language based methods for software security
play

Language-based methods for software security Gilles Barthe IMDEA - PowerPoint PPT Presentation

Mar 27, 2024 •292 likes •1.83k views

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2 Transfer rules P [ i ] = push n P [ i ] = binop op i st se ( i ) :: st i k 1 :: k 2 :: st ( k 1 k 2 ) :: st se ( i ) k

  1. Remarks on machine-checked proof We have used the Coq proof assistant to to formally define non-interference definition, to formally define an information type system, to mechanically proved that typability enforces non-interference, to program a type checker and prove it enforces typability, to extract an Ocaml implementation of this type checker. Structure of proofs Itermediate semantics simplifies the intermediate definition of 1 indistinguishability (call stacks), Second intermediate semantics : annotated semantics with result of 2 pre-analyses the pre-analyse checker enforces that both semantics correspond Implementation and correctness proof of the CDR checker 3 The information flow type system (and its corresponding type checker) 4 enforce non-interference wrt. the annotated semantics. About 20,000 lines of definitions and proofs, inc. 3000 lines to define the JVM semantics Gilles Barthe Language-based methods for software security

  2. Towards realistic applications Many features of missing to program realistic applications: declassification multi-threading flow sensitivity, polymorphism, etc Gilles Barthe Language-based methods for software security

  3. Declassification Baseline policies (i.e. non-interference) are too restrictive in practice. Declassification policies allow intentional information release. Main dimensions: what, where, who Gilles Barthe Language-based methods for software security

  4. Information release for JVM Goal is to define an information flow policy that: supports controlled release of information, that can be enforced e ffi ciently, with a modular proof of soundness , instantiable to bytecode can reuse machine-checked proofs Gilles Barthe Language-based methods for software security

  5. Policy setting Setting is heavily influenced by non-disclosure, but allows declassification of a variable rather than of a principal. Policy is local to each program point: modeled as an indexed family ( ∼ Γ [ i ] ) i ∈ P of relations on states each ∼ Γ [ i ] is symmetric and transitive monotonicity of equivalence Γ [ i ] � Γ [ j ] ∧ s ∼ Γ [ i ] t ⇒ s ∼ Γ [ j ] t (properties hold when relations are induced by the security level of variables) Gilles Barthe Language-based methods for software security

  6. Delimited non-disclosure P satisfies delimited non-disclosure (DND) i ff entry R entry , where R ⊆ P × P satisfies for every i , j ∈ P : if i R j then j R j ; if i R j then for all s i , t j and s ′ i ′ s.t. s i � s ′ i ′ ∧ s i ∼ Γ [ i ] t j ∧ safe ( t j ) there exists t ′ j ′ such that: t j � ⋆ t ′ j ′ ∧ i ′ R j ′ j ′ ∧ s ′ i ′ ∼ Γ [ entry ] t ′ Gilles Barthe Language-based methods for software security

  7. Local policies vs. declassify statements One could use a construction declassify ( e ) in { c } and compute local policies from program syntax: [ l 1 := 0 ] 1 ; declassify ( h ) in { [ l 2 := h ] 2 } ; [ l 3 := l 2 ] 3 yields Γ [ 1 ]( l 1 ) = Γ [ 1 ]( l 2 ) = Γ [ 1 ]( l 3 ) = L Γ [ 1 ]( h ) = H Γ [ 2 ]( l 1 ) = Γ [ 2 ]( l 2 ) = Γ [ 2 ]( l 3 ) = L Γ [ 2 ]( h ) = L Γ [ 3 ] = Γ [ 1 ] Gilles Barthe Language-based methods for software security

  8. Where is what? Declassification of expressions through fresh local variables: declassify ( h > 0 ) in { [ if ( h > 0 ) then { [ l := 0 ] 2 } ] 1 } becomes [ h ′ := h > 0 ] 1 ; declassify ( h ′ ) in { [ if ( h ′ ) then { [ l := 0 ] 3 } ] 2 } Gilles Barthe Language-based methods for software security

  9. DND type system Given a NI type system Γ , S , se ⊢ i ; think as a shorthand for ∃ s j . Γ [ i ] , S , se ⊢ S ( i ) ⇒ s j ∧ s j � S ( j ) Define a DND type system ( Γ [ j ]) j ∈ P , S , se ⊢ i as Γ [ i ] , S , se ⊢ i (Note: not so easy for source languages) Program P is typable w.r.t. policy ( Γ [ j ]) j ∈ P and type S i ff for all i Γ [ i ] , S , se ⊢ i Soundness If ( Γ [ j ]) j ∈ P , S , se ⊢ P then P satisfies DND. Policies must respect no creep up, ie Γ [ i ]( x ) � Γ [ entry ]( x ) Gilles Barthe Language-based methods for software security

