int H

  33. The language Default labels are permissive 42 = 42 L Int = Int H

  34. Casting checks runtime labels t : A ⇒ p B Syntax similar to “Blame For All” by Ahmed et al.

  35. Casting checks runtime labels t : A ⇒ p B 42 L : Int H ⇒ p Int L 42 L Syntax similar to “Blame For All” by Ahmed et al.

  36. Casting checks runtime labels t : A ⇒ p B 42 L : Int H ⇒ p Int L 42 L 42 H : Int H ⇒ p Int L blame p Syntax similar to “Blame For All” by Ahmed et al.

  37. Higher-order casting: cast at fault ( fn ): ( Int L → Int H ) ⇒ p ( Int L → Int L ) wrap fn

  38. Higher-order casting: cast at fault ( fn ): ( Int L → Int H ) ⇒ p ( Int L → Int L ) wrap fn fn = λ x : Int L . x + 1 L ( wrap fn ) 42 L 43 L

  39. Higher-order casting: cast at fault ( fn ): ( Int L → Int H ) ⇒ p ( Int L → Int L ) wrap fn fn = λ x : Int L . x + 1 L ( wrap fn ) 42 L 43 L fn = λ x : Int L . x + 1 H cast blamed ( wrap fn ) 42 L blame p

  40. Higher-order casting: context at fault ( fn ): ( Int L → Int L ) ⇒ p ( Int H → Int L ) wrap fn

  41. Higher-order casting: context at fault ( fn ): ( Int L → Int L ) ⇒ p ( Int H → Int L ) wrap fn 24 L ( wrap fn ) 42 L

  42. Higher-order casting: context at fault ( fn ): ( Int L → Int L ) ⇒ p ( Int H → Int L ) wrap fn 24 L ( wrap fn ) 42 L ( wrap fn ) 42 H blame p context blamed

  43. Labeling adds runtime labels V (58000 L : Int L V Int H ) 58000 H

  44. Labeling adds runtime labels V (58000 L : Int L V Int H ) 58000 H disk read : ( Int L → Int L ) V ( Int L → Int H ) wrap fn

  45. Evolution Example

  46. Rev 0 (no security) let intToString : Int → Str = . . .

  47. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42

  48. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000 // confidential!

  49. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . .

  50. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary ))

  51. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Prints “58000”

  52. Rev 0 (no security) let intToString : Int → Str = . . . let age : Int = 42 // confidential! let salary : Int = 58000 let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Prints “58000”

  53. Add dynamic enforcement

  54. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary ))

  55. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary ))

  56. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Still prints “58000” H

  57. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . print ( intToString ( salary )) Still prints “58000” H

  58. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary ))

  59. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary ))

  60. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary )) Fails and blames p since Str H can’t be cast to Str L

  61. Rev 1 (dynamic enforcement) let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: Int L V Int H let print : Str → Unit = λ s : Str . . . . let s = ( s : Str H ⇒ p Str L ) in . . . print ( intToString ( salary )) Fails and blames p since Str H can’t be cast to Str L

  62. Add static enforcement

  63. Rev 2 (static enforcement) let intToString : Int H → Str H = . . . let age : Int L = 42 let salary : Int H = 58000: Int L V Int H let print : Str L → Unit L = λ s : Str L . . . . print ( intToString ( salary ))

  64. Rev 2 (static enforcement) let intToString : Int H → Str H = . . . let age : Int L = 42 let salary : Int H = 58000: Int L V Int H let print : Str L → Unit L = λ s : Str L . . . . print ( intToString ( salary )) intToString causes compile error

Recommend

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S.

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S.

Performance Evaluation for Gradual Typing Asumu Takikawa Daniel Feltey *Ben Greenman Max S. New Jan Vitek Matthias Felleisen 9 years of sound gradual typing Gradual Typing for Functional Languages, Jeremy Siek & Walid Taha. SFP '06

829 views • 41 slides
Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with

Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with

Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with Manish Vachharajani Overview Motivation Background Gradual Typing Unification-based inference Exploring the Solution Space Type

1.25k views • 83 slides
Is Sound Gradual Typing Dead? Asumu Takikawa Daniel Feltey Ben Greenman Max S. New Jan Vitek

Is Sound Gradual Typing Dead? Asumu Takikawa Daniel Feltey Ben Greenman Max S. New Jan Vitek

Is Sound Gradual Typing Dead? Asumu Takikawa Daniel Feltey Ben Greenman Max S. New Jan Vitek Matthias Felleisen Gradual typing thesis 1. People write untyped code 2. Static types help maintain software 3. Sound types can be added

754 views • 72 slides
The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana

The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana

The Recursive Union of Some Gradual Types Jeremy G. Siek Sam Tobin-Hochstadt Indiana University, Bloomington 1/ 24 Gradual Typing Goal: support the entire spectrum in one language. Program Dependent Static Dynamic Logics Types Typing

382 views • 24 slides
Gradual typing is morally incorrect; were all monsters now Timothy Jones and Michael Homer

Gradual typing is morally incorrect; were all monsters now Timothy Jones and Michael Homer

Gradual typing is morally incorrect; were all monsters now Timothy Jones and Michael Homer Victoria University of Wellington {tim,mwh}@ecs.vuw.ac.nz October 27, 2015 Introduction Meaning in the gradually typed world A type assertion

547 views • 43 slides
T Gradual typing for R Jan Vitek, Northeastern University Types enhance productivity The Iron

