Browser Security Guarantees through Formal Shim Verification
|
|
- Delilah Melina Bennett
- 5 years ago
- Views:
Transcription
1 Browser Security Guarantees through Formal Shim Verification Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego
2 Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable: Pwn2Own, just a click to exploit Reactive Defenses: many ad hoc, bug triage, regressions
3 Fully Formal Verification Code in language that eases reasoning Develop correctness proof in synch Fully formal, machine checkable proof
4 Fully Formal Verification Success story: CompCert C compiler Compiler Bugs Found GCC 122 LLVM 181 CompCert 0 [Yang et al. PLDI 11] OS (sel4), RDBMS & HTTPD (YNot) realistic implementations guaranteed bug free
5 Fully Formal Verification Success story: CompCert C compiler The Catch Compiler Bugs Found Throw away all your code GCC 100 Rewrite in unfamiliar language LLVM 150 Formally CompCert specify correctness 0? Prove every detail correct OS (sel4), Heroic DB, effort HTTPD (YNot) [Yang et al. PLDI 11] realistic implementations guaranteed bug free
6 Formally Verify a Browser?! Resources Complex parts Subtle interactions JPEG Decoder HTML Renderer Loose access policy JavaScript Interpreter Constant evolution
7 Formally Verify Shim a Browser?! Verification Resources Shim Isolate sandbox untrusted code JPEG Decoder JavaScript Interpreter HTML Renderer Insert shim guards resource access Verify shim prove security props
8 Formally Verify Shim a Browser?! Verification Resources QUARK Shim formally verified browser Security Props 1. Tab isolation JPEG Decoder HTML Renderer 2. Cookie integrity 3. Addr bar correctness JavaScript Interpreter Prove code correct machine checkable proof
9 Fully Formal Verification
10 Fully Formal Verification Code in language supporting reasoning
11 Fully Formal Verification Code Spec logical properties characterizing correctness
12 Fully Formal Verification Code Coq Theorem Prover Proof Assistant Spec
13 Fully Formal Verification Code Coq Theorem Prover Proof Assistant Spec interactively show code satisfies specification
14 Fully Formal Verification Code Proof Assistant ML x86 Spec compile down to machine code
15 Fully Formal Verification Code Proof Assistant ML x86 Spec Extremely strong guarantees about actual system!
16 Fully Formal Verification Code Rewrite entire system! Proof Assistant ML x86 Spec
17 Fully Formal Verification Code Rewrite entire system! Proof Assistant ML x86 Spec Prove every detail correct
18 Formal Shim Verification Resources Shim JPEG Decoder HTML Renderer JavaScript Interpreter
19 Formal Shim Verification Resources Adapt to sandbox request access via shim Shim Write shim design effective interface Sandbox.. Untrusted Code Formally verify shim ensure accesses secure
20 Formal Shim Verification Resources Key Insight Adapt to sandbox request access via shim Guarantee sec props Write for entire shimsystem Shim Only reason about small shim design effective interface Sandbox.. Radically ease verification burden Untrusted Prove actual code correct Code Formally verify shim ensure accesses secure
21 Quark: Verified Browser Resources Shim Sandbox.. Untrusted Code
22 Quark: Verified Browser Resources Shim Sandbox.. Untrusted Code
23 Quark: Verified Browser Resources Net network Shim persistent storage user interface Sandbox.. Untrusted Code
24 Quark: Verified Browser Net Resources Shim Sandbox.. Untrusted Code
25 Quark: Verified Browser Resources Net Shim Quark Kernel Quark browser kernel code, spec, proof in Coq Sandbox.. Untrusted Code
26 Quark: Verified Browser Resources Net Shim Quark Kernel Sandbox.. Untrusted Code
27 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code browser components Sandbox.. Untrusted Code run as separate procs strictly sandboxed
28 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code browser components Sandbox.. Untrusted Code run as separate procs strictly sandboxed talk to kernel over pipe
29 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types Sandbox.. Untrusted Code
30 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit Tab modified WebKit, intercept accesses
31 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit Tab
32 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit Tab Cookie Manager written in Python, manages single domain
33 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit tabs WebKit Tab Cookie Manager cookie managers
34 Quark: Verified Browser Resources Net Quark Kernel Shim Untrusted Code two component types WebKit tabs WebKit WebKit WebKit Tab Tab Tab Cookie Cookie Manager cookie managers several instances each
35 Quark: Verified Browser Net Quark Kernel WebKit WebKit WebKit Tab Tab Tab Cookie Cookie Manager
36 Quark Kernel: Code, Spec, Proof Quark Kernel
37 Quark Kernel: Code, Spec, Proof
38 Quark Kernel: Code, Spec, Proof Definition kstep...
39 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) :=... kernel state
40 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs);... Unix-style select to find a component pipe ready to read
41 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => case: f is user input... Tab t => case: f is tab pipe...