  10. Unwinding + Progress Unwinding: if Γ , S ⊢ NI i then ( s i ∼ Γ t i ∧ s i � s ′ i ′ ∧ t i � t ′ j ′ ) ⇒ s ′ i ′ ∼ Γ t ′ j ′ Progress: if i is not an exit point and safe ( s i ) then there exists t s.t. s i � t  ( Γ [ i ]) i ∈ P , S ⊢ DND P   s i ∼ Γ [ i ] t i  ⇒ ∃ t ′ j ′ . t i � t ′ j ′ ∧ s ′ i ′ ∼ Γ [ entry ] t ′ s i � s ′ j ′ i ′   safe ( t i )  Gilles Barthe Language-based methods for software security

  11. High branches Unwinding: if Γ , S ⊢ NI i and H � se ( i ) then ( s i ∼ Γ t j ∧ s i � s ′ i ′ ) ⇒ s ′ i ′ ∼ Γ t j Exit from high loops: if i is a high branching point, then jun ( i ) is defined all executions entering region ( i ) exit the region at jun ( i ) No declassify in high context H � se ( i ) , se ( j ) ∧ i �→ j ⇒ Γ [ i ]( x ) = Γ [ j ]( x )  ( Γ [ i ]) i ∈ P , S ⊢ DND P   i high branching  jun ( i ) . s j � ⋆ s ′ ∃ s ′ jun ( i ) ∧ s j ∼ Γ [ entry ] s ′ jun ( i ) j ∈ region ( i )   safe ( s j )  Gilles Barthe Language-based methods for software security

  12. Bisimulation i , j ∈ region ( k ) ∪ { jun ( k ) } j B i se ( k ) = H i B i i B j i B j If i , j ∈ region ( k ) for some k s.t. H � se ( k ) . Assume s i ∼ Γ [ i ] t j , and s i � s ′ i ′ . Choose t ′ = t . By unwinding and monotonicity, s ′ i ′ ∼ Γ [ entry ] t j . By exit through junction, either i ′ ∈ region ( k ) or i ′ = jun ( k ) . If j ∈ region ( k ) and i = jun ( k ) for some k s.t. H � se ( k ) . . . . Gilles Barthe Language-based methods for software security

  13. Laundering attacks [ h := h ′ ] 1 ; declassify ( h ) in { [ l := h ] 2 } Such programs are insecure w.r.t. policies such as localized delimited release. It is possible to define a simple e ff ect system that prevents laundering attacks: judgments are of the form ⊢ LA c : U , V U is the set of assigned variables V is the set of declassified variables Gilles Barthe Language-based methods for software security

  14. Concurrency Mobile code applications often exploit concurrency Concurrent execution of secure sequential programs is not necessarily secure: if ( h > 0 ) { skip ; skip }{ skip } ; l := 1 || skip ; skip ; l := 2 Security of multi-threaded programs can be achieved: by imposing strong security conditions on programs by relying on secure schedulers Gilles Barthe Language-based methods for software security

  15. Secure schedulers A secure scheduler selects the thread to be executed in function of the security environment: the thread pool is partitioned into low, high, and hidden threads if a thread is currently executing a high branch, then only high threads are scheduled if the program counter of the last executed thread becomes high (resp. low), then the thread becomes hidden or high (resp. low) the choice of a low thread only depends on low history Round-robin schedulers are secure, provided they take over control when threads become high / low / hidden Gilles Barthe Language-based methods for software security

  16. Multi-threaded language New instruction start i States � � ρ , λ � � where λ associates to each active thread a pair � � i , s � � . Semantics s , h � s ′ : h is an history implicitly parameterized by scheduler (modeled as function pickt from states and histories to threads) and security environment most rules inherited from sequential fragment pickt ( � � ρ , λ � � , h ) = ctid pickt ( � � ρ , λ � � , h ) = ctid λ ( ctid ) = � � i , s � � λ ( ctid ) = � � i , s � � P [ i ] = start pc P [ i ] � start k ntid fresh � i ′ , ρ ′ , s ′ � � � i , ρ , s � � � seq � � � ρ ′ , λ ′ � � � ρ , λ � � , h � � � � ρ ′ , λ ′ � � � ρ , λ � � , h � � � where � � where � pc , ǫ � � if tid = ntid λ ′ ( tid ) = � � λ ( tid ) � i ′ , s ′ � otherwise � if tid = ctid λ ′ ( tid ) = λ ( tid ) otherwise Gilles Barthe Language-based methods for software security

