Computer Security Foundations COS 597B Prof David Walker


Page 1: Title
Computer Security Foundations
COS 597B
Prof David Walker

Page 2: Welcome!

• Computer Security Foundations is for
  – students interested in programming languages and how to apply them to solving systems security problems
  – students interested in systems security problems and how to use programming languages to solve them

Page 3: Class Style

• Some lectures given by me on technical topics
• Some discussions of papers on security
  – class participation is important
• Occasional 1-page writing assignment summarizing or critiquing a paper
• You can take this course for software systems competency

Page 4: Background

• It will be useful to have some background in logic or language semantics
  – Appel’s theorem proving class
  – Programming languages (COS 510 or 441)
• If you have never taken such courses I recommend
  – Benjamin Pierce, “Types and Programming Languages”
  – Chapters 1-9 (approx 100 pages of fairly easy reading)
• I will try to fill in background as I go
  – Next Monday, we will have a tutorial on this background material

Page 5: Topics of Interest: Foundations

• what is security?
  – safety, liveness, secrecy, authenticity, integrity
• what principles are available that help us build secure systems?
  – open design, economy of mechanism, minimal trusted computing base, etc

Page 6: Topics of Interest: Language Mechanisms

• dynamic program monitoring
  – theory: what kind of properties can we enforce?
  – practice: languages for writing program monitors
• static program analysis
  – type systems for safe virtual machines
  – enforcing information flow properties

Page 7: Topics of Interest: Logic and Security

• specifying security properties logically
  – authentication logics
  – proof-carrying authorization
  – security for distributed logic programs

Page 8: Topics of Interest: Cryptographic Protocols

• Specification of cryptographic protocols
  – make assumptions about the power of cryptographic primitives
  – nothing about cryptography itself (see Ed’s course if you are interested in how cryptography works)
  – reasoning about cryptographic protocols using types

Page 9: Topics of Interest: Current Techniques

• Java security
  – class loaders, security managers, security policies for Java
  – stack inspection: what is it? How does it work? What kind of security does it really provide?
• Program analysis and security
  – model checkers: how to analyze one million lines of code for security flaws!
  – language designs: CQual, Vault

Page 10: Grading

• Taking the course for a grade:
  – course project, final report: approx 50%
  – assignments, project progress reports, pop quizzes, class participation, class presentation: approx 50%
• Not taking the course for a grade:
  – reading and class participation
  – a presentation on a topic of interest

Page 11: Course Project

• A substantial project involving programming languages and security in some fashion
  – work in pairs
  – once you get started: work steadily every week of the term (5-10 hours/week, perhaps more)
• note: I deleted the journal idea

Page 12: Course Project: Milestones

• Sept 24: Form groups & pick area
• Oct 8: analysis of related work
  – ~5-page analysis of related work
  – minimum 2 papers/person (hand in a joint summary)
• Nov 1: Progress Report I
  – ~5-page description of one component of the project
  – idea summary and justification, a partial formalization, a proof, a tool description and performance evaluation, a language design and justification, a software design and explanation, etc
• Nov 22: Progress Report II
  – ~5-page description of a second element of the work
• Last month of class: Presentation on research in your area
  – assign 1 or 2 papers to the class to read; give a lecture and discuss
• Jan 11, Dean’s date: Final submission
  – submit final report which includes introduction, problem description, technical accomplishments, any code, performance evaluation, related work, and summary

Page 13: Project Ideas

• The course web site contains a list of project ideas and some papers you can read as starting points
• Feel free to choose an idea from the web site or try an idea of your own, possibly connected with other research in the department
• Some of the projects mentioned on the web site are very open-ended.
  – identify small subgoals that can be accomplished each week or every two weeks
  – be sure to have multiple fall-back positions
  – plan realistically

Page 14: Example Project

• Cryptographic programming in Jif:
  – Jif is a programming language based on Java equipped with a type system for detecting information flow.
  – Learn about how Jif works, its features and semantics
  – Use Jif:
    • Design an interface to a cryptographic library using Jif's decentralized label model.
    • Use the resulting library to implement the cryptographic protocols used in a secure client-server setting.
  – Evaluate: What did you learn? Jif pros and cons?
• Starting points on the projects page:
  – eg: Jif Homepage http://www.cs.cornell.edu/jif/

Page 15: Example Final Project Outline

• Abstract
• Section I: Introduction
  – Motivation (argument that makes the contributions seem inevitable!)
    - Information security is important.
    - Cryptographic primitives are crucial for network-based security.
    - Language-based security is a practical way to increase confidence in security.
    - Current support for cryptographic primitives in languages is not good.
  – Contributions
    - Design of a cryptographic library in Jif
    - Show how the type system can encode desirable invariants
    - Investigation of event-driven vs. threaded programs with information flow
    - Implementation of a (reasonably) substantial system using Jif
• Section II: Background material
  – Jif and the Decentralized Label Model
    - Important features (label abstraction, first-class principals, declassification, endorsement), syntax, semantics
  – Cryptographic operations

Page 16: Example Final Project Outline

• Section III: Design of the Cryptographic Library
  – Problems: Keeping keys secret; Dependency between keys and encrypted values; Authentication information encoded in the types; Integrity constraints in Jif
  – Solutions: Dynamic principals; Label polymorphism; Fancy programming
• Section IV: Evaluation of the Library
  – Description of the test case
    - Bank/ATM simulation with interesting authentication protocols
    - Taken from CSE331 course implementation
  – Implementation details/examples
  – Insights learned? Design choices you would have changed?
• Section V: Related Work
• Section VI: Conclusion
  – Summarize introduction
  – Reiterate contributions

Page 17: Other Project Topics

• secure distributed programming & PlanetLab
  – implement a service for PlanetLab using an interesting programming model
    • tuple spaces (see Klaim for Java)
    • join calculus (see JoCaml)
    • distributed logic programming (see SD3, Sophia)
  – consider the security threats and the mechanisms necessary to compensate
  – implement a security monitoring service (as opposed to an arbitrary service)

Page 18: Other Project Topics

• security monitors
  – a security monitor watches a program, virtual machine or distributed system and interrupts the system when it detects a security violation
  – consider security monitors based on transactions
    • theory of what is enforceable in the transactional model
    • practice of implementing the system
  – consider concurrent or distributed security monitors
  – consider hardware/compiler support for parallelizing execution of security monitors with the mainline application
  – consider type-system support for making security monitors compose with one another; implement it in the context of Polymer
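As an added illustration of the security-monitor idea on this slide (and of the "what kind of properties can we enforce?" question on the Language Mechanisms slide), here is a small execution monitor in the style of Schneider's security automata. This is example code written for this page, not code from the course or from Polymer; the policy ("no network send after a file read"), the event kinds and the two event traces are constructed for illustration. The monitor decides on the prefix of events seen so far and halts the monitored program at the first forbidden event, which is why monitors of this kind can enforce safety properties but not liveness properties.

```python
# Added example (not from the course slides): an execution monitor in the
# style of Schneider's security automata. The policy, event kinds and traces
# below are constructed for illustration.


class SecurityViolation(Exception):
    """Raised when the monitor sees an event the policy does not permit."""


class SecurityAutomaton:
    """A security automaton: a finite set of states and a transition table
    keyed by (state, event kind). An event with no transition out of the
    current state is rejected and the monitor halts the monitored program
    (a truncation automaton). The decision depends only on the prefix of
    events seen so far, so this enforces safety properties ("nothing bad
    happens") but cannot enforce liveness ("something good eventually
    happens"): a finite prefix can never witness that the good thing will
    never come."""

    def __init__(self, transitions, start):
        self.transitions = transitions
        self.state = start
        self.accepted = []  # events the monitored program was allowed to run

    def step(self, event):
        kind, _arg = event
        key = (self.state, kind)
        if key not in self.transitions:
            raise SecurityViolation(
                f"event {event!r} not permitted in state {self.state!r}")
        self.state = self.transitions[key]
        self.accepted.append(event)


# Constructed policy: the program may read files and send on the network,
# but once it has read a file it may no longer send (a simple no-leak rule).
# There is deliberately no ("tainted", "send") transition: that event is the
# "bad thing" the policy forbids.
NO_SEND_AFTER_READ = {
    ("clean", "send"): "clean",
    ("clean", "read"): "tainted",
    ("tainted", "read"): "tainted",
}


def run_monitored(events, transitions, start="clean"):
    """Feed a program's event trace through the monitor one event at a time.

    Returns (events actually allowed to execute, the violation or None).
    Execution is cut off at the first forbidden event, so nothing after it
    runs; this is the "interrupts the system" behaviour of the slide."""
    monitor = SecurityAutomaton(transitions, start)
    for ev in events:
        try:
            monitor.step(ev)
        except SecurityViolation as exc:
            return monitor.accepted, exc
    return monitor.accepted, None


# Constructed traces of (event kind, argument) pairs.
GOOD_TRACE = [("send", "hello"), ("read", "/tmp/config"), ("read", "/tmp/data")]
BAD_TRACE = [("send", "hello"), ("read", "/tmp/secret"),
             ("send", "leak"), ("read", "/tmp/more")]


def demo():
    """Run both traces and summarise how far each got."""
    good_allowed, good_violation = run_monitored(GOOD_TRACE, NO_SEND_AFTER_READ)
    bad_allowed, bad_violation = run_monitored(BAD_TRACE, NO_SEND_AFTER_READ)
    return {
        "good_allowed": len(good_allowed),
        "good_violation": good_violation,
        "bad_allowed": len(bad_allowed),
        "bad_violation": str(bad_violation),
    }


if __name__ == "__main__":
    print(demo())
```

The transition table is the whole policy: adding a ("tainted", "send") entry would permit the leak, and adding a declassification event that moves "tainted" back to "clean" would be the dynamic analogue of the declassification feature the Jif slides mention.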

Page 19: Other Project Topics

• Verifying availability properties
  – recently, researchers have made great progress verifying cryptographic protocols and establishing authenticity & secrecy properties
    • Multi-set rewriting protocols (Cervesato et al.)
    • Types for protocols (Gordon & Jeffrey)
  – can we do the same for availability properties and for developing robust distributed algorithms?
    • eg: can we develop techniques for verifying consensus and other group communication protocols? Under what failure models?

Page 20: Other Project Topics

• Study the effectiveness of security analysis tools
  – How do we evaluate security analysis tools to determine how effective they are?
  – What properties should they have?
  – What metrics can we use to analyze tools?
  – Can we develop a benchmark for testing these tools?
  – Take two or more existing tools and analyze them.

Page 21: Extend a programming language

• Polymer is a compiler framework for extending Java
  – add some form of program monitors based on automata
  – add Cryptyc-like support to Java for verifying cryptographic protocols
• Binder is a logic-programming language with built-in security
  – implement a linear-logic programming version of Binder

Page 22: Other Project Topics

• information flow
  – consider tracking information flow in a unique programming model
    • tuple space model
    • distributed logic programming model
    • typed assembly language

Page 23: Other Project Topics

• Survey paper option
  – choose a relatively broad area and do an in-depth analysis of the research in the area
    • come up with a creative way to classify the work in the area
    • summarize the major contributions
    • determine the most important avenues for future research
  – focus on producing a particularly well-written report by working on multiple drafts
  – eg: software program monitors; hardware support for security; security in distributed programming models

Page 24: Other Project Topics

• Come up with your own topic related to your own research
• Good topics may bridge gaps between areas
  – Networking & distributed programming
  – Algorithms for reliable computing and cryptography & languages to support their implementation or verification
  – Architecture or compilers to improve performance of security mechanisms

Page 25: Your Job

• In the next two weeks, figure out who you want to work with and what general topic you want to work on
  – work with someone who has the same level of commitment to the course
  – cross-area partnerships can be a great idea (eg: PL person with a systems person or algorithms person)
  – visit the course web page for ideas; talk with your friends or other people in the department; skim a couple of papers
  – meet with me 22-24th of September
    • set up an appointment by e-mail