Security Properties & Language-Based Security
Andrew Myers

The need for definitions
• Need a notion of what security means
• Drives design decisions
• Formal assurance
• Candidates?

Some security properties
• Need higher-level descriptions
• What can we specify?
• What can we enforce?
• Sweet spot?
[Diagram on slide, labels in order: “System does what it’s supposed to”; Digital Rights; Privacy; End-to-end confidentiality & integrity; ‘Enforceable policies’; Access controls; Encapsulation; Type safety; Memory safety; SAFETY; Performance; Availability; LIVENESS]

Language-based security
• Moves the sweet spot
 – Program is no longer a black box
 – Can analyze fine-grained behavior
 – Not just safety properties
• Connect formal definitions of security to formal models of execution
• Might be cheaper too…

The static analysis game
|- M = “M passes the analysis”
|- M M’ = “M’ is a transformation of M that passes the analysis”
M |= F = “M has security property F”
Soundness: |- M => M |= F -- can prove it!

Compositionality
M1 |= F & M2 |= F does not mean M1 + M2 |= F
But… define a static analysis so that |- M1 & |- M2 => |- M1 + M2
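As an added illustration (not from the slides), the two judgements above for a toy assignment language with variables labelled L (public) or H (secret): `passes` plays the role of |- M, and `noninterfering` approximates M |= F (noninterference) by running the program on inputs that differ only in H variables. The label table, the syntax, and the four sample programs are assumptions constructed for this example; it also shows why the analysis composes by construction while remaining sound but not complete.

```python
# Toy syntax: a program is a list of ("assign", var, expr); expr is
# ("const", n) | ("var", x) | ("add", e1, e2). Labels are assumed: L below H.
LABELS = {"h": "H", "l": "L", "t": "H"}

def label_of(expr):
    """Static label of an expression: join of its variables' labels."""
    kind = expr[0]
    if kind == "const":
        return "L"
    if kind == "var":
        return LABELS[expr[1]]
    # ("add", e1, e2): the join is H if either operand is H
    return "H" if "H" in (label_of(expr[1]), label_of(expr[2])) else "L"

def passes(program):
    """|- M: reject any assignment of an H expression to an L variable.
    Each statement is judged on its own, so the analysis composes by
    construction: passes(M1) and passes(M2) imply passes(M1 + M2)."""
    return all(not (LABELS[var] == "L" and label_of(expr) == "H")
               for (_, var, expr) in program)

def eval_expr(expr, store):
    """Evaluate an expression against a variable store."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "var":
        return store[expr[1]]
    return eval_expr(expr[1], store) + eval_expr(expr[2], store)

def run(program, store):
    """Execute the program on a copy of the store; return the final store."""
    store = dict(store)
    for (_, var, expr) in program:
        store[var] = eval_expr(expr, store)
    return store

def noninterfering(program):
    """M |= F, approximated by testing (not a proof): runs that differ only
    in H inputs must agree on every L variable. Inputs are constructed."""
    lows = []
    for h in (0, 1, 7, 42):
        final = run(program, {"l": 3, "h": h, "t": h * 2})
        lows.append({v: final[v] for v in final if LABELS[v] == "L"})
    return all(lo == lows[0] for lo in lows)

# Constructed sample programs.
LEAK = [("assign", "l", ("var", "h"))]                          # l := h
SAFE = [("assign", "l", ("add", ("var", "l"), ("const", 1)))]   # l := l + 1
HIDE = [("assign", "t", ("add", ("var", "h"), ("var", "l")))]   # t := h + l
OVERWRITE = LEAK + [("assign", "l", ("const", 0))]              # l := h; l := 0
```

OVERWRITE is rejected by the analysis even though its final L state never depends on h: the checker is sound (everything it accepts is noninterfering) but not complete.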