42 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin);... read command from user over stdin Tab t =>...
43 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab =>... user wants to create... Tab t =>... and focus a new tab
44 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); Tab t =>... create a new tab
45 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); tell new tab to Tab t => render itself...
46 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs)... Tab t => return updated state...
47 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs)... handle other Tab t =>... user commands
48 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) handle requests... from tabs Tab t =>...
49 Quark Kernel: Code, Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with Stdin => cmd <- read_cmd(stdin); match cmd with AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs)... Tab t =>...
50 Quark Kernel: Code, Spec, Proof
51 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs read(), write(), open(), write(),...
52 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs trace: all syscalls made by Quark kernel during execution
53 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs kstep() kstep() kstep() kstep()
54 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof
55 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness
56 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain,... for any trace, tab, and domain where trace is a sequence of syscalls
57 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\... if Quark could have produced this trace
58 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\ tab = cur_tab(trace) /\... and tab is the selected tab in this trace
59 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, and domain displayed in address bar for this trace quark_produced(trace) /\ tab = cur_tab(trace) /\ domain = addr_bar(trace) ->...
60 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\ tab = cur_tab(trace) /\ domain = addr_bar(trace) -> domain = tab_domain(tab) then domain is the domain of the focused tab
61 Quark Kernel: Code, Spec, Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, quark_produced(trace) /\ tab = cur_tab(trace) /\ domain = addr_bar(trace) -> domain = tab_domain(tab)
62 Quark Kernel: Code, Spec, Proof Formal Security Properties Tab Non-Interference no tab affects kernel interaction with another tab Cookie Confidentiality and Integrity cookies only accessed by tabs of same domain Address Bar Integrity and Correctness address bar accurate, only modified by user action
63 Quark Kernel: Code, Spec, Proof
64 Quark Kernel: Code, Spec, Proof Prove kernel code satisfies sec props by induction on traces Quark can produce
65 Quark Kernel: Code, Spec, Proof Prove kernel code satisfies sec props by induction on traces Quark can produce induction hypothesis: trace valid up to this point
66 Quark Kernel: Code, Spec, Proof Prove kernel code satisfies sec props by induction on traces Quark can produce +? induction hypothesis: trace valid up to this point proof obligation: still valid after step?
67 Quark Kernel: Code, Spec, Proof +? induction hypothesis: trace valid up to this point proof obligation: still valid after step? Proceed by case analysis on kstep() what syscalls can be appended to trace? will they still satisfy all security properties? prove each case using interactive proof assistant
68 Quark Kernel: Code, Spec, Proof Key Insight Guarantee sec props for browser Use state-of-the-art components Only prove simple browser kernel
69 Usability Demo Video
70 Trusted Computing Base Infrastructure we assume correct any bugs here can invalidate our formal guarantees Fundamental Statement of security properties Coq (soundness, proof checker) Eventually Verified [active research] OCaml [VeriML] Tab Sandbox [RockSalt] Operating System [sel4]...