  17. Policy and type system Policy is similar to sequential fragment Transfer rules inherited from sequential fragment i ⊢ seq st ⇒ st ′ P [ i ] � start j P [ i ] = start j se ( i ) � se ( j ) i ⊢ st ⇒ st ′ i ⊢ st ⇒ st Type system similar to sequential fragment. As in bytecode verification, each thread is verified in isolation. If P [ i ] = start j we do not have i �→ j Assume the scheduler is secure, type soundness can be lifted from sequential language Gilles Barthe Language-based methods for software security

  18. Type-preserving compilation Source type systems o ff er tools for developing safe / secure applications, but does not directly address mobile code Bytecode verifiers provides safety / security assurance to users Relating both type systems ensure: applications can be deployed in a mobile code architecture that delivers the promises of the source type system enhanced safety / security architecture can benefit from tools for developing applications that meet the policy it enforces Gilles Barthe Language-based methods for software security

  19. Compiler correctness The compiler is semantics-preserving (terminating runs, input / output behavior) P , µ ⇓ ν , v ⇒ [ [ P ] ] , µ ⇓ ν , v Thus source programs satisfy an input / output property i ff their compilation does ∀ P , φ , ψ , µ , ν , v . ( φ ( µ ) ⇒ P , µ ⇓ ν , v ⇒ ψ ( µ , ν , v )) ⇒ ( φ ( µ ) ⇒ [ [ P ] ] , µ ⇓ ν , v ⇒ ψ ( µ , ν , v )) But are typable programs compiled into typable programs? ∀ P , ⊢ P = ⇒ ∃ S . S , ⊢ [ [ P ] ] Yes for JVM typing, no in general Gilles Barthe Language-based methods for software security

  20. Loss of information Using the sign abstraction x := 1; y := x − x yields y = zero Solutions: But push 1 Change lattice store x Decompile expressions load x load x op − store y yields y = ⊤ Gilles Barthe Language-based methods for software security

  21. Source language: While A program is a command: commands c ::= x := e assignment | if ( e ) { c }{ c } conditional | while ( e ) { c } loop | c ; c sequence | skip skip | return e return value Semantics is standard: States are pairs � � c , ρ � � � c ′ , ρ ′ � Small-step semantics � � c , ρ � � � � � or � � c , ρ � � � � � ν , v � � � i ff c , µ � ⋆ � Evaluation semantics c , µ ⇓ � � ν , v � � ν , v � � Gilles Barthe Language-based methods for software security

  22. Information flow type system Security policy Γ : X → S and k ret Volpano-Smith security type system [ k ] ⊢ c ′ k ⊔ pc � Γ ( x ) e : k [ k ] ⊢ c [ pc ] ⊢ c ; c ′ [ pc ] ⊢ x := e e : k [ k ] ⊢ c 1 [ k ] ⊢ c 2 e : k [ k ] ⊢ c [ pc ] ⊢ if ( e ) { c 1 }{ c 2 } [ pc ] ⊢ while ( e ) { c } e : k k ⊔ pc � k ret [ pc ] ⊢ return e [ pc ] ⊢ skip plus subtyping rules pc ′ � pc [ pc ] ⊢ c k � k ′ e : k [ pc ′ ] ⊢ c ′ e : k ′ Gilles Barthe Language-based methods for software security

  23. Compiling statements [ [ x ] ] = load x [ [ v ] ] = push v [ [ e 1 op e 2 ] ] = [ [ e 2 ] ] ; [ [ e 1 ] ] ; binop op k :[ [ x := e ] ] = [ [ e ] ] ; store x k :[ [ i 1 ; i 2 ] ] = k :[ [ i 1 ] ] ; k 2 :[ [ i 2 ] ] where k 2 = k + | [ [ i 1 ] ] | k :[ [ return e ] ] = [ [ e ] ] ; return k :[ [ if ( e 1 cmp e 2 ) { i 1 }{ i 2 } ] ] = [ [ e 2 ] ] ; [ [ e 1 ] ] ; if cmp k 2 ; k 1 :[ [ i 1 ] ] ; goto l ; k 2 :[ [ i 2 ] ] where k 1 = k + | [ [ e 2 ] ] | + | [ [ e 1 ] ] | + 1 k 2 = k 1 + | [ [ i 1 ] ] | + 1 l = k 2 + | [ [ i 2 ] ] | k :[ [ while ( e 1 cmp e 2 ) { i } ] ] = [ [ e 2 ] ] ; [ [ e 1 ] ] ; if cmp k 2 ; k 1 :[ [ i ] ] ; goto k = k + | [ [ e 2 ] ] | + | [ [ e 1 ] ] | + 1 where k 1 k 2 = k 1 + | [ [ i ] ] | + 1 Gilles Barthe Language-based methods for software security

