The Principle of Least Privilege suggests that software should be executed with no more authority than it requires to accomplish its task. Current security tools make it difficult to apply this principle: they either require significant modifications to applications or do not facilitate reasoning about combining untrustworthy components.� In this talk, I present Shill, a secure shell scripting language. Shill scripts enable compositional reasoning about security through contracts that limit the effects of script execution, including the effects of programs invoked by the script. Shill contracts are declarative security policies that act as documentation for consumers of Shill scripts, and are enforced through a combination of language design and sandboxing.� We have implemented a prototype of Shill for FreeBSD and used it for several case studies including a grading script and a script to download, compile, and install software. Our experience indicates that Shill is a practical and useful system security tool, and can provide fine-grained security guarantees.
{"title":"Language-based capabilities","authors":"Stephen Chong","doi":"10.1145/2687148.2687149","DOIUrl":"https://doi.org/10.1145/2687148.2687149","url":null,"abstract":"The Principle of Least Privilege suggests that software should be executed with no more authority than it requires to accomplish its task. Current security tools make it difficult to apply this principle: they either require significant modifications to applications or do not facilitate reasoning about combining untrustworthy components.\u0000 In this talk, I present Shill, a secure shell scripting language. Shill scripts enable compositional reasoning about security through contracts that limit the effects of script execution, including the effects of programs invoked by the script. Shill contracts are declarative security policies that act as documentation for consumers of Shill scripts, and are enforced through a combination of language design and sandboxing.\u0000 We have implemented a prototype of Shill for FreeBSD and used it for several case studies including a grading script and a script to download, compile, and install software. Our experience indicates that Shill is a practical and useful system security tool, and can provide fine-grained security guarantees.","PeriodicalId":433332,"journal":{"name":"PSP '14","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125195939","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Web applications must ultimately command systems like web browsers and database engines using strings. Strings derived from improperly sanitized user input can as a result be a vector for command injection attacks. In this paper, we introduce regular string types, which classify strings constrained statically to be in a regular language specified by a regular expression. Regular strings support standard string operations like concatenation and substitution, as well as safe coercions, so they can be used to implement, in an essentially conventional manner, the pieces of a web application or framework that handle strings arising from user input. Simple type annotations at function interfaces can be used to statically verify that sanitization has been performed correctly without introducing redundant run-time checks. We specify this type system first as a minimal typed lambda calculus, lambdaRS. To be practical, adopting a specialized type system like this should not require the adoption of a new programming language. Instead, we advocate for extensible type systems: new type system fragments like this should be implemented as libraries atop a mechanism that guarantees that they can be safely composed. We support this with two contributions. First, we specify a translation from lambdaRS to a calculus with only standard strings and regular expressions. Then, taking Python as a language with these constructs, we implement the type system together with the translation as a library using typy, an extensible static type system for Python.
{"title":"Statically typed string sanitation inside a python","authors":"Nathan Fulton, Cyrus Omar, Jonathan Aldrich","doi":"10.1145/2687148.2687152","DOIUrl":"https://doi.org/10.1145/2687148.2687152","url":null,"abstract":"Web applications must ultimately command systems like web browsers and database engines using strings. Strings derived from improperly sanitized user input can as a result be a vector for command injection attacks. In this paper, we introduce regular string types, which classify strings constrained statically to be in a regular language specified by a regular expression. Regular strings support standard string operations like concatenation and substitution, as well as safe coercions, so they can be used to implement, in an essentially conventional manner, the pieces of a web application or framework that handle strings arising from user input. Simple type annotations at function interfaces can be used to statically verify that sanitization has been performed correctly without introducing redundant run-time checks. We specify this type system first as a minimal typed lambda calculus, lambdaRS. To be practical, adopting a specialized type system like this should not require the adoption of a new programming language. Instead, we advocate for extensible type systems: new type system fragments like this should be implemented as libraries atop a mechanism that guarantees that they can be safely composed. We support this with two contributions. First, we specify a translation from lambdaRS to a calculus with only standard strings and regular expressions. Then, taking Python as a language with these constructs, we implement the type system together with the translation as a library using typy, an extensible static type system for Python.","PeriodicalId":433332,"journal":{"name":"PSP '14","volume":"74 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132001578","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Research on differential privacy is generally concerned with examining data sets that are static. Because the data sets do not change, every computation on them produces "one-shot" query results; the results do not change aside from randomness introduced for privacy. There are many circumstances, however, where this model does not apply, or is simply infeasible. Data streams are examples of non-static data sets where results may change as more data is streamed. Theoretical support for differential privacy with data streams has been researched in the form of differentially private streaming algorithms. In this paper, we present a practical framework for which a non-expert can perform differentially private operations on data streams. The system is built as an extension to PINQ (Privacy Integrated Queries), a differentially private programming framework for static data sets. The streaming extension provides a programmatic interface for the different types of streaming differential privacy from the literature so that the privacy trade-offs of each type of algorithm can be understood by a non-expert programmer.
{"title":"Privacy integrated data stream queries","authors":"Lucas Waye","doi":"10.1145/2687148.2687150","DOIUrl":"https://doi.org/10.1145/2687148.2687150","url":null,"abstract":"Research on differential privacy is generally concerned with examining data sets that are static. Because the data sets do not change, every computation on them produces \"one-shot\" query results; the results do not change aside from randomness introduced for privacy. There are many circumstances, however, where this model does not apply, or is simply infeasible. Data streams are examples of non-static data sets where results may change as more data is streamed. Theoretical support for differential privacy with data streams has been researched in the form of differentially private streaming algorithms. In this paper, we present a practical framework for which a non-expert can perform differentially private operations on data streams. The system is built as an extension to PINQ (Privacy Integrated Queries), a differentially private programming framework for static data sets. The streaming extension provides a programmatic interface for the different types of streaming differential privacy from the literature so that the privacy trade-offs of each type of algorithm can be understood by a non-expert programmer.","PeriodicalId":433332,"journal":{"name":"PSP '14","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121816849","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this paper, we introduce a formal framework for ensuring the correctness of security patches. We discuss the issues and provide a sketch of how one could implement a system that proves (in many cases) or provides robust evidence (in other cases) that a security patch fixes a bug, and changes nothing else about the semantics of a program. We make use of an analysis of "bug surfaces" the set of inputs that trigger a bug, to give a type theoretic characterization of the non-buggy surface of a program. We thus give credence to the Langsec notion that security flaws are often about input handling, and show how formal patch and bug analysis can be used to define a more correct input type for a program.
{"title":"Verifying security patches","authors":"J. Gallagher, Robin Gonzalez, M. Locasto","doi":"10.1145/2687148.2687151","DOIUrl":"https://doi.org/10.1145/2687148.2687151","url":null,"abstract":"In this paper, we introduce a formal framework for ensuring the correctness of security patches. We discuss the issues and provide a sketch of how one could implement a system that proves (in many cases) or provides robust evidence (in other cases) that a security patch fixes a bug, and changes nothing else about the semantics of a program. We make use of an analysis of \"bug surfaces\" the set of inputs that trigger a bug, to give a type theoretic characterization of the non-buggy surface of a program. We thus give credence to the Langsec notion that security flaws are often about input handling, and show how formal patch and bug analysis can be used to define a more correct input type for a program.","PeriodicalId":433332,"journal":{"name":"PSP '14","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128086692","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: