David Evans, evans@cs.virginia.edu, http://www.cs.virginia.edu/~evans

The Bugs and the Bees: Research in Programming Languages and Security. David Evans, evans@cs.virginia.edu, http://www.cs.virginia.edu/~evans. University of Virginia, Department of Computer Science. Background: joined UVA November 1999; BS/MS '94 and PhD 2000 from MIT. (PowerPoint PPT presentation)


  • David Evans
    evans@cs.virginia.edu
    http://www.cs.virginia.edu/~evans

    The Bugs and the Bees
    Research in Programming Languages and Security
    University of Virginia, Department of Computer Science

  • Background
    Joined UVA, November 1999
    BS/MS '94, and PhD 2000 from MIT
    Funding for three new students (but will probably only accept 1 or 2)
    Courses: Security (CS551), Grad. Programming Languages (CS655)

  • Menu
    The Bugs
      How do we help good people write better programs?
      How do we prevent bad programs from doing bad things?
    The Bees - Programming the Swarm
      How can we program large collections of devices?

  • A Gross Oversimplification
    (chart: x-axis "Effort Required", from Low to Unfathomable; y-axis "Bugs Detected", from none to all. Compilers are plotted at low effort and few bugs detected, Formal Verifiers at unfathomable effort and all bugs detected.)


  • Requirements
    No interaction required: as easy to use as a compiler
    Fast checking: as fast as a compiler
    Gradual learning/effort curve
      Little needed to start
      Clear payoff relative to user effort

  • Approach
    Programmers add annotations (formal specifications)
      Simple and precise
      Describe programmer's intent: types, memory management, data hiding, aliasing, modification, null-ity, etc.
    LCLint detects inconsistencies between annotations and code
      Simple (fast!) dataflow analyses

  • Sample Annotation: only
    Reference (return value) owns storage
      No other persistent (non-local) references to it
      Implies obligation to transfer ownership
    Transfer ownership by:
      Assigning it to an external only reference
      Returning it as an only result
      Passing it as an only parameter
    e.g.,
      extern void free (only void *);
      extern only char *gptr;
      extern only out null void *malloc (int);

  • Example
    1 int dummy (void) {
    2   int *ip= (int *) malloc (sizeof (int));
    3   *ip = 3;
    4   return *ip;
    5 }
    extern only null void *malloc (int);   (in library)
    LCLint output:
    dummy.c:3:4: Dereference of possibly null pointer ip: *ip
      dummy.c:2:13: Storage ip may become null
    dummy.c:4:14: Fresh storage ip not released before return
      dummy.c:2:43: Fresh storage ip allocated
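The two reports above (a possibly null dereference and fresh storage that is never released) are exactly what the only/null annotations on malloc let LCLint prove. The following is an added example, not code from the slides or from LCLint: it rewrites dummy() so both reports go away and shows the ownership transfers the "only" annotation permits (return as an only result, pass as an only parameter). In real LCLint source the annotations are written as stylized comments such as /*@only@*/ and /*@null@*/, which an ordinary C compiler ignores; the function names dummy_fixed, dup_string, consume_string and dup_round_trip are assumed for this example.

```c
#include <stdlib.h>
#include <string.h>

// Added example, not code from the slides: the slide's dummy() reworked so
// it no longer triggers either LCLint report, plus the ownership transfers
// the "only" annotation permits. The /*@only@*/ and /*@null@*/ comments
// are LCLint's annotation syntax; a plain C compiler treats them as
// whitespace. Function names below are assumed for this example.

// Returns the value stored in freshly allocated storage, or -1 if malloc
// fails. The null check answers "Dereference of possibly null pointer";
// the free() answers "Fresh storage ip not released before return".
int dummy_fixed(void)
{
    int *ip = (int *) malloc(sizeof(int));
    if (ip == NULL) {            // malloc is /*@null@*/: it may return NULL
        return -1;
    }
    *ip = 3;
    int result = *ip;
    free(ip);                    // passes the only reference to free()
    return result;
}

// Ownership transfer by returning an only result: the caller now owns the
// copy and must release it. Returns NULL if allocation fails.
/*@only@*/ /*@null@*/ char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = (char *) malloc(n);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, s, n);
    return copy;                 // fresh storage leaves through the return
}

// Ownership transfer by passing an only parameter: the caller gives up its
// reference, so this function must release the storage before returning.
// Returns the string length so the round trip has a checkable result.
size_t consume_string(/*@only@*/ char *s)
{
    size_t n = strlen(s);
    free(s);                     // obligation discharged
    return n;
}

// Full round trip: allocate through dup_string, hand the only reference to
// consume_string. Returns the length, or -1 if allocation failed. No path
// leaves storage unreleased, which is the property LCLint checks.
long dup_round_trip(const char *s)
{
    char *copy = dup_string(s);
    if (copy == NULL) {
        return -1;
    }
    return (long) consume_string(copy);
}
```

Run against LCLint (or its successor Splint), a version of dummy_fixed without the NULL check or without the free() reproduces the two reports on the slide; with both in place the annotations and the code agree and nothing is reported.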

  • LCLint Status
    Public distribution since 1993
    Effective checking of >100K line programs (checks about 1K lines per second)
    Detects lots of real bugs in real programs (including itself, of course)
    Thousands of users, Linux Journal, etc.
    Checks include: type abstractions, modifications, globals, memory leaks, dead storage, naming conventions, undefined behavior, incomplete definition...

  • Where do we go from here?
    Extensible checking: allow users to define new annotations and associated checking
    Integrate run-time checking: combine static and run-time checking to enable additional checking and completeness guarantees
    Generalize framework: support static checking for multiple source languages in a principled way

  • LCLint
    More information: lclint.cs.virginia.edu
    PATV 2000, PLDI 96, FSE 94
    Students: David Larochelle, Chris Barker, Vic Ludwig
    Current funding: NASA (joint with John Knight)
    Previous funding: DARPA, NSF, ONR, DEC

  • (figure) Untrusted Program → Safe Program

  • Naccio Motivation
    Weaknesses in existing code safety systems:
      Limited range of policies
      Policy definition is ad hoc and platform dependent
      Enforcement is tied to a particular architecture
    Can we solve them without sacrificing efficiency or convenience? Yes!

  • Naccio Overview
    General method for defining policies
      Abstract resources
      Platform independent
    System architecture for enforcing policies
      Prototypes for JavaVM classes, Win32 executables
    (figure: Program + Safety Policy → Safe Program)

  • Problem
    (figure) User's view: files, resources, policy. System view: the program (e.g., tar cf *) calls system library functions such as WriteFile (fHandle, ...), which go through the OS kernel to the disk. The platform interface connects the two views.

  • Safety Policy Definition
    Resource descriptions: abstract operational descriptions of resources (files, network, threads, display, ...)
    Platform interface: mapping between system events (e.g., Java API calls, Win32 API calls) and abstract resources
    Resource use policy: constraints on manipulating those resources

  • Naccio Architecture
    (figure) Per policy: the policy compiler takes a safety policy definition and produces a policy description file and a policy-enforcing system library.
    Per application: the application transformer takes a program and produces a version of the program that:
      Uses the policy-enforcing system library
      Satisfies low-level code safety
    Current platforms:
      JavaVM: program is a collection of Java classes
      Win32: program is a Win32 executable and DLLs
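The three-part policy definition (resource description, platform interface, resource use policy) and the idea of a program that reaches the system library only through a policy-enforcing version of it, as an added example in plain C. This is not Naccio's own code or policy notation and does not reproduce its policy compiler or application transformer; it models one abstract resource, one resource use policy ("LimitWrite", a cap on bytes written), one platform interface mapping (fwrite onto the abstract write operation), and an application that runs under it. All names (RFile, policy_check_write, policy_fwrite, MAX_BYTES, write_lines, bytes_accounted) and the sample line written are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

// Added example, not Naccio's own code or its policy language: a plain-C
// miniature of the three-part safety policy definition from the slides and
// of a program linked against the resulting policy-enforcing library.
// All names here are assumed for this example.

// Resource description: an abstract file resource. It records only what a
// policy might want to constrain, nothing platform-specific.
typedef struct {
    unsigned long bytes_written;
} RFile;

static RFile the_file_resource = { 0 };

// Resource use policy ("LimitWrite"): a program may write at most
// MAX_BYTES bytes to files in total during one run.
#define MAX_BYTES 64UL

// Returns 1 if the policy permits writing n more bytes (and records them),
// 0 if the write would violate the policy.
static int policy_check_write(RFile *r, unsigned long n)
{
    if (r->bytes_written + n > MAX_BYTES) {
        return 0;                // violation: the operation is refused
    }
    r->bytes_written += n;
    return 1;
}

// Platform interface: maps the system-library event "fwrite" onto the
// abstract resource's write operation. In the transformed program this
// wrapper stands in for the real fwrite, so application code cannot
// bypass the check by calling the library directly.
size_t policy_fwrite(const void *buf, size_t size, size_t count, FILE *fp)
{
    unsigned long n = (unsigned long) (size * count);
    if (!policy_check_write(&the_file_resource, n)) {
        return 0;                // denied: nothing reaches the real library
    }
    return fwrite(buf, size, count, fp);
}

// Bytes the policy has accounted so far in the current run.
unsigned long bytes_accounted(void)
{
    return the_file_resource.bytes_written;
}

// An application running under the policy. Each call models a fresh run:
// it resets the resource state, writes up to count copies of a constructed
// 12-byte line to a scratch file, and stops at the first refused write.
// Returns the number of lines actually written, or -1 if no scratch file
// could be opened.
int write_lines(int count)
{
    the_file_resource.bytes_written = 0;
    FILE *fp = tmpfile();
    if (fp == NULL) {
        return -1;
    }
    const char line[] = "hello swarm\n";     // 12 bytes, constructed input
    int written = 0;
    for (int i = 0; i < count; i++) {
        if (policy_fwrite(line, 1, sizeof line - 1, fp) == 0) {
            break;
        }
        written++;
    }
    fclose(fp);
    return written;
}
```

With MAX_BYTES at 64 and 12-byte lines, the fifth write brings the total to 60 and the sixth (72) is refused, so write_lines(10) returns 5. The split mirrors the slides: the policy and resource parts know nothing about fwrite, and the platform interface is the only piece that would change when moving from one platform's system library to another.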

  • Open Issues
    Low-level code safety for Win32: how can you prevent a malicious programmer from tampering with checking code?
    Policy development: what is the correct policy for different environments?
    User interface: how can you present policy violations to naive users in a sensible way?

  • Naccio Summary
    Method for defining a large class of policies using abstract resources
    General architecture for code safety
    Encouraging results so far
      Win32 (Andrew Twyman, MIT MEng '99): need to implement low-level safety
      JavaVM: believed to be secure
    For more information: http://naccio.cs.virginia.edu; IEEE Security & Privacy '99; my PhD thesis

  • Programming the Swarm

  • Really Brief History of Computer Science
    1950s: Programming in the small...
      Programmable computers
      Learned that programming is hard
      Birth of higher-order languages
      Tools for reasoning about trivial programs
    1970s: Programming in the large...
      Abstraction, objects
      Methodologies for development
      Tools for reasoning about component-based systems
    2000s: Programming in the Swarm!

  • Programming the Swarm: Long-Range Goal
    (figure; labels: Cement, 10 GFlop)

  • What's Changing
    Execution platforms: not computers (98% of microprocessors sold this year); small and cheap
    Execution environment: interact with the physical world; unpredictable, dynamic
    Programs: the old style of programming won't work. Is there a new paradigm?

  • Swarm Programming
    Primitives describe group behaviors
      What are the primitives? How are they specified?
      Important to understand both functional (how the state changes) and non-functional (power use, robustness, efficiency, etc.) properties
    Construct complex behaviors by composing primitives
      Predict behavior of result
      Pick the right primitives based on description of desired non-functional properties

  • Group Behaviors
    (chart with axes "smarter devices" and "smarter behavior"; examples plotted: Bee house-hunting, Stadium Wave, Jazz Octet, Ant Routing, Canada Geese, Manchester United, Concrete Bridge, Disperse (demo), CS IM Team)

  • Finding an Advisor
    Don't rely on the matching process: this is the last resort!
    Find someone with whom you can work well
      Can't tell this from one breakout session
      Meet at least twice with potential advisors before matching forms

  • Summary
    (figure: project decision tree, starting from "People are basically good?")
    Sign up for meeting times (form going around).


    Thesis work on policy-directed code safety.

    Goal: Prevent programs from doing bad things but allow good programs to do useful work.
    State of the world before LCLint (gross simplification): static checking as part of compilers or standard lint; formal verification tools range from fiendishly expensive to unfathomable, not used much except in academic research projects and when taxpayers are paying.

    Just to prove I have some PowerPoint animation skills, even if they aren't as impressive as Nick McKeown's.

    Note: the user didn't have to write any annotations to discover these bugs!

    Going to tell you about the system I designed to do that. Conceptually, two things left to do: define a policy (main contribution of my work: in terms of abstract resource manipulations); not much use to define unless you can enforce it. Let's take a closer look at that architecture.
    Policy author understands resources like files, network, etc. System view: program manipulates resources by calling system library functions. Problem: need to enforce the policy at the level of code and system calls. Describe the policy at a level the author understands, enforce it at the system level. [click] Split policies into 3 components.

    Platform interface & resource descriptions: fixed for most policies; can't change one without changing the other.

    Most policies: the author looks at the resource descriptions and writes a resource use policy.

    Next: examples

    Divide the task into two pieces. Left side: run by the policy author, once per policy, per platform. Takes a safety policy definition, produces a policy description file and a policy-enforcing library.

    Right side: run to prepare a program to enforce a policy; satisfies the necessary low-level safety properties to prevent a program from circumventing the high-level mechanisms. More about these pieces later. Close to practical implementations.

    Invite you to visit the Naccio web site. Page where you can upload a program and run it on my machine with a safety policy.

    /u/evs/thesis.tex. Details in the IEEE paper. Questions?