  24. Compiling control dependence regions i i region(i) region(i) junc(i) junc(i) Gilles Barthe Language-based methods for software security

  25. Compiling security environment load y H L if 6 L push 1 H ∈ region ( 2 ) store x H ∈ region ( 2 ) ∈ region ( 2 ) if ( y H ) { x := 1 }{ x := 2 } ; goto 8 H x ′ := 3; ∈ region ( 2 ) push 2 H ∈ region ( 2 ) return 2 store x H push 3 L jun ( 2 ) store x ′ L push 2 L return L Gilles Barthe Language-based methods for software security

  26. Preservation of information flow types If P is typable, then the extended compiler generates security environment, regions, and stack types at junction points, such that: regions satisfy SOAP and can be checked by region checker [ [ P ] ] can be verified by lightweight checker The result also applies to concurrency (using naive rule for parallel composition) declassification Gilles Barthe Language-based methods for software security

  27. Motivation: source code verification Traditional PCC Source Program Compiler Compiled Execution Program VCGen VCGen Verification Verification Conditions Conditions Proof Prover Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  28. Motivation: source code verification Source Code Verification Source Program Compiler Compiled Execution Program VCGen VCGen Verification Verification Conditions Conditions Proof Prover Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  29. Motivation: source code verification Certificate Translation Source Program Compiler Compiled Execution Program VCGen VCGen Verification Certificate Verification Translator Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  30. Certificate translation vs certifying compilation Source Compiler Compiled Execution Source Compiler Compiled Execution Program Program Program Program VCGen VCGen VCGen VCGen Verification Verification Verification Certificate Verification Translator Conditions Conditions Conditions Conditions Proof Proof Prover Certificate OK Prover Certificate Certificate OK Checker Checker Conventional PCC Certificate Translation Automatically in- Specification Interactive ferred invariants Automatic certifying Interactive source Verification compiler verification Complex func- Safety Properties tional properties Gilles Barthe Language-based methods for software security

  31. Certificate translation vs certified compilation Certified compilation aims at producing a proof term H such that H : ∀ P µ ν , P , µ ⇓ ν = ⇒ [ ] , µ ⇓ ν [ P ] Thus, we can build a proof term H ′ : { φ } [ [ P ] ] { ψ } from H and H 0 : { φ } P { ψ } Source Compiler Compiled Execution Program Program Compilation Proof OK Checker Certificate Producer Consumer * encapsulating compiler definition * limited to input output properties source program must be available Gilles Barthe Language-based methods for software security

  32. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  33. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  34. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  35. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  36. Program Specification Assertions: formulae attached to a program point, { pre } characterizing the set of execution states at that point. ins 1 Instructions are possibly annotated : { ϕ 1 } ins 2 Possibly annotated instructions . . . ins ::= ins | � ϕ , ins � { ϕ 2 } A partially annotated program is a triple � P , Φ , Ψ � s.t. ins k Φ is a precondition and Ψ is a postcondition { post } P is a sequence of possibly annotated instructions Gilles Barthe Language-based methods for software security

  37. Building a certificate Certification of annotated programs is performed in three steps A verification condition generator fully annotates the program, 1 and extracts a set of verification conditions (a.k.a. proof obligations) verification conditions are discharged interactively 2 a certificate is built from proofs of verification conditions 3 Specification + Program Theorem Prover VCGen Proof Obligations Certificate Gilles Barthe Language-based methods for software security

  38. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Gilles Barthe Language-based methods for software security

  39. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Gilles Barthe Language-based methods for software security

  40. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Gilles Barthe Language-based methods for software security

  41. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  42. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  43. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  44. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  45. Weakest precondition calculus Computes an assertion for a given program node only if the corresponding assertion has been already computed for all successor nodes Su ffi ciently annotated program All infinite paths must go through an annotated program point Weakest precondition wp L ( k ) of program point k wp L ( k ) = φ if P [ k ] = � φ , i � wp L ( k ) = wp i ( k ) otherwise Gilles Barthe Language-based methods for software security

  46. Assertions Annotations do not refer to stacks Intermediate assertions may do so Gilles Barthe Language-based methods for software security

  47. Assertions Annotations do not refer to stacks Intermediate assertions may do so Gilles Barthe Language-based methods for software security

  48. Assertions Annotations do not refer to stacks Intermediate assertions may do so { true } push 5 store x { x = 5 } Gilles Barthe Language-based methods for software security

  49. Assertions Annotations do not refer to stacks Intermediate assertions may do so { true } push 5 store x os [ ⊤ ] = 5 { x = 5 } Gilles Barthe Language-based methods for software security

  50. Assertions Annotations do not refer to stacks Intermediate assertions may do so { true } push 5 5 = 5 store x os [ ⊤ ] = 5 { x = 5 } Gilles Barthe Language-based methods for software security

