Course Project Notes

Computer Security Foundations
COS 597B
Prof David Walker
Welcome!
• Computer Security Foundations is for
– students interested in programming languages
and how to apply them to solving systems
security problems
– students interested in systems security problems
and how to use programming languages to
solve them
Class Style
• Some lectures given by me on technical topics
• Some discussions of papers on security
– class participation is important
• Occasional 1-page writing assignment summarizing
or critiquing a paper
• You can take this course for software systems
competency
Background
• It will be useful to have some background in logic
or language semantics
– Appel’s theorem proving class
– Programming languages (COS 510 or 441)
• If you have never taken such courses I recommend
– Benjamin Pierce “types and programming languages”
– Chapters 1-9 (approx 100 pages of fairly easy reading)
• I will try to fill in background as I go
– Next Monday, we will have a tutorial on this
background material
Topics of Interest:
Foundations
• what is security?
– safety, liveness, secrecy, authenticity, integrity
• what principles are available that help us
build secure systems?
– open design, economy of mechanism, minimal
trusted computing base, etc
Topics of Interest:
Language Mechanisms
• dynamic program monitoring
– theory: what kind of properties can we
enforce?
– practice: languages for writing program
monitors
• static program analysis
– type systems for safe virtual machines
– enforcing information flow properties
Topics of Interest:
Logic and Security
• specifying security properties logically
– authentication logics
– proof-carrying authorization
– security for distributed logic programs
Topics of Interest:
Cryptographic Protocols
• Specification of cryptographic protocols
– make assumptions about the power of
cryptographic primitives
– nothing about cryptography itself (see Ed’s
course if you are interested in how
cryptography works)
– reasoning about cryptographic protocols using
types
Topics of Interest:
Current Techniques
• Java security
– class loaders, security managers, security policies for
Java
– stack inspection: what is it? How does it work? What
kind of security does it really provide?
• Program analysis and security
– model checkers: how to analyze one million lines of
code for security flaws!
– language designs: CQual, Vault
Grading
• Taking the course for a grade:
– course project, final report: approx 50%
– assignments, project progress reports, pop
quizzes, class participation, class presentation:
approx 50%
• Not taking the course for grade:
– reading and class participation
– a presentation on a topic of interest
Course Project
• A substantial project involving
programming languages and security in
some fashion
– work in pairs
– once you get started: work steadily every week
of the term (5-10 hours/week, perhaps more)
• note: I deleted the journal idea
Course Project: Milestones
• Sept 24: Form groups & pick area
• Oct 8: analysis of related work
– ~ 5-page analysis of related work
– minimum 2 papers/person (hand-in a joint summary)
• Nov 1: Progress Report I
– ~ 5-page description of one component of the project
– idea summary and justification, a partial formalization, a proof, a tool description and
performance evaluation, a language design and justification, a software design and
explanation etc
• Nov 22: Progress Report II
– ~ 5-page description of a second element of the work
• Last month of class: Presentation on research in your area
– assign 1 or 2 papers to the class to read; give a lecture and discuss
• Jan 11, Dean's date: Final submission
– submit final report which includes introduction, problem description, technical
accomplishments, any code, performance evaluation, related work, and summary
Project Ideas
• The course web site contains a list of project ideas
and some papers you can read as starting points;
• Feel free to choose an idea from the web site or try
an idea of your own, possibly connected with
other research in the department
• Some of the projects mentioned on the web site
are very open-ended.
– identify small subgoals that can be accomplished each
week or every two weeks
– be sure to have multiple fall-back positions
– plan realistically
Example Project
• Cryptographic programming in Jif:
– Jif is a programming language based on Java equipped
with a type system for detecting information-flow.
– Learn about how Jif works, its features and semantics
– Use Jif:
• Design an interface to a cryptographic library using Jif's
decentralized label model.
• Use the resulting library to implement the cryptographic
protocols used in a secure client-server setting.
– Evaluate: What did you learn? Jif pros and cons?
• Starting points on the projects page:
– eg: Jif Homepage http://www.cs.cornell.edu/jif/
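As an added illustration of the information-flow type checking the Jif project above is built on (example code written for these notes, not Jif's own implementation): a small decentralized-label model in the spirit of Myers and Liskov's labels. A label is a set of (owner, readers) policies, a value may only be assigned to a variable whose label is at least as restrictive, and an owner acting with their own authority may declassify their own policy. Principal hierarchies, integrity labels and the variable environment used here are simplifications or constructed inputs, not Jif semantics.

```python
"""Information-flow checking with a simplified decentralized-label model.

Added example for the course notes; not Jif's code.  Principal
hierarchies and integrity labels are deliberately left out.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Policy = Tuple[str, FrozenSet[str]]   # (owner, readers the owner permits)
Label = FrozenSet[Policy]             # a label is a set of policies


def label(*policies: Tuple[str, Set[str]]) -> Label:
    return frozenset((owner, frozenset(readers)) for owner, readers in policies)


PUBLIC: Label = label()  # no policies at all: anyone may read


def flows_to(src: Label, dst: Label) -> bool:
    """src ⊑ dst: every owner's restriction in src is kept (or tightened) in dst."""
    return all(any(o2 == o1 and r2 <= r1 for o2, r2 in dst) for o1, r1 in src)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: a value computed from both inputs carries both policy sets."""
    return a | b


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Const:
    value: int


@dataclass(frozen=True)
class BinOp:
    left: object
    right: object


@dataclass(frozen=True)
class Declassify:
    expr: object
    to: Label


class FlowError(Exception):
    pass


def type_of(expr, env: Dict[str, Label], authority: Set[str]) -> Label:
    """Label of an expression.  `authority` is the set of principals the
    running code acts for; only Declassify consults it."""
    if isinstance(expr, Const):
        return PUBLIC
    if isinstance(expr, Var):
        return env[expr.name]
    if isinstance(expr, BinOp):
        return join(type_of(expr.left, env, authority), type_of(expr.right, env, authority))
    if isinstance(expr, Declassify):
        src = type_of(expr.expr, env, authority)
        # A policy may be relaxed only by its owner; every other policy of the
        # source must still be enforced by the target label.
        for owner, readers in src:
            if owner not in authority and not flows_to(label((owner, readers)), expr.to):
                raise FlowError(f"cannot relax {owner}'s policy without {owner}'s authority")
        return expr.to
    raise TypeError(f"unknown expression {expr!r}")


def check_assign(target: str, expr, env: Dict[str, Label], authority: Set[str] = frozenset()) -> Label:
    """Typing rule for `target := expr`: label(expr) must flow to label(target)."""
    src = type_of(expr, env, authority)
    if not flows_to(src, env[target]):
        raise FlowError(f"{set(src)} does not flow to {set(env[target])} (target {target})")
    return src


# Constructed variable environment (hypothetical, not from any real program).
ENV: Dict[str, Label] = {
    "salary": label(("alice", {"hr"})),     # alice allows only hr to read her salary
    "hr_report": label(("alice", {"hr"})),  # same restriction, so salary may flow here
    "public_stat": PUBLIC,                  # readable by everyone
}


def demo() -> Dict[str, bool]:
    """Which of four constructed assignments the checker admits."""
    cases = {
        "hr_report := salary + 1": ("hr_report", BinOp(Var("salary"), Const(1)), set()),
        "public_stat := salary": ("public_stat", Var("salary"), set()),
        "public_stat := declassify(salary) as alice": ("public_stat", Declassify(Var("salary"), PUBLIC), {"alice"}),
        "public_stat := declassify(salary) as bob": ("public_stat", Declassify(Var("salary"), PUBLIC), {"bob"}),
    }
    results = {}
    for name, (target, expr, auth) in cases.items():
        try:
            check_assign(target, expr, ENV, auth)
            results[name] = True
        except FlowError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accepted' if ok else 'rejected'}: {name}")
```

The two rejected cases are the ones the type system is for: a direct copy of restricted data into a public variable, and a declassification attempted by a principal who does not own the policy. Note that a purely static checker like this says nothing about whether the declassification is sensible, only whether the right principal authorised it.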
Example Final Project Outline
• Abstract
• Section I: Introduction
– Motivation (argument that makes the contributions seem inevitable!)
- Information security is important.
- Cryptographic primitives are crucial for network-based security.
- Language-based security is a practical way to increase confidence in security
- Current support for cryptographic primitives in languages is not good.
– Contributions
- Design of a cryptographic library in Jif
- Show how type system can encode desirable invariants
- Investigation of event driven vs. threaded programs with information flow
- Implementation of a (reasonably) substantial system using Jif
• Section II: Background material
– Jif and Decentralized Label Model
- Important features (label abstraction, first-class principals, declassification,
endorsement), syntax, semantics
– Cryptographic operations
Example Final Project Outline
• Section III: Design of the Cryptographic Library
– Problems: Keeping keys secret; Dependency between keys and
encrypted values; Authentication information encoded in the types;
Integrity Constraints in Jif
– Solutions: Dynamic Principals; Label polymorphism; Fancy
programming
• Section IV: Evaluation of the Library
– Description of the test case
- Bank/ATM simulation with interesting authentication protocols
- Taken from CSE331 course implementation
– Implementation details/examples
– Insights learned? Design choices you would have changed?
• Section V: Related Work
• Section VI: Conclusion
– Summarize introduction
– Reiterate contributions
Other Project Topics
• secure distributed programming & PlanetLab
– implement a service for PlanetLab using an interesting
programming model
• tuple spaces (see Klaim for Java)
• join calculus (see JoCaml)
• distributed logic programming (see SD3, Sophia)
– consider the security threats and the mechanisms necessary
to compensate
– implement a security monitoring service (as opposed to an
arbitrary service)
Other Project Topics
• security monitors
– a security monitor watches a program, virtual machine or
distributed system and interrupts the system when it
detects a security violation
– consider security monitors based on transactions
• theory of what is enforceable in the transactional model
• practice of implementing the system
– consider concurrent or distributed security monitors
– consider hardware/compiler support for parallelizing
execution of security monitors with the mainline
application
– consider type-system support for making security monitors
compose with one another; implement it in the context of
Polymer
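The monitor described in this slide, as an added example written for these notes (not code from Polymer or from any of the cited papers): the policy is a security automaton over the program's security-relevant events, and the monitor feeds each event through it as the program runs. It also shows the difference between the truncation response of a plain security automaton (halt at the first bad event) and the suppression response that edit automata add (drop the offending event and continue). The policy, event format and sample traces are constructed for the example.

```python
"""A security automaton used as an execution monitor.

Added example for the course notes; the "no send after read" policy,
the event encoding and the traces are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str]  # (action, argument), e.g. ("read", "/tmp/cfg")


@dataclass
class SecurityAutomaton:
    start: str
    # state -> list of (guard on the event, successor state); an event with
    # no matching guard in the current state is a policy violation
    transitions: Dict[str, List[Tuple[Callable[[Event], bool], str]]]
    state: str = field(init=False)

    def __post_init__(self) -> None:
        self.state = self.start

    def accepts(self, event: Event) -> bool:
        """Take the transition for `event` if one exists; report whether it did."""
        for guard, successor in self.transitions.get(self.state, []):
            if guard(event):
                self.state = successor
                return True
        return False


def no_send_after_read() -> SecurityAutomaton:
    """Classic two-state policy: a program may read files or send on the
    network, but once it has read a file it must never send again."""
    is_read = lambda e: e[0] == "read"
    is_send = lambda e: e[0] == "send"
    is_other = lambda e: e[0] not in ("read", "send")
    return SecurityAutomaton(
        start="clean",
        transitions={
            "clean": [(is_read, "tainted"), (is_send, "clean"), (is_other, "clean")],
            # deliberately no transition for "send" once tainted: that is the violation
            "tainted": [(is_read, "tainted"), (is_other, "tainted")],
        },
    )


def monitor(trace: List[Event], mode: str = "halt") -> Tuple[List[Event], List[Event]]:
    """Run `trace` through the policy and return (executed, rejected).

    mode="halt":     truncation, the only response a pure security automaton
                     has: the program is stopped at the first bad event.
    mode="suppress": the edit-automaton response: the bad event is dropped
                     and the program is allowed to continue.
    """
    automaton = no_send_after_read()
    executed: List[Event] = []
    rejected: List[Event] = []
    for event in trace:
        if automaton.accepts(event):
            executed.append(event)      # permitted: the real program would perform it
        else:
            rejected.append(event)      # violation: the monitor intervenes
            if mode == "halt":
                break
    return executed, rejected


# Constructed sample traces (not captured from any real program).
BENIGN_TRACE: List[Event] = [("send", "hello"), ("read", "/tmp/cfg"), ("compute", "sum")]
LEAKY_TRACE: List[Event] = [("read", "/tmp/secret"), ("send", "report"),
                            ("compute", "sum"), ("send", "again")]


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("leaky", LEAKY_TRACE)):
        for mode in ("halt", "suppress"):
            ran, dropped = monitor(trace, mode)
            print(f"{name}/{mode}: executed={ran} rejected={dropped}")
```

Two points the slide's questions turn on are visible here. Because the monitor only ever sees the events that have already happened, it can enforce exactly the policies that are violated by some finite prefix of a trace (safety properties), which is why the "theory of what is enforceable" bullet matters. And the choice between halting and suppressing is not cosmetic: suppression keeps the program alive, so the monitor must be sure the program cannot observe the dropped action and compensate for it.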
Other Project Topics
• Verifying availability properties
– recently, researchers have made great progress in
verifying cryptographic protocols and establishing
authenticity & secrecy properties
• Multiset rewriting protocols (Cervesato et al.)
• Types for protocols (Gordon & Jeffrey)
– can we do the same for availability properties and
developing robust distributed algorithms?
• eg: can we develop techniques for verifying
consensus and other group communication protocols?
Under what failure models?
Other Project Topics
• Study the effectiveness of security analysis
tools
– How do we evaluate security analysis tools to
determine how effective they are?
– What properties should they have?
– What metrics can we use to analyze tools?
– Can we develop a benchmark for testing these
tools?
– Take two or more existing tools and analyze them.
Extend a programming language
• Polymer is a compiler framework for extending
Java
– add some form of program monitors based on automata
– add Cryptic-like support to Java for verifying
cryptographic protocols
• Binder is a logic-programming language with
built-in security
– implement a linear-logic programming version of
binder
Other Project Topics
• information flow
– consider tracking information flow in a unique
programming model
• tuple space model
• distributed logic programming model
• typed assembly language
Other Project Topics
• Survey paper option
– choose a relatively broad area and do an in-depth
analysis of the research in the area
• come up with a creative way to classify the work in the area
• summarize the major contributions
• determine the most important avenues for future research
– focus on producing a particularly well-written report
by working on multiple drafts
– eg: software program monitors; hardware support for
security; security in distributed programming models
Other Project Topics
• Come up with your own topic related to your
own research
• Good topics may bridge gaps between areas
– Networking & distributed programming
– Algorithms for reliable computing and
cryptography & languages to support their
implementation or verification
– Architecture or compilers to improve
performance of security mechanisms
Your Job
• In the next two weeks, figure out who you want to
work with and what general topic you want to
work on
– work with someone who has the same level of
commitment to the course
– cross-area partnerships can be a great idea (eg: PL
person with a systems person or algorithms person)
– visit the course web page for ideas; talk with your
friends or other people in the department; skim a couple
of papers
– meet with me 22-24th of September
• set up an appointment by e-mail