T Gradual typing for R Jan Vitek, Northeastern University Types enhance productivity The Iron

This is is not a type: T Gradual typing for R Jan Vitek, Northeastern University Types enhance productivity The Iron Rolling Mill by Adolf Menzel function ( x ) { var y = x ? 2 : Y if x y += ES else y += 40 return y } Types

779 views • 31 slides
Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School of Engineering and Computer Science Victoria University of Wellington What is Flow Typing? Defining characteristic : ability to retype variables JVM

534 views • 18 slides
A Gradual Typing Poem Sam Tobin-Hochstadt & Robby Finder 1 The Problem Write a function

A Gradual Typing Poem Sam Tobin-Hochstadt & Robby Finder 1 The Problem Write a function

A Gradual Typing Poem Sam Tobin-Hochstadt & Robby Finder 1 The Problem Write a function that accepts the specification of an infinite regular tree and turn it into a representation of the tree 2 The Problem Write a function that accepts

565 views • 37 slides
Typing and ML Typing and ML A name for a set of values and some operations which can be

Typing and ML Typing and ML A name for a set of values and some operations which can be

Typing Typing Typing and ML Typing and ML A name for a set of values and some operations which can be performed on that set of values. CSC324 A collection of computational entities that share some common property. Winter 2007

412 views • 9 slides
Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual

Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual

Gradual Python with Colored Local Type Inference Joe Angell April 29, 2009 Joe Angell Gradual Python with Colored Local Type Inference Motivation Python programmers use dynamic typing Lets type check what we can, and what the programmer

303 views • 11 slides
Consistent Subtyping for All Ningning Xie Xuan Bi Bruno C. d. S. Oliveira 16 April, 2018 The

Consistent Subtyping for All Ningning Xie Xuan Bi Bruno C. d. S. Oliveira 16 April, 2018 The

Consistent Subtyping for All Ningning Xie Xuan Bi Bruno C. d. S. Oliveira 16 April, 2018 The University of Hong Kong ESOP 2018, Thessaloniki, Greece 1 Gradual Typing 101 The key external feature of every gradual type system is the

853 views • 61 slides
Typing and ML Typing and ML Definition Program organization and documentation A name for a

Typing and ML Typing and ML Definition Program organization and documentation A name for a

Typing Typing Uses/Merits Uses/Merits Type errors Type errors Typing and ML Typing and ML Definition Program organization and documentation A name for a set of values and some operations A type error occurs when execution of

725 views • 5 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
COVID-19 INFORMATION PACKAGE: Gradual Return Beginning May 25, 2020 1 TABLE OF CONTENTS

COVID-19 INFORMATION PACKAGE: Gradual Return Beginning May 25, 2020 1 TABLE OF CONTENTS

COVID-19 INFORMATION PACKAGE: Gradual Return Beginning May 25, 2020 1 TABLE OF CONTENTS Introduction Priority Measures Passive screening Physical distancing Handwashing Other Mitigation Measures Non-medical / community masks

504 views • 26 slides
The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras

The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras

The effectiveness of gradual learning EN S EMBLE METH ODS IN P YTH ON Romn de las Heras Data Scientist, SAP / Agile Solutions Collective vs gradual learning Collective Learning Gradual Learning Principle: wisdom of the crowd Principle:

461 views • 23 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
numpy : Numerical Python "Duck'' typing makes Python slow Duck Typing If it looks like a

numpy : Numerical Python "Duck'' typing makes Python slow Duck Typing If it looks like a

numpy : Numerical Python "Duck'' typing makes Python slow Duck Typing If it looks like a duck, then it is a duck. a.k.a. dynamic typing Dynamic typing requires lots of metadata around a variable. Solution: numpy data structures Data

230 views • 8 slides
Typing and ML Typing and ML CSC324 Fall 2004 Sheila McIlraith Acknowledgement: The material

Typing and ML Typing and ML CSC324 Fall 2004 Sheila McIlraith Acknowledgement: The material

Typing and ML Typing and ML CSC324 Fall 2004 Sheila McIlraith Acknowledgement: The material in these notes is derived from a variety of sources, including: Elements of ML Programming (Ullman), Concepts in Programming Languages (Mitchell)

595 views • 36 slides
Typing and ML Typing and ML CSC324 Fall 2004 Sheila McIlraith Acknowledgement: The material

Typing and ML Typing and ML CSC324 Fall 2004 Sheila McIlraith Acknowledgement: The material

Typing and ML Typing and ML CSC324 Fall 2004 Sheila McIlraith Acknowledgement: The material in these notes is derived from a variety of sources, including: Elements of ML Programming (Ullman), Concepts in Programming Languages (Mitchell)

647 views • 26 slides
Recognize people by the way they type Typing Biometrics Authentication Cybercrime & identity

Recognize people by the way they type Typing Biometrics Authentication Cybercrime & identity

Typing Biometrics Authentication Recognize people by the way they type Typing Biometrics Authentication Cybercrime & identity theft 17 million victims $30 billion / year Typing Biometrics Authentication The way you type is unique Typing

143 views • 10 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual introduction) class List { Link head; void add(Data d) { Data Data head = new Link(head, d); } owner Iterator makeIterator() { return new

781 views • 38 slides
Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang Pennsylvania State University University Park, PA, USA {pzl129,zhang}@cse.psu.edu Background: Information Flow Analysis o Security enforcement to prevent

379 views • 24 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides

More recommend