  51. Assertions Annotations do not refer to stacks Intermediate assertions may do so Stack indices ⊤ | ⊤ − i k ::= { true } Expressions push 5 5 = 5 store x os [ ⊤ ] = 5 res | x ⋆ | x | c | e op e | os [ k ] e ::= { x = 5 } Assertions φ ::= e cmp e | ¬ φ | φ ∧ φ | φ ∨ φ | φ ⇒ φ ∀ x . φ | ∃ x . φ Gilles Barthe Language-based methods for software security

  52. Weakest precondition if P [ k ] = push n then wp i ( k ) = wp L ( k + 1 )[ n / os [ ⊤ ] , ⊤ / ⊤ − 1 ] if P [ k ] = binop op then wp i ( k ) = wp L ( k + 1 )[ os ( ⊤ − 1 ) op os [ ⊤ ] / os [ ⊤ ] , ⊤ − 1 / ⊤ ] if P [ k ] = load x then wp i ( k ) = wp L ( k + 1 )[ x / os [ ⊤ ] , ⊤ / ⊤ − 1 ] if P [ k ] = store x then wp i ( k ) = wp L ( k + 1 )[ os [ ⊤ ] / x , ⊤ − 1 / ⊤ ] if P [ k ] = if cmp l then wp i ( k ) = ( os [ ⊤ − 1 ] cmp os [ ⊤ ] ⇒ wp L ( k + 1 )[ ⊤ − 2 / ⊤ ]) ∧ ( ¬ ( os [ ⊤ − 1 ] cmp os [ ⊤ ]) ⇒ wp L ( l )[ ⊤ − 2 / ⊤ ]) if P [ k ] = goto l then wp i ( k ) = wp L ( l ) if P [ k ] = return then wp i ( k ) = Ψ [ os [ ⊤ ] / res ] Gilles Barthe Language-based methods for software security

  53. Verification conditions Proof obligations PO ( P , Φ , Ψ ) Precondition implies the weakest precondition of entry point: Φ ⇒ wp L ( 1 ) For all annotated program points ( P [ k ] = � ϕ , i � ), the annotation ϕ implies the weakest precondition of the instruction at k : ϕ ⇒ wp i ( k ) An annotated program is correct if its verification conditions are valid. Gilles Barthe Language-based methods for software security

  54. Soundness Define validity of assertions: s | = φ µ , s | = φ (shorthand µ , ν | = φ if φ does not contain stack indices) If ( P , Φ , Ψ ) is correct, and P , µ ⇓ ν , v µ | = Φ then µ , ν | = Ψ [ v / res ] Furthermore, all intermediate assertions are verified Proof idea: if s � s ′ and s · pc = k and s ′ · pc = k ′ , µ , s ′ | = wp L ( k ′ ) µ , s | = wp i ( k ) = ⇒ Gilles Barthe Language-based methods for software security

  55. Source language Same assertions, without stack expressions Annotated programs ( P , Φ , Ψ ) , with all loops annotated while I ( t ) { s } Weakest precondition wp S ( skip , post ) = post, ∅ wp S ( x := e , post ) = post [ e / x ] , ∅ wp S ( i t , post ) = φ t , θ t wp S ( i f , post ) = φ f , θ f wp S ( if ( t ) { i t }{ i f } , post ) = ( t ⇒ φ t ) ∧ ( ¬ t ⇒ φ t ) , θ t ∪ θ f wp S ( i , I ) = φ , θ wp S ( while I ( t ) { i } , post ) = I , { I ⇒ (( t ⇒ φ ) ∧ ( ¬ t ⇒ post )) } ∪ θ wp S ( i 2 , post ) = φ 2 , θ 2 wp S ( i 1 , φ 2 ) = φ 1 , θ 1 wp S ( i 1 ; i 2 , post ) = φ 1 , θ 1 ∪ θ 2 Gilles Barthe Language-based methods for software security

  56. Preservation of proof obligations Non-optimizing compiler Syntactically equal proof obligations PO ( P , φ , ψ ) = PO ([ [ P ] ] , φ , ψ ) Non−optimizing Source Program Compiled Execution Compiler Program VCGen VCGen Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Gilles Barthe Language-based methods for software security

  57. PPO: from (sequential) Java to JVM We prove PPO for idealized, sequential fragments of Java and the JVM Java vs JVM Verification methods for Java programs Statement language must address known issues with objects, (obviously) methods, exceptions. Naming convention We use standard techniques: pre- and Basic types (exceptional) post-conditions, behavioral Compiler does simple subtyping optimizations Gilles Barthe Language-based methods for software security

