research-article
Open access

A case study in language-based security: building an I/O library for Wyvern

Published: 17 November 2020

Abstract

As the impact of vulnerabilities increases in practice, it is imperative for programming languages to include security as a first-class design consideration. While a number of security-related language features have been proposed to address this need, in many cases, we do not know enough about whether it is practical and useful to build software systems in languages with these features.
In this paper, we begin to investigate this question, using a case study methodology. The setting of our case study is Wyvern, a recently designed language we selected because it incorporates three advanced security-related features: capability safety for enforcing the principle of least privilege, an effect system for tracking the secure use of resources, and a language extension feature that mitigates command injection. In our case study, we built a small standard I/O library, seeking to use the new language features to create a library that is less vulnerable to misuse and can serve as a building block for more secure programs, compared to conventional I/O library designs. Our study suggests that these features are indeed practicable and useful, and thus potentially promising for inclusion in other future language designs. It also sheds light on the value and cost of these features and suggests directions for future research on security-focused language design.
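The abstract names capability safety as the feature used to enforce least privilege in the I/O library. The sketch below is an added example written for this page, in Python rather than Wyvern, and it is not the paper's library or any Wyvern code: it illustrates the design pattern a capability-safe I/O library makes possible, namely handing a component an object that carries exactly the file-system authority it needs (one directory, read-only) and attenuating a broader capability into a narrower one, instead of relying on a globally available `open`. Python cannot remove ambient authority the way a capability-safe language does, so here the discipline is enforced only for code that stays within this API; the class and function names and the sample directory layout are invented for the illustration.

```python
import tempfile
from pathlib import Path


class ReadOnlyDir:
    """Capability to read files under one directory and nothing else.

    Holding an instance is the only way to read; there is no ambient path
    argument that names an arbitrary location.
    """

    def __init__(self, root: Path):
        self._root = root.resolve()

    def _confine(self, rel: str) -> Path:
        # Resolve symlinks and '..' first, then check the result stays inside
        # the granted directory; a failed check raises rather than reading.
        target = (self._root / rel).resolve()
        if target != self._root and self._root not in target.parents:
            raise PermissionError(f"{rel!r} escapes the granted directory")
        return target

    def read_text(self, rel: str) -> str:
        return self._confine(rel).read_text()


class DirCap(ReadOnlyDir):
    """Read/write capability for a directory, attenuable to weaker ones."""

    def write_text(self, rel: str, data: str) -> None:
        self._confine(rel).write_text(data)

    def subdir(self, rel: str) -> "DirCap":
        # Attenuation by scope: a capability for a subtree only.
        path = self._confine(rel)
        path.mkdir(exist_ok=True)
        return DirCap(path)

    def read_only(self) -> ReadOnlyDir:
        # Attenuation by rights: same scope, writes no longer reachable.
        return ReadOnlyDir(self._root)


def run_untrusted_plugin(config: ReadOnlyDir) -> str:
    # The plugin receives only the capability it was given; it cannot name
    # files elsewhere or write anything, because no such method exists on
    # the object it holds.
    return config.read_text("settings.ini")


def demo() -> dict:
    """Set up a constructed directory layout and exercise the capabilities."""
    with tempfile.TemporaryDirectory() as tmp:
        root = DirCap(Path(tmp))
        root.write_text("secret.txt", "top-secret")       # outside plugin scope
        cfg = root.subdir("config")
        cfg.write_text("settings.ini", "level=1")

        plugin_cap = cfg.read_only()
        result = {"plugin_read": run_untrusted_plugin(plugin_cap)}
        try:
            plugin_cap.read_text("../secret.txt")
            result["escape"] = "allowed"
        except PermissionError:
            result["escape"] = "denied"
        result["has_write"] = hasattr(plugin_cap, "write_text")
        return result


if __name__ == "__main__":
    print(demo())
```

The point of the pattern is that the plugin's authority is visible in its signature (`ReadOnlyDir`) and cannot be widened from inside; a reviewer checks what is passed in, not every call site.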

Supplementary Material

Auxiliary Presentation Video (onward20papers-p9-p-video.mp4)
New language-based security features are being proposed; are they practical? This talk, covering our Onward! 2020 paper, presents the three Wyvern security features and the I/O library case study described in the abstract.
MP4 File (3426428.3426913.mp4)
Presentation Videos


Cited By

View all
  • Bounded Abstract Effects. ACM Transactions on Programming Languages and Systems 44(1), 1-48, 12 January 2022. https://doi.org/10.1145/3492427

Published In

Onward! 2020: Proceedings of the 2020 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software
November 2020
208 pages
ISBN:9781450381789
DOI:10.1145/3426428
This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher

Association for Computing Machinery

New York, NY, United States
Author Tags

  1. Case Study
  2. Libraries
  3. Programming Language Features
  4. Security
Funding Sources

  • United States Department of Defense
  • AFRL and DARPA

Conference

SPLASH '20

Acceptance Rates

Overall Acceptance Rate 40 of 105 submissions, 38%