71 Security Analysis Formally prove important sec props WebKit defenses remain in effect Other desirable security policies
72 Future Work Filesystem access, sound, history could be implemented w/out major redesign Finer grained resource accesses support mashups and plugins Liveness properties formally prove that kernel never blocks
73 Conclusion Formal Shim Verification Guarantee sec props for entire system Only reason about small shim Radically ease verification burden Quark: Verified Browser Guarantee sec props for browser Only prove simple browser kernel Use state-of-the-art components
Verdi: A Framework for Implementing and Formally Verifying Distributed Systems
Verdi: A Framework for Implementing and Formally Verifying Distributed Systems Key-value store VST James R. Wilcox, Doug Woos, Pavel Panchekha, Zach Tatlock, Xi Wang, Michael D. Ernst, Thomas Anderson
More informationFunctional Programming in Coq. Nate Foster Spring 2018
Functional Programming in Coq Nate Foster Spring 2018 Review Previously in 3110: Functional programming Modular programming Data structures Interpreters Next unit of course: formal methods Today: Proof
More informationTurning proof assistants into programming assistants
Turning proof assistants into programming assistants ST Winter Meeting, 3 Feb 2015 Magnus Myréen Why? Why combine proof- and programming assistants? Why proofs? Testing cannot show absence of bugs. Some
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
More informationAdam Chlipala University of California, Berkeley ICFP 2006
Modular Development of Certified Program Verifiers with a Proof Assistant Adam Chlipala University of California, Berkeley ICFP 2006 1 Who Watches the Watcher? Program Verifier Might want to ensure: Memory
More informationFormal verification of an optimizing compiler
Formal verification of an optimizing compiler Xavier Leroy INRIA Rocquencourt RTA 2007 X. Leroy (INRIA) Formal compiler verification RTA 2007 1 / 58 The compilation process General definition: any automatic
More informationReusable Tools for Formal Modeling of Machine Code
Reusable Tools for Formal Modeling of Machine Code Gang Tan (Lehigh University) Greg Morrisett (Harvard University) Other contributors: Joe Tassarotti Edward Gan Jean-Baptiste Tristan (Oracle Labs) @ PiP;
More informationGraphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij
Graphene-SGX A Practical Library OS for Unmodified Applications on SGX Chia-Che Tsai Donald E. Porter Mona Vij Intel SGX: Trusted Execution on Untrusted Hosts Processing Sensitive Data (Ex: Medical Records)
More informationSandboxing untrusted code: policies and mechanisms
Sandboxing untrusted code: policies and mechanisms Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2011 1 Overview Introduction Java and.net Sandboxing Runtime monitoring Information Flow Control
More informationStatic and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012
Static and User-Extensible Proof Checking Antonis Stampoulis Zhong Shao Yale University POPL 2012 Proof assistants are becoming popular in our community CompCert [Leroy et al.] sel4 [Klein et al.] Four-color
More informationFormal methods for software security
Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality
More informationMechanized Operational Semantics
Mechanized Operational Semantics J Strother Moore Department of Computer Sciences University of Texas at Austin Marktoberdorf Summer School 2008 (Lecture 3: Direct Proofs) 1 Fact 1 Given an operational
More informationBlockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation
Blockchains: new home for proven-correct software Paris, 2017-2-17 Yoichi Hirai formal verification engineer, the Ethereum Foundation Lyon: 2014 January Have you heard of a web site where you can get Bitcoin
More informationAutomated verification of termination certificates
Automated verification of termination certificates Frédéric Blanqui and Kim Quyen Ly Frédéric Blanqui and Kim Quyen Ly Automated verification of termination certificates 1 / 22 Outline 1 Software certification
More informationFormal Methods for Aviation Software Design and Certification
Formal Methods for Aviation Software Design and Certification PART II: Formal Methods Gordon Stewart COUNT Short Course Series May 24-26 RUSS COLLEGE OF ENGINEERING AND TECHNOLOGY DO- 333: What Are Formal
More informationSafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin
SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin in NDSS, 2014 Alexander Hefele Fakultät für Informatik Technische Universität
More informationLanguage Techniques for Provably Safe Mobile Code
Language Techniques for Provably Safe Mobile Code Frank Pfenning Carnegie Mellon University Distinguished Lecture Series Computing and Information Sciences Kansas State University October 27, 2000 Acknowledgments:
More informationProvably Correct Software
Provably Correct Software Max Schäfer Institute of Information Science/Academia Sinica September 17, 2007 1 / 48 The Need for Provably Correct Software BUT bugs are annoying, embarrassing, and cost gazillions
More informationHow much is a mechanized proof worth, certification-wise?
How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt PiP 2014: Principles in Practice In this talk... Some feedback from the aircraft industry concerning the
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationTranslation Validation for a Verified OS Kernel
To appear in PLDI 13 Translation Validation for a Verified OS Kernel Thomas Sewell 1, Magnus Myreen 2, Gerwin Klein 1 1 NICTA, Australia 2 University of Cambridge, UK L4.verified sel4 = a formally verified
More informationAssuring Software Protection in Virtual Machines
Assuring Software Protection in Virtual Machines Andrew W. Appel Princeton University 1 Software system built from components Less-trusted components More-trusted components (non-core functions) INTERFACE
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationFormal verification of program obfuscations
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler
More informationFormal proofs of code generation and verification tools
Formal proofs of code generation and verification tools Xavier Leroy To cite this version: Xavier Leroy. Formal proofs of code generation and verification tools. Dimitra Giannakopoulou and Gwen Salaün.