  58. Implementing a proof transforming compiler (work by J. Charles and H. Lehner, using Mobius verification infrastructure) Reflective Proof Carrying Code Programmed and formally verified a the verification condition generator against reference specification of sequential JVM We have built a proof transforming compiler that generates for each annotated program a prelude and a set of VCs prove equivalence between source VCs and bytecode VCs Lemma vc_equiv: vc_source <-> vc_bytecode. Java Source, ESC/Java2 Frontend, ESC/Java2 AST, Source Verification Code Specs (JML) Conditions (Coq) JML to FOL Transl. FOL Annotations VCGen Bicolano (Coq) javac Equivalence FOL Annotations (Coq) Bytecode Verification Java Bytecode Bico+ VCGen (Coq) Conditions (Coq) Gilles Barthe Language-based methods for software security

  59. The main tactic Ltac magickal := repeat match goal with | [ |- forall lv: LocalVar.t, _ ] =>let lv := fresh "lv" in intro lv; mklvget lv 0%N | [ H: forall lv: LocalVar.t, _ |- _ ] => mklvupd MDom.LocalVar.empty 0%N | [ |- forall os: OperandStack.t, _ ] => intro | [ H: forall os: OperandStack.t, _ |- _ ] => let H’ := fresh "H" in (assert (H’ := H OperandStack.empty); clear H) | [ H : forall y: Heap.t, _ |- forall x: Heap.t, _] => let x := fresh "h" in (intro x; let H1 := fresh "H" in (assert (H1 := H x); clear H; try (clear x))) | [ H : forall y: Int.t, _ |- forall x: Int.t, _] => let x := fresh "i" in (intro x; let H1 := fresh "H" in (assert (H1 := H x); clear H; try (clear x))) | [ H : _ -> _ |- _ -> _] => let A := fresh "H" in (intros A; let H1 := fresh "H" in (assert (H1 := H A); clear H; clear A)) | [ H : _ /\ _ |- _ /\ _] =>let A := fresh "H" in let B := fresh "H" in (destruct H as (A, B); split; [clear B | clear A]) end. Gilles Barthe Language-based methods for software security

  60. Optimizing Compilers Non−optimizing Source Program Compiled Execution Compiler Program VCGen VCGen Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Proofs obligations might not be preserved annotations might need to be modified (e.g. constant propagation) certificates for analyzers might be needed (certifying analyzer) analyses might need to be modified (e.g. dead variable elimination) Gilles Barthe Language-based methods for software security

  61. Optimizing Compilers Non−optimizing Source Program Optimized Execution Compiler Program VCGen VCGen Compiled Optimizer Program Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Proofs obligations might not be preserved annotations might need to be modified (e.g. constant propagation) certificates for analyzers might be needed (certifying analyzer) analyses might need to be modified (e.g. dead variable elimination) Gilles Barthe Language-based methods for software security

  62. Optimizing Compilers Non−optimizing Source Program Optimized Execution Compiler Program VCGen VCGen Compiled Optimizer Program Preservation of Verification Verification Proof Obligations Conditions Conditions Proof Prover Certificate Certificate OK Checker Producer Consumer Proofs obligations might not be preserved annotations might need to be modified (e.g. constant propagation) certificates for analyzers might be needed (certifying analyzer) analyses might need to be modified (e.g. dead variable elimination) Gilles Barthe Language-based methods for software security

  63. Certificate Translation with Certifying Analyzers Specification of f A ( RES A ) Optimizing Certifying Analyzer Compiler Analyzer Optimized Program f Program ¯ f Specification of f TCB Interactive Verification VC Gen Certificate for f Certificate for f A Certificate Translator Proof Checker Certificate for ¯ f Gilles Barthe Language-based methods for software security

  64. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  65. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  66. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  67. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  68. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  69. Motivating example { j = 0 } Program { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } + i := 0; Specification { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) Weakest { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } Precondition i := c + i (no fixpoint to compute) { x ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } Fully Annotated endwhile ; Program { n ∗ b � j } Gilles Barthe Language-based methods for software security

  70. Motivating example { j = 0 } { j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 } i := 0; { j = ( b + i ) ∗ i ∧ b � ( b + i ) ∧ 0 � i } x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) { x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i j := x ∗ i ; endwhile ; { n ∗ b � j } Set of Proof Obligations: j = 0 ⇒ j = ( b + 0 ) ∗ 0 ∧ b � ( b + 0 ) ∧ 0 � 0 j = x ∗ i ∧ b � x ∧ 0 � i ∧ i � n ⇒ x ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j Gilles Barthe Language-based methods for software security

