Language-based Security

06/24/22 1/32 Language-based Security. Jay Ligatti, University of South Florida


DESCRIPTION

Language-based Security. Jay Ligatti, University of South Florida. Outline: Introduction to software security; Constructing secure languages (typing rules, execution rules, type safety); Extensions; Summary. Software Security: How can we constrain the behavior of our software?

TRANSCRIPT

Page 1: Language-based Security

04/22/23 1/32

Language-based Security

Jay Ligatti, University of South Florida

Page 2: Language-based Security

Outline

Introduction to software security
Constructing secure languages
– Typing rules
– Execution rules
– Type safety
Extensions
Summary

Page 3: Language-based Security

Software Security

How can we constrain the behavior of our software?

Page 4: Language-based Security

Software Security

How can we constrain the behavior of our software?
– In the presence of (malicious) attackers
  E.g.: Log-in program must lock out users after three failed attempts

Page 5: Language-based Security

Software Security

How can we constrain the behavior of our software?
– In the presence of (malicious) attackers
  E.g.: Log-in program must lock out users after three failed attempts
– Even in the absence of attackers
  E.g.: Email program must not send invitations to my drunken myspace page to my professors (a privacy constraint)

Page 6: Language-based Security

Software Security

Obtaining these constraints requires first obtaining a more common constraint:

Memory access control (MAC)
– Data in memory can only be read and written in authorized ways

Page 7: Language-based Security

Software Security

Memory access control (MAC)
– Data in memory can only be read and written in authorized ways

Type checking provides MAC
– Strong checking controls all memory accesses
  ML, Java, C#, Haskell, ...
– Weak checking leaves holes open
  C++, C, machine code, …

Page 8: Language-based Security

Type Checking

Well-typed programs provide proofs that programs are properly constrained (i.e., access memory correctly)

Type-checker verifies the proofs

Static analysis of code guarantees run-time constraints

Page 9: Language-based Security

Type Checking

A foundational security tool
– Model of type checking is very general
  Programs come with proofs of good behavior; anyone can verify the proofs
– Underappreciated security tool
  Java's superior security over C/C++ is primarily due to type checking

But how does it work?

Page 10: Language-based Security

Outline

Introduction to software security
Constructing secure languages
– Typing rules
– Execution rules
– Type safety
Extensions
Summary

Page 11: Language-based Security

A Simple Language

Consider a programming language with integers, booleans, and if-then-else's

Example
if (if true then false else true) then 6 else 8

Evaluates to?

Page 12: Language-based Security

Typing Rules

For every expression, what's its type?
1) true : bool ["true has type bool"]
2) false : bool
3) n : int (when n is any integer)
4) if e1 then e2 else e3 : ??

Page 13: Language-based Security

Typing Rules

4) if e1 then e2 else e3 : ??
Answer: Whatever types e2 and e3 have

Page 14: Language-based Security

Typing Rules

4) if e1 then e2 else e3 : ??
Answer: Whatever types e2 and e3 have

if true then true else false : bool
if true then 4 else 5 : int

Page 15: Language-based Security

Typing Rules

4) If (e1 : bool and e2 : T and e3 : T)
   Then (if e1 then e2 else e3 : T)

Page 16: Language-based Security

Typing Rules

4) If (e1 : bool and e2 : T and e3 : T)
   Then (if e1 then e2 else e3 : T)

if (if true then false else true) then 6 else 8 : ??

Page 17: Language-based Security

Typing Rules

4) If (e1 : bool and e2 : T and e3 : T)
   Then (if e1 then e2 else e3 : T)

if (if true then 6 else 8) then false else true : ??

Page 18: Language-based Security

Execution Rules

For every expression, how does it execute (i.e., "take a step")?
0) true, false, and integers are final answers and do not execute further
1) if true then e1 else e2 => e1
2) if false then e1 else e2 => e2
3) (assuming e1 is neither true nor false)
   if e1 then e2 else e3 => ??

Page 19: Language-based Security

Execution Rules

3) (assuming e1 is neither true nor false)
   if e1 then e2 else e3 => ??

Answer: Execute e1 first

if (if true then false else true) then 6 else 8
=> if (false) then 6 else 8

Page 20: Language-based Security

Execution Rules

3) (assuming e1 is neither true nor false)
   If (e1 => e1')
   Then (if e1 then e2 else e3 => if e1' then e2 else e3)

Page 21: Language-based Security

Type Safety

With typing and execution rules defined, we can prove a type-safety theorem

Type safety:
Well-typed programs will only obey the safe and expected rules of execution

Page 22: Language-based Security

Type Safety

Well-typed programs are constrained by the rules of execution

How have we constrained well-typed programs in our simple language?

Page 23: Language-based Security

Type Safety in Simple Language

Programs that pass our type checker will only branch on a true or a false value

Will never try to execute anything like: "if 5 then 6 else 8"

Doing so would require an unsafe and unexpected execution rule

Page 24: Language-based Security

Type Safety in Simple Language

Programs that pass our type checker will only branch on a true or a false value

Memory access control (MAC)
– A well-typed program will never read an int in memory when it should read a bool
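As an added worked example (not part of the slides), the deck's simple language of integers, booleans and if-then-else is implemented below in Python: `type_of` applies typing rules 1 to 4, `step` applies execution rules 0 to 3, and `run` type-checks a program before executing it while checking at every step that its type is preserved. The class and function names are my own; the three programs at the bottom are the deck's own examples, and the slide's `if 5 then 6 else 8` is shown both rejected by the type checker and stuck under the execution rules.

```python
# Added example (not from the slides): a type checker and a small-step
# evaluator for the deck's simple language of integers, booleans and
# if-then-else, following its typing rules 1-4 and execution rules 0-3.
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class If:
    """The expression 'if cond then then_ else else_'."""
    cond: "Expr"
    then_: "Expr"
    else_: "Expr"


# Values are Python bools (true/false) and ints (n); everything else is an If.
Expr = Union[bool, int, If]


class IllTyped(Exception):
    """Raised by the type checker: the program is rejected before it runs."""


class Stuck(Exception):
    """Raised by the evaluator: no execution rule applies (an unsafe, unexpected step)."""


def type_of(e: Expr) -> str:
    """Typing rules 1-4. Returns 'bool' or 'int', or raises IllTyped."""
    if isinstance(e, bool):            # rules 1 and 2: true : bool, false : bool
        return "bool"                  # (bool is tested before int: in Python, True is an int)
    if isinstance(e, int):             # rule 3: n : int
        return "int"
    if isinstance(e, If):              # rule 4: e1 : bool, e2 : T, e3 : T  =>  if e1 then e2 else e3 : T
        t1 = type_of(e.cond)
        if t1 != "bool":
            raise IllTyped(f"condition has type {t1}, expected bool")
        t2, t3 = type_of(e.then_), type_of(e.else_)
        if t2 != t3:
            raise IllTyped(f"branches have different types: {t2} and {t3}")
        return t2
    raise IllTyped(f"not an expression of the language: {e!r}")


def is_well_typed(e: Expr) -> bool:
    try:
        type_of(e)
        return True
    except IllTyped:
        return False


def is_value(e: Expr) -> bool:
    """Execution rule 0: true, false and integers are final answers."""
    return isinstance(e, (bool, int))


def step(e: Expr) -> Expr:
    """One execution step (rules 1-3). Raises Stuck when no rule applies."""
    if is_value(e):
        raise Stuck("final answers do not execute further")
    if e.cond is True:                 # rule 1: if true then e1 else e2 => e1
        return e.then_
    if e.cond is False:                # rule 2: if false then e1 else e2 => e2
        return e.else_
    if is_value(e.cond):               # e.g. 'if 5 then 6 else 8': the deck's unsafe case
        raise Stuck(f"no execution rule for 'if {e.cond!r} then ...'")
    # rule 3: the condition is neither true nor false, so execute it first
    return If(step(e.cond), e.then_, e.else_)


def gets_stuck(e: Expr) -> bool:
    """True if executing e (without type checking) reaches a term no rule can step."""
    try:
        while not is_value(e):
            e = step(e)
        return False
    except Stuck:
        return True


def run(e: Expr) -> Tuple[str, Expr, List[Expr]]:
    """Type-check e, then execute it to a value, recording every intermediate term.

    The loop also checks both halves of the type-safety theorem on this run:
    progress (a well-typed non-value always steps) and preservation (the type
    never changes along the way). Returns (type, final value, execution trace).
    """
    t = type_of(e)                     # ill-typed programs are rejected here, never executed
    trace = [e]
    while not is_value(e):
        e = step(e)                    # cannot raise Stuck for a well-typed e (progress)
        assert type_of(e) == t, "preservation violated"
        trace.append(e)
    return t, e, trace


if __name__ == "__main__":
    # The deck's three example programs, built here as constructed inputs.
    good = If(If(True, False, True), 6, 8)       # if (if true then false else true) then 6 else 8
    bad = If(If(True, 6, 8), False, True)        # if (if true then 6 else 8) then false else true
    unsafe = If(5, 6, 8)                         # if 5 then 6 else 8
    print(run(good))                             # ('int', 8, [If(...), If(False, 6, 8), 8])
    print(is_well_typed(bad), is_well_typed(unsafe))   # False False
    print(gets_stuck(unsafe))                    # True: rejected statically, stuck dynamically
```

Running the file prints the trace for the deck's first example: the inner `if` steps to `false` (rule 3, then rule 1), and the outer `if` then steps to `8` (rule 2). The security argument the slides make is visible in `run`: the type checker rejects `if (if true then 6 else 8) then false else true` and `if 5 then 6 else 8` before anything executes, so for a well-typed program the evaluator only ever branches on `true` or `false` and the `Stuck` case is never reached.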

Page 25: Language-based Security

Type Safety in General

Well-typed programs will only read and write memory in "appropriate" ways

"Appropriate" means whatever is allowed by rules of execution

Page 26: Language-based Security

Outline

Introduction to software security
Constructing secure languages
– Typing rules
– Execution rules
– Type safety
Extensions
Summary

Page 27: Language-based Security

Type Safety

Could add features to language and prove:
– Only memory containing code gets executed
– Only in-bounds array elements get read/written
– Only correctly typed pointers get dereferenced (e.g., return addresses really are return addresses)
– Only public methods in objects can be executed by other objects

Page 28: Language-based Security

Type Safety

Could add features to language and prove:
– Only memory containing code gets executed
– Only in-bounds array elements get read/written
– Only correctly typed pointers get dereferenced (e.g., return addresses really are return addresses)
– Only public methods in objects can be executed by other objects

Memory access is constrained by execution rules

Page 29: Language-based Security

Run-time-checks Extension

Type safety provides a foundation for higher-level constraints

Can add run-time checks to constrain software further
– E.g., to lock out users after failed logins, or to refuse to email myspace invitations to professors

Type safety ensures that run-time checks always work correctly (cannot be attacked successfully)
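As an added example (not from the slides), the deck's first higher-level constraint, "lock out users after three failed attempts", written as a run-time check in Python. The `LoginGuard` class, the `check_password` callback it is handed, the per-user counters and the rule that a successful login resets the counter are all my own assumptions; the slide only states the three-failure policy.

```python
# Added example (not from the slides): a run-time check implementing the deck's
# "lock out users after three failed attempts" policy. The verifier callback,
# the per-user counters and the reset-on-success rule are assumptions made here.
from typing import Callable, Dict, List, Set

LOCKOUT_THRESHOLD = 3   # the deck's "three failed attempts"


class LoginGuard:
    """Mediates every login attempt and enforces the lockout policy.

    check_password is a hypothetical credential verifier supplied by the caller;
    this class never inspects passwords itself.
    """

    def __init__(self, check_password: Callable[[str, str], bool],
                 threshold: int = LOCKOUT_THRESHOLD) -> None:
        self._check = check_password
        self._threshold = threshold
        self._failures: Dict[str, int] = {}   # consecutive failures per user
        self._locked: Set[str] = set()        # users who have reached the threshold

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        The lock is checked *before* the credential is verified, so a locked
        account stays locked even when the correct password is presented.
        """
        if user in self._locked:
            return "locked"
        if self._check(user, password):
            self._failures.pop(user, None)    # assumption: a success resets the counter
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if failures >= self._threshold:
            self._locked.add(user)
            return "locked"
        return "denied"

    def is_locked(self, user: str) -> bool:
        return user in self._locked


def demo() -> List[str]:
    """Constructed scenario: alice fails three times, then supplies the right password."""
    guard = LoginGuard(lambda user, pw: pw == "correct horse")   # constructed verifier
    return [
        guard.attempt("alice", "wrong"),            # 'denied'
        guard.attempt("alice", "wrong"),            # 'denied'
        guard.attempt("alice", "wrong"),            # 'locked' (third failure)
        guard.attempt("alice", "correct horse"),    # 'locked' (still locked)
        guard.attempt("bob", "correct horse"),      # 'ok' (other users are unaffected)
    ]


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'locked', 'locked', 'ok']
```

The guard only enforces anything if every login path goes through `attempt` and nothing else in the process can alter `_failures` or `_locked`. That second condition is exactly what the slide means by type safety making run-time checks work correctly: in a language with strong checking, no other code can reach the guard's memory except through its methods, whereas in a weakly checked language a memory error elsewhere in the program could corrupt the counter or the lock set and silently defeat the policy.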

Page 30: Language-based Security

Outline

Introduction to software security
Constructing secure languages
– Typing rules
– Execution rules
– Type safety
Extensions
Summary

Page 31: Language-based Security

Summary

Well-typed programs have constrained run-time behaviors
– Only execute according to safe and expected rules
=> Will never access memory inappropriately

Programming in strongly typed languages like ML and Java is a good basis for writing secure code

Page 32: Language-based Security

Thanks

Questions?