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationFormal Verification. Lecture 10
Formal Verification Lecture 10 Formal Verification Formal verification relies on Descriptions of the properties or requirements of interest Descriptions of systems to be analyzed, and rely on underlying
More informationProgramming Languages
: Winter 2010 Principles of Programming Languages Lecture 1: Welcome, etc. Ranjit Jhala UC San Diego Computation & Interaction Precisely expressed by PL Dependence means need for analysis Safety Security
More informationA Certified Implementation of a Distributed Security Logic
A Certified Implementation of a Distributed Security Logic Nathan Whitehead University of California, Santa Cruz nwhitehe@cs.ucsc.edu based on joint work with Martín Abadi University of California, Santa
More informationIntrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq
Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq Akira Tanaka National Institute of Advanced Industrial Science and Technology (AIST) 2018-11-21
More informationDesigning Systems for Push-Button Verification
Designing Systems for Push-Button Verification Luke Nelson, Helgi Sigurbjarnarson, Xi Wang Joint work with James Bornholt, Dylan Johnson, Arvind Krishnamurthy, EminaTorlak, Kaiyuan Zhang Formal verification
More informationEfficient Software Based Fault Isolation. Software Extensibility
Efficient Software Based Fault Isolation Robert Wahbe, Steven Lucco Thomas E. Anderson, Susan L. Graham Software Extensibility Operating Systems Kernel modules Device drivers Unix vnodes Application Software
More informationA Formally-Verified C static analyzer
A Formally-Verified C static analyzer David Pichardie joint work with J.-H. Jourdan, V. Laporte, S.Blazy, X. Leroy, presented at POPL 15!! How do you trust your software? bug finders sound verifiers verified
More informationLecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.
Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow
More informationOAuth 2 and Native Apps
OAuth 2 and Native Apps Flows While all OAuth 2 flows can be used by native apps, only the user delegation flows will be considered in this document: Web Server, User-Agent and Device flows. The Web Server
More informationISOLATION DEFENSES GRAD SEC OCT
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationSandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018
Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!
More informationFormal Methods at Scale in Microsoft
Formal Methods at Scale in Microsoft Thomas Ball http://research.microsoft.com/rise Microsoft Research 4 October 2017 Code Integ. Tests Unit Test Testing-based Development Commit, Build Review Web app
More informationHow Can You Trust Formally Verified Software?
How Can You Trust Formally Verified Software? Alastair Reid Arm Research @alastair_d_reid Formal verification Of libraries and apps Of compilers Of operating systems 2 Fonseca et al., An Empirical Study
More informationImplementing a Verified On-Disk Hash Table
Implementing a Verified On-Disk Hash Table Stephanie Wang Abstract As more and more software is written every day, so too are bugs. Software verification is a way of using formal mathematical methods to
More informationFormally Certified Satisfiability Solving
SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future
More informationMachine-checked proofs of program correctness
Machine-checked proofs of program correctness COS 326 Andrew W. Appel Princeton University slides copyright 2013-2015 David Walker and Andrew W. Appel In this course, you saw how to prove that functional
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationExploring Chrome Internals. Darin Fisher May 28, 2009
Exploring Chrome Internals Darin Fisher May 28, 2009 Simple interface, powerful core Modern browsers resemble the cooperatively multi-tasked operating systems of the past. Guiding sentiment, 2006 Goals
More informationŒuf: Minimizing the Coq Extraction TCB
Œuf: Minimizing the Coq Extraction TCB Eric Mullen University of Washington, USA USA Abstract Zachary Tatlock University of Washington, USA USA Verifying systems by implementing them in the programming
More informationAn Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012
An Extensible Programming Language for Verified Systems Software Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012 The status quo in computer system design DOM JS API Web page Network JS API CPU Timer interrupts
More informationTopic 16: Validation. CITS3403 Agile Web Development. Express, Angular and Node, Chapter 11
Topic 16: Validation CITS3403 Agile Web Development Getting MEAN with Mongo, Express, Angular and Node, Chapter 11 Semester 1, 2018 Verification and Validation Writing a bug free application is critical
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationHow Can You Trust Formally Verified Software?