  71. Constant propagation analysis { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b + i ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  72. Program transformation { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := x ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  73. Program transformation { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  74. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  75. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  76. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  77. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  78. WP Computation of optimized program { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } ( i , 0 ) → x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } ( x , b ) → i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } ( x , b ) → j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Gilles Barthe Language-based methods for software security

  79. Proof Obligations { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Proof Obligations: j = 0 ⇒ j = b ∗ 0 ∧ b � b ∧ 0 � 0 1 j = x ∗ i ∧ b � x ∧ 0 � i ∧ i � n 2 ⇒ b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j 3 Gilles Barthe Language-based methods for software security

  80. Proof Obligations { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i } while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Proof Obligations: j = 0 ⇒ j = b ∗ 0 ∧ b � b ∧ 0 � 0 1 j = x ∗ i ∧ b � x ∧ 0 � i ∧ i � n Unprovable 2 ⇒ b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i without knowing j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j 3 x = b Gilles Barthe Language-based methods for software security

  81. Proof Obligations { j = 0 } { j = b ∗ 0 ∧ b � b ∧ 0 � 0 } i := 0; { j = b ∗ i ∧ b � b ∧ 0 � i } x := b ; { Inv : j = x ∗ i ∧ b � x ∧ 0 � i ∧ x = b } while ( i ! = n ) { b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i } i := c + i { b ∗ i = x ∗ i ∧ b � x ∧ 0 � i } j := b ∗ i ; { j = x ∗ i ∧ b � x ∧ 0 � i } endwhile ; { n ∗ b � j } Proof Obligations: j = 0 ⇒ j = b ∗ 0 ∧ b � b ∧ 0 � 0 1 j = x ∗ i ∧ b � x ∧ 0 � i ∧ x = b ∧ i � n Solution: 2 ⇒ b ∗ ( c + i ) = x ∗ ( c + i ) ∧ b � x ∧ 0 � c + i strengthen annotations j = x ∗ i ∧ b � x ∧ 0 � i ∧ i = n ⇒ n ∗ b � j 3 Gilles Barthe Language-based methods for software security

  82. Strengthening annotations allows to verify proof obligations of original program but also introduces new proof obligations S 1 S 1 { ϕ 1 } { ϕ 1 ∧ ψ 1 } S 2 S 2 { ϕ 2 } { ϕ 2 ∧ ψ 2 } � S 3 S 3 { ϕ 3 } { ϕ 3 ∧ ψ 3 } ϕ 1 ⇒ wp ( S 1 , ϕ 2 ) ϕ 1 ∧ ψ 1 ⇒ wp ( S 1 , ϕ 2 ∧ ψ 2 ) ϕ 2 ⇒ wp ( S 2 , ϕ 3 ) ϕ 2 ∧ ψ 2 ⇒ wp ( S 2 , ϕ 3 ∧ ψ 3 ) If the analysis is correct, ψ 1 ⇒ wp ( S 1 , ψ 2 ) ψ 2 ⇒ wp ( S 2 , ψ 3 ) are valid proof obligations. Gilles Barthe Language-based methods for software security

  83. Strengthening annotations allows to verify proof obligations of original program but also introduces new proof obligations S 1 S 1 { ϕ 1 } { ϕ 1 ∧ ψ 1 } S 2 S 2 { ϕ 2 } { ϕ 2 ∧ ψ 2 } � S 3 S 3 { ϕ 3 } { ϕ 3 ∧ ψ 3 } ϕ 1 ⇒ wp ( S 1 , ϕ 2 ) ϕ 1 ∧ ψ 1 ⇒ wp ( S 1 , ϕ 2 ∧ ψ 2 ) ϕ 2 ⇒ wp ( S 2 , ϕ 3 ) ϕ 2 ∧ ψ 2 ⇒ wp ( S 2 , ϕ 3 ∧ ψ 3 ) If the analysis is correct, ψ 1 ⇒ wp ( S 1 , ψ 2 ) ψ 2 ⇒ wp ( S 2 , ψ 3 ) are valid proof obligations. Gilles Barthe Language-based methods for software security

  84. Strengthening annotations allows to verify proof obligations of original program but also introduces new proof obligations S 1 S 1 { ϕ 1 } { ϕ 1 ∧ ψ 1 } S 2 S 2 { ϕ 2 } { ϕ 2 ∧ ψ 2 } � S 3 S 3 { ϕ 3 } { ϕ 3 ∧ ψ 3 } ϕ 1 ⇒ wp ( S 1 , ϕ 2 ) ϕ 1 ∧ ψ 1 ⇒ wp ( S 1 , ϕ 2 ∧ ψ 2 ) ϕ 2 ⇒ wp ( S 2 , ϕ 3 ) ϕ 2 ∧ ψ 2 ⇒ wp ( S 2 , ϕ 3 ∧ ψ 3 ) If the analysis is correct, ψ 1 ⇒ wp ( S 1 , ψ 2 ) ψ 2 ⇒ wp ( S 2 , ψ 3 ) are valid proof obligations. Gilles Barthe Language-based methods for software security

