CS 7301: Seminar on Language-based Security

Course Information

Title: CS 7301: Language-based Security
Course Registration Number: 13769
Times: TR 11:30-12:45
Location: ECSS 2.311
Instructor: Dr. Kevin Hamlen (hamlen AT utdallas)
Office Hour: TR 1:00-2:00

Course Summary

This course will introduce and survey the emerging field of "Language-based Security", in which techniques from compilers and programming language theory are leveraged to address issues in computer security. Topics include: Proof-Carrying Code, In-lined Reference Monitoring, Typed Intermediate Languages, Typed Assembly Language, Certifying Compilers, and Software Fault Isolation.

The aim of the course is to allow each student to develop a solid understanding of at least one of these topics, along with a more general familiarity with the range of research in the field. In-course discussion will highlight opportunities for cutting-edge research in each area. If your research involves computer security, this course will provide you with an array of powerful tools for addressing software security issues. If your research involves programming languages and compilers, this course will show you how to take techniques that you might already know and apply them in new and interesting ways.

The course is open to Ph.D. students, and to Masters students with permission of instructor.

Suggested prerequisite: CS 6371 Advanced Programming Languages (or concurrently), or a basic familiarity with type theory. (If not, the student is advised to consult one of the texts on type theory listed later on this page.)

Grading

Homework: Homeworks will consist of assigned readings—approximately two papers per class session. Material presented in class will assume that students have read the assigned material before coming to class, so please do the readings ahead of time!

Presentations (40%): Each student will be assigned two days during the semester during which they will present to the class a summary of the assigned readings for that day. The presentation should provide a technical overview of the paper, a description of how the paper fits into the broader context of the material covered in the course, and should pose some interesting questions or challenges for in-class discussion.

Class Participation (20%): Students are expected to come to each class having read the assigned papers, and prepared with questions, critiques, and discussion topics. Regular participation in in-class discussion will count 20% towards students' grades in the course.

Projects (40%): Students taking the course for a letter grade will work individually or in a team of two to four to complete a course-related project. All project ideas are individually approved by the instructor. Proposals are due by mid-semester. A typical project would involve implementing one of the concepts described in one of the assigned readings, or using one or more of the research-level software packages covered in class to do an interesting program analysis or to address a non-trivial security vulnerability.

Texts

The course has no required textbook, but several of the course topics will draw heavily from material in:

Benjamin C. Pierce, ed., Advanced Topics in Types and Programming Languages. MIT Press, Cambridge, MA, 2005. (available online from UTD computers)

The following are also useful references for those not already familiar with type theory and/or security:

Benjamin C. Pierce. Types and Programming Languages. MIT Press, Cambridge, MA, 2002.
Glynn Winskel. The Formal Semantics of Programming Languages. MIT Press, Cambridge, MA, 1993.
Matt Bishop. Computer Security: Art and Science. Addison-Wesley, 2003. (available online from UTD computers)