How Can You Trust Formally Verified Software? Alastair Reid Arm Research @alastair_d_reid Buffer over-read vulnerabilities Use after free s e i t i l i b a r e n l u v r o r r e c Logi Buffer overflow
More informationlogistics CHALLENGE assignment take-home portion of the final next class final exam review
Sandboxing 1 logistics 2 CHALLENGE assignment take-home portion of the final next class final exam review CHALLENGE (1) 3 expect to release before Saturday; due by written final probably complete all but
More informationVerified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology
Guest lecture for Compiler Construction, Spring 2015 Verified compilers Magnus Myréen Chalmers University of Technology Mentions joint work with Ramana Kumar, Michael Norrish, Scott Owens and many more
More informationProgramming and Proving with Distributed Protocols Disel: Distributed Separation Logic.
Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic ` {P } c {Q} http://distributedcomponents.net Ilya Sergey James R. Wilcox Zach Tatlock Distributed Systems Distributed
More informationseccomp-nurse Nicolas Bareil ekoparty 2010 EADS CSC Innovation Works France seccomp-nurse: sandboxing environment
Nicolas Bareil 1/25 seccomp-nurse Nicolas Bareil EADS CSC Innovation Works France ekoparty 2010 Nicolas Bareil 2/25 Sandbox landscape Executive summary New sandboxing environment on Linux Focusing on headless
More informationVirtual machines (e.g., VMware)
Case studies : Introduction to operating systems principles Abstraction Management of shared resources Indirection Concurrency Atomicity Protection Naming Security Reliability Scheduling Fairness Performance
More informationPackaging Theories of Higher Order Logic
Packaging Theories of Higher Order Logic Joe Hurd Galois, Inc. joe@galois.com Theory Engineering Workshop Tuesday 9 February 2010 Joe Hurd Packaging Theories of Higher Order Logic 1 / 26 Talk Plan 1 Introduction
More informationReducing Fair Stuttering Refinement of Transaction Systems
Reducing Fair Stuttering Refinement of Transaction Systems Rob Sumners Advanced Micro Devices robert.sumners@amd.com November 16th, 2015 Rob Sumners (AMD) Transaction Progress Checking November 16th, 2015
More informationDongseok Jang Zachary Tatlock. UC San Diego Washington
Dongseok Jang Zachary Tatlock UC San Diego University of Washington Sorin Lerner UC San Diego e l b a r e n l Vu Control Flow Hijacking Lead Program to Jump to Unexpected Code That does what a7acker wants
More informationWork-in-progress: Verifying the Glasgow Haskell Compiler Core language
Work-in-progress: Verifying the Glasgow Haskell Compiler Core language Stephanie Weirich Joachim Breitner, Antal Spector-Zabusky, Yao Li, Christine Rizkallah, John Wiegley May 2018 Verified compilers and
More informationAnalysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan
Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan Outline Motivation Hypertext isolation Design challenges Conclusion Quote
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationLecture 11 Lecture 11 Nov 5, 2014
Formal Verification/Methods Lecture 11 Lecture 11 Nov 5, 2014 Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems to be analyzed, and
More informationAn experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley
A Certified TypePreserving Compiler from Lambda Calculus to Assembly Language An experiment with variable binding, denotational semantics, and logical relations in Coq Adam Chlipala University of California,
More informationThe Multi-Principal OS Construction of the Gazelle Web Browser. Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter
The Multi-Principal OS Construction of the Gazelle Web Browser Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter Browser as an application platform Single stop for many
More informationA Coq Framework For Verified Property-Based Testing (part of QuickChick)
A Coq Framework For Verified Property-Based Testing (part of QuickChick) Cătălin Hrițcu INRIA Paris-Rocquencourt (Prosecco team, Place d Italie office) Problem: proving in Coq is very costly My proofs
More informationMatching Logic A New Program Verification Approach
Matching Logic A New Program Verification Approach Grigore Rosu and Andrei Stefanescu University of Illinois at Urbana-Champaign (work started in 2009 with Wolfram Schulte at MSR) Usable Verification Relatively
More informationHigh-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity
Distribution A: SSC17-V-01 High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity Daria C. Lane, Enrique S. Leon, Francisco C. Tacliad, Dexter H. Solio, Ian L. Rodney, Dmitriy
More informationProgramming with dependent types: passing fad or useful tool?
Programming with dependent types: passing fad or useful tool? Xavier Leroy INRIA Paris-Rocquencourt IFIP WG 2.8, 2009-06 X. Leroy (INRIA) Dependently-typed programming 2009-06 1 / 22 Dependent types In
More informationSemantics-Based Program Verifiers for All Languages
Language-independent Semantics-Based Program Verifiers for All Languages Andrei Stefanescu Daejun