Recommend

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 1

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 1

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 1 Motivation Mobile code is ubiquitous: large distributed networks of JVM devices aimed at providing a global and uniform access to services provide

1.52k views • 136 slides
Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based

Course outline: the four hours 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 1 Dimensions of

449 views • 30 slides
Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web

641 views • 30 slides
Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe

Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe

Event-based Methods for Security Protocols Federico Crazzolara C&amp;C Laboratories, NEC Europe (joint work with G. Winskel while at BRICS) DIMACS, July 8, 2003 Road map 1) Security Protocol Language (SPL) Transition vs.

591 views • 25 slides
Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security Control 4 Abstraction Imperfections OS: Each process has exclusive access to its own CPU and memory Illusion!! A process may be able to

429 views • 21 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a

Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a

Language-Based Information-Flow Security Presenter: Yiming Zhang Goal of this paper? This is a survey paper that studies the research on information-flow security, especially on work that uses static program analysis. Why language-based

585 views • 24 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are

Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are

Overview of Language-Based Security Bibliography Dan Grossman 13 October 2004 Papers are organized by topic, in the order of the presentation. There are more papers here than discussed in the presentation. Language-based security is a big

373 views • 8 slides
INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for Summer, 2008 Michele Rousseau Lecture Note 10 Effort Estimation Announcements Assignment #3 is due on Monday Quiz #3 regrades are due today

647 views • 21 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
Language Information Retrieval applications: integration of ontology-based methods and Linguistic

Language Information Retrieval applications: integration of ontology-based methods and Linguistic

technology from seed Multi-word processing in domain specific Cross- Language Information Retrieval applications: integration of ontology-based methods and Linguistic resources Johanna Monti UNISS Maria Pia di Buono UNISA Mario

312 views • 3 slides
Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language

Institute for Cyber Security Towards An Attribute Based Constraints Specification Language Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September 11, 2013 2013 ASE/IEEE

425 views • 17 slides
Natural language is a programming language: Applying natural language processing to software

Natural language is a programming language: Applying natural language processing to software

Natural language is a programming language: Applying natural language processing to software development Michael D. Ernst Presented by: Tomas Geffner, Subendhu Rongali &amp; Natcha Simsiri Before we start, what is software? Not just code/AST

438 views • 23 slides
Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is

Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is

Preview ! Introduction Lecture 10 ! Partitioning methods Clustering ! Hierarchical methods ! Model-based methods ! Density-based methods 1 2 What is Clustering? Examples of Clustering Applications ! Cluster: a collection of data objects !

301 views • 8 slides
Second year review WP3 overview HW/SW-based methods Trento October 17th, 2008 Goal

Second year review WP3 overview HW/SW-based methods Trento October 17th, 2008 Goal

Second year review WP3 overview HW/SW-based methods Trento October 17th, 2008 Goal Investigate the combination of hardware- and software based software protection techniques in order to implement the remote entrusting principle 2

705 views • 48 slides
Annotation methods to develop and evaluate an expert system based on natural language processing

Annotation methods to develop and evaluate an expert system based on natural language processing

Annotation methods to develop and evaluate an expert system based on natural language processing in electronic medical records Q. GICQUEL, I KERGOURLAY, S GERBIER-COLOMBAN, S CHARIOUT, A BITTAR, F SEGOND, S DARMONI, MH METZGER MIE, Istanbul 2

432 views • 11 slides
INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for

INF 111 / CSE 121: Software Tools and Methods Software Tools and Methods Lecture Notes for Summer Quarter 2008 Michele Rousseau Lecture Notes 7 - UML Announcements Quiz #3- Thursday What will it cover? All readings assigned since

711 views • 44 slides
Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk Assessment the Heart of Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz Introduction to our security challenge What is Risk-based Security? The language of risk some

787 views • 53 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Clustering based anonymization (cont) Permutation based anonymization Other privacy principles Microaggregation/Clustering Two steps:

879 views • 52 slides
Using Action Research Methods to Early childhood language abilities are strongly associated with

Using Action Research Methods to Early childhood language abilities are strongly associated with

The Problem Using Action Research Methods to Early childhood language abilities are strongly associated with subsequent Infuse Evidence-Based Language academic success Facilitation Practices in Head Start Two populations served through Head

311 views • 6 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Permutation based anonymization methods (cont.) Other privacy principles for microdata publishing publishing Statistical databases

986 views • 51 slides

More recommend