Security Properties & Language-Based Security Andrew Myers

The need for definitions
• Need a notion of what security means
• Drives design decisions
• Formal  Assurance
• Candidates?
Some security properties
• Need higher-level descriptions
• What can we specify?
• What can we enforce?
• Sweet spot?
Diagram (items as laid out on the slide):
– “System does what it’s supposed to”
– Digital Rights
– Privacy
– End-to-end confidentiality & integrity
– ‘Enforceable policies’
– Access controls
– Encapsulation
– Type safety
– Memory safety
– SAFETY
– Performance
– Availability
– LIVENESS
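The SAFETY and LIVENESS labels on the diagram are what put the ‘enforceable policies’ line where it is: an execution monitor only ever sees a finite prefix of a run, so it can reject a safety property as soon as a bad prefix shows up, but it can never reject a liveness property, because any finite prefix can still be extended into a run that satisfies it. The Python below is an added example, not part of the slides; the event formats and the two traces are constructed for it. It contrasts a memory-safety monitor (truncate at the first use-after-free) with an availability property that no prefix can refute.

```python
# Constructed event formats for this example:
#   memory:       ("alloc", obj) / ("free", obj) / ("use", obj)
#   availability: ("request", rid) / ("serve", rid)

def first_safety_violation(prefix):
    """SAFETY: 'never use memory after it has been freed'.
    A finite prefix is enough to refute it, so this can point at the exact
    event where the bad thing happens (its index), or return None."""
    freed = set()
    for i, (op, obj) in enumerate(prefix):
        if op == "alloc":
            freed.discard(obj)      # the identifier is live again
        elif op == "free":
            freed.add(obj)
        elif op == "use" and obj in freed:
            return i
    return None

def enforce_safety(trace):
    """Execution-monitor enforcement: let the run proceed until the first
    violating event and truncate there. The kept prefix satisfies the property."""
    i = first_safety_violation(trace)
    return list(trace) if i is None else list(trace[:i])

def pending_requests(prefix):
    """Requests issued so far that have not yet been served, in order."""
    pending = []
    for op, rid in prefix:
        if op == "request":
            pending.append(rid)
        elif op == "serve" and rid in pending:
            pending.remove(rid)
    return pending

def satisfying_extension(prefix):
    """LIVENESS: 'every request is eventually served'. Whatever finite prefix
    the monitor has seen, this continuation makes the run satisfy the property."""
    return [("serve", rid) for rid in pending_requests(prefix)]

def liveness_refuted(prefix):
    """A finite prefix refutes a property only if no continuation can satisfy
    it. Because satisfying_extension always exists, this is False for every
    prefix: a monitor that sees finite prefixes cannot enforce this property."""
    return pending_requests(list(prefix) + satisfying_extension(prefix)) != []

# Constructed traces.
MEM_TRACE = [("alloc", "p"), ("use", "p"), ("free", "p"), ("use", "p"), ("alloc", "q")]
REQ_TRACE = [("request", 1), ("request", 2), ("serve", 1)]

if __name__ == "__main__":
    print("use-after-free at event", first_safety_violation(MEM_TRACE))
    print("monitor keeps", enforce_safety(MEM_TRACE))
    print("pending:", pending_requests(REQ_TRACE),
          "refuted:", liveness_refuted(REQ_TRACE))
```

The asymmetry is the whole point: `first_safety_violation` can return a concrete index because a violated safety property has a finite witness, while `liveness_refuted` is false for every input because the witness for a violated liveness property is an infinite run, which no prefix-based monitor observes.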
Language-based security
• Moves the sweet spot
– Program is no longer a black box
– Can analyze fine-grained behavior
– Not just safety properties
• Connect formal definitions of security to formal models of execution
• Might be cheaper too…
The static analysis game
|- M = “M passes the analysis”
|- M  M’ = “M’ is a transformation of M that passes the analysis”
M |= F = “M has security property F”
Soundness: |- M => M |= F
-- can prove it!
Compositionality
M1 |= F & M2 |= F does not mean M1 + M2 |= F
But… define a static analysis so that
|- M1 & |- M2 => |- M1+M2
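An added Python example, not from the slides, that plays the static analysis game for a toy straight-line language: |- M is a syntactic check that no LOW variable is assigned from a HIGH one, M |= F is noninterference checked by brute force over a small value domain, and M1 + M2 is sequential composition. The expression format, labels and sample programs are constructed for the example. It shows the analysis composing (|- M1 & |- M2 => |- M1+M2), soundness holding on the sample programs, and the converse failing: l := h; l := 0 is noninterfering but rejected.

```python
from itertools import product

HIGH, LOW = "H", "L"

# Toy language (constructed for this example).
# Expression: ("const", n) | ("var", name) | ("add", e1, e2)
# Statement:  (target_var, expression)
# Program M:  list of statements; M1 + M2 is sequential composition.

def free_vars(expr):
    """Variables an expression reads: the syntactic fact the analysis relies on."""
    kind = expr[0]
    if kind == "const":
        return set()
    if kind == "var":
        return {expr[1]}
    if kind == "add":
        return free_vars(expr[1]) | free_vars(expr[2])
    raise ValueError(f"unknown expression {expr!r}")

def evaluate(expr, state):
    """Execution model for expressions."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "var":
        return state[expr[1]]
    if kind == "add":
        return evaluate(expr[1], state) + evaluate(expr[2], state)
    raise ValueError(f"unknown expression {expr!r}")

def run(program, state):
    """Execution model for programs: run M from an initial state to a final state."""
    state = dict(state)
    for target, expr in program:
        state[target] = evaluate(expr, state)
    return state

def passes_analysis(program, labels):
    """|- M: a LOW variable may only be assigned from LOW variables.
    Purely syntactic; M is never executed."""
    for target, expr in program:
        if labels[target] == LOW and any(labels[v] == HIGH for v in free_vars(expr)):
            return False
    return True

def satisfies_ni(program, labels, domain=(0, 1, 2)):
    """M |= F for F = noninterference: initial states that agree on LOW
    variables must lead to final states that agree on LOW variables.
    Checked exhaustively over a small value domain."""
    names = sorted(labels)
    low = [v for v in names if labels[v] == LOW]
    states = [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]
    for s1, s2 in product(states, repeat=2):
        if all(s1[v] == s2[v] for v in low):
            f1, f2 = run(program, s1), run(program, s2)
            if any(f1[v] != f2[v] for v in low):
                return False
    return True

def compose(*programs):
    """M1 + M2 (+ ...): sequential composition."""
    return [stmt for p in programs for stmt in p]

def sound_on(programs, labels):
    """Soundness (|- M => M |= F) checked on a sample of programs."""
    return all(satisfies_ni(p, labels) for p in programs if passes_analysis(p, labels))

# Constructed sample programs; h is secret (HIGH), l is public (LOW).
LABELS = {"h": HIGH, "l": LOW}
M1 = [("l", ("add", ("var", "l"), ("const", 1)))]       # l := l + 1
M2 = [("h", ("add", ("var", "h"), ("var", "l")))]       # h := h + l
LEAK = [("l", ("var", "h"))]                             # l := h
OVERWRITE = [("l", ("var", "h")), ("l", ("const", 0))]   # l := h; l := 0
SAMPLES = [M1, M2, compose(M1, M2), LEAK, OVERWRITE]

if __name__ == "__main__":
    for name, p in [("M1", M1), ("M2", M2), ("M1+M2", compose(M1, M2)),
                    ("LEAK", LEAK), ("OVERWRITE", OVERWRITE)]:
        print(f"{name:10} |- : {passes_analysis(p, LABELS)!s:5}  |= NI: {satisfies_ni(p, LABELS)}")
    print("sound on samples:", sound_on(SAMPLES, LABELS))
```

Compositionality of |- falls out of the check being per statement: a concatenation passes exactly when each part does, which is what makes the analysis cheap to run on large programs. OVERWRITE is the other half of the game: the analysis is sound but not complete, and rejecting l := h; l := 0 is the price of deciding |- M without ever running M.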