Tentative Course Schedule

Date	Topic	Presenter(s)
Introduction and Review
Tue 1/9	Course overview and introduction to Language-based Security Fred B. Schneider, Greg Morrisett, Robert Harper. A language-based approach to security. Informatics: 10 Years Back, 10 Years Ahead, Lecture Notes in Computer Science, Vol. 2000, Springer-Verlag, Heidelberg, 86-101.	Instructor
Thur 1/11	A Crash Course in Type Theory: Part I Simple Types, Operational Semantics Properties of Type Systems: Preservation, Progress, Soundness, Completeness Suggested (non-mandatory) readings: Glynn Winskel. The Formal Semantics of Programming Languages: Chapter 2. MIT Press, Cambridge, MA, 1993. Benjamin C. Pierce. Types and Programming Languages: Chapters 8 and 11. MIT Press, Cambridge, MA, 2002.	Instructor
Tue 1/16	A Crash Course in Type Theory: Part II First-class Functions, Parametric Polymorphism, and Dependent Types Types as Logical Predicates: Hoare Logic, Curry-Howard Isomorphism Suggested (non-mandatory) readings: Benjamin C. Pierce. Types and Programming Languages: Chapters 23 and 24. MIT Press, Cambridge, MA, 2002. Benjamin C. Pierce, ed., Advanced Topics in Types and Programming Languages: Chapter 2. MIT Press, Cambridge, MA, 2005. (available online from UTD computers) Glynn Winskel. The Formal Semantics of Programming Languages: Chapter 6. MIT Press, Cambridge, MA, 2002.	Instructor
Thur 1/18	A Crash Course in Computer Security Security Goals: Confidentiality, Integrity, Availability Security Principles: Least Privilege, Minimal Trusted Computing Base Security Policies: Memory Safety, Control Flow Safety, Coarse-grained RBAC Attacks: Buffer Overrun, Privilege Escalation, Denial of Service, Dictionary Attacks, Phishing Suggested (non-mandatory) readings: Matt Bishop. Computer Security: Art and Science: Chapter 1. Addison-Wesley, 2003. (available online from UTD computers)	Instructor
Memory Safety and Control-Flow Safety
Tue 1/23	Software Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. Efficient Software-Based Fault Isolation. ACM SIGOPS Operating Systems Review, 27(5):203-216, December 1993. Stephen McCamant and Greg Morrisett. Evaluating SFI for a CISC Architecture. In Proceedings of the 15th USENIX Security Symposium, Vancouver, BC, August 2006.	Sandeep
Thur 1/25	Control Flow Integrity Martín Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. Control-Flow Integrity: Principles, Implementations, and Applications. ACM Conference on Computer and Communication Security, Alexandria, VA, November 2005. Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. A Theory of Secure Control-Flow. International Conference on Formal Engineering Methods, Manchester, UK, November 2005.	Nathalie
Minimizing the Trusted Computing Base
Tue 1/30	Proof-Carrying Code George Necula. Proof-Carrying Code. In Benjamin C. Pierce, ed., Advanced Topics in Types and Programming Languages: Chapter 5, MIT Press, Cambridge, MA, 2005. (available online from UTD computers)	Instructor
Thur 2/1	Proof-Carrying Code George Necula. Proof-Carrying Code. In Proceedings of the 24th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'97), Paris, France, January 1997. See also: George Necula's PCC Page	Srividya
Tue 2/6	Typed Assembly Language Greg Morrsett. Typed Assembly Language. In Benjamin C. Pierce, ed., Advanced Topics in Types and Programming Languages: Chapters 4.1-4.5, MIT Press, Cambridge, MA, 2005. (available online from UTD computers)	Instructor
Thur 2/8	Dependently Typed Assembly Language David Aspinall and Martin Hofmann. Dependent Types. In Benjamin C. Pierce, ed., Advanced Topics in Types and Programming Languages: Chapter 2.1, pp. 45-47 (up to exercise 2.1.1), MIT Press, Cambridge, MA, 2005. (available online from UTD computers) Hongwei Xi and Robert Harper. A Dependently Typed Assembly Language. In Proceedings of the International Conference on Functional Programming (ICFP'01), Florence, Italy, September 2001.	Ryan
Tue 2/13	Foundational Proof-Carrying Code Andrew W. Appel. Foundational Proof-Carrying Code. In Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science (LICS'01), Boston, MA, June 2001.	Instructor
Thur 2/15	Combining TAL and PCC Nadeem A. Hamid, Zhong Shao, Valery Trifonov, Stefan Monnier, and Zhaozhong Ni. A Syntactic Approach to Foundational Proof-Carrying Code. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science (LICS'02), Copenhagen, Denmark, July 2002.	Jungin
Securing Legacy Code
Tue 2/20	Cyclone: A TAL-Targeting, C-like Language Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang. Cyclone: A Safe Dialect of C. In Proceedings of the USENIX Annual Technical Conference, Monterey, CA, June 2002. Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. Experience with Safe Manual Memory-management in Cyclone. In Proceedings of the 4th International Symposium on Memory Management, Vancouver, BC, 2004.	Ryan
Thur 2/22	CCured: A PCC-Targeting, C-like Language George C. Necula, Scott McPeak, Westley Weimer. CCured: Type-Safe Retrofitting of Legacy Code. In Proceedings of the 29th ACM Symposium on Principles of Programming Languages (POPL'02). Portland, OR, 2002. Jeremy Condit, Matthew Harren, Scott McPeak, George C. Necula, Westley Weimer. CCured in the Real World. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI'03), San Diego, CA, June 2003.	Srividya
In-lined Reference Monitors
Tue 2/27	In-lined Reference Monitoring Úlfar Erlingsson and Fred B. Schneider. SASI Enforcement of Security Policies: A Retrospective. In Proceedings of the New Security Paradigms Workshop, Caledon Hills, ON, September 1999. Úlfar Erlingsson and Fred B. Schneider. IRM Enforcement of Java Stack Inspection. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2000.	Sandeep
Thur 3/1	Certified In-lined Reference Monitoring Kevin W. Hamlen, Greg Morrisett, and Fred B. Schneider. Certified In-lined Reference Monitoring on .NET. In Proceedings of the ACM Workshop on Programming Languages and Analysis for Security, Ottawa, ON, June 2006. Kevin W. Hamlen. Security Policy Enforcement by Automated Program-rewriting: Chapter 3. PhD Thesis, Cornell University, August 2006.	Instructor
Tue 3/6	Spring Break	N/A
Thur 3/8	Spring Break	N/A
Tue 3/13	Composable Policies Lujo Bauer, Jay Ligatti, and David Walker. Composing Security Policies with Polymer. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI'05), June 2005. Lujo Bauer, Jarred Ligatti, and David Walker. Types and Effects for Non-interfering Program Monitors. In Software Security—Theories and Systems. Mext-NSF-JSPS International Symposium, Lecture Notes in Computer Science, Vol. 2609, Tokyo, Japan, November 2002.	Ajay
Thur 3/15	Computational Theory of In-lined Reference Monitors Fred B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 3(1):30-50, February 2000. Kevin W. Hamlen, Greg Morrisett, and Fred B. Schneider. Computability Classes for Enforcement Mechanisms. ACM Transactions on Programming Languages and Systems, 28(1):175-205, January 2006.	Instructor
Information Flow
Tue 3/20	Overview of Language-based Information Flow Andrei Sabelfeld and Andrew C. Myers. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communications, 21(1):5-19, January 2003. Lantian Zheng and Andrew C. Myers. End-to-End Availability Policies and Noninterference. In Proceedings of the 18th IEEE Computer Security Foundations Workshop (CSFW'05), 272-286, June 2005.	Ajay
Thur 3/22	Information Flow for Java Andrew C. Myers. JFlow: Practical Mostly-Static Information Flow Control. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL'99), San Antonio, TX, January 1999. Christian Grothoff, Jens Palsberg, and Jan Vitek. Encapsulating Objects with Confined Types. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA'01), Tampa Bay, FL, October 2001.	Nathalie
Tue 3/27	Distributed Information Flow Lantian Zheng, Stephen Chong, Steve Zdancewic, and Andrew C. Myers. Using Replication and Partitioning to Build Secure Distributed Systems. In Proceedings of the IEEE 2003 Symposium on Security and Privacy, Oakland CA, May 2003. Stephen Chong and Andrew C. Myers. Decentralized Robustness. In Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW'06), July 2006.	Jungin
Obfuscation and Randomization
Thur 3/29	Address Space Randomization The PaX Team. PaX Documentation: Address Space Layout Randomization. http://pax.grsecurity.net/docs/aslr.txt, May 2003. Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. On the Effectiveness of Address-Space Randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, October 2004.	Vishwath
Tue 4/3	Instruction Set Randomization Nora Sovarel, David Evans, and Nathanael Paul. Where's the FEEB? The Effectiveness of Instruction Set Randomization. In Proceedings of the 14th USENIX Security Symposium, Baltimore MD, August 2005.	Vishwath
Thur 4/5	Obfuscation and Type Systems Fred B. Schneider and Riccardo Pucella. Independence from Obfuscation: A Semantic Framework for Diversity. In Proceedings of the 19th IEEE Computer Security Foundations Workshops, Venice, Italy, July 2006.	Mohammad
Wrap-up and Conclusions
Tue 4/10	Course Evaluations Course summary, Q&A, Extended discussion	Instructor
Thur 4/12	Guest speaker: Dr. Gopal Gupta Buffer overflow protection research at UTD	Dr. Gupta
Tue 4/17	Project Presentations Slot 1: Mohammad Slot 2: Ryan Slot 3: Jungin	Various
Thur 4/19	Project Presentations Slot 4: Vishwath Slot 5: Ajay & Srividya Slot 6: Sandeep	Various

Announcement

The HARD deadline for final projects is Monday, April 30th, 5:00pm. I will base your project grades on whatever I have from you at that point. Students are therefore strongly encouraged to submit their projects before the hard deadline (preferably during the last week of April) to allow for submission errors. For example, if I discover before the deadline that I can't open your .zip file or something won't compile, I will email you to let you know and you can submit a correction. I will grade projects in the order that I receive them, so the earlier you submit, the more flexibility you will have. When submitting, you should email me the following:

a 5-10 page write-up,
source code (and binary code if necessary), and
clear instructions on how I can compile and execute your code to duplicate any results reported in your write-up.

UTD's email system bounces email messages containing .zip, .exe, .bat, and lots of other files with known extensions. (Optional homework: Explain why this is an extremely ineffective method of protecting a system against malicious mobile code!) To bypass this restriction, I recommend renaming your file extensions to .xxx before attaching them. Tell me in the body of your email what the "real" extensions should be so I can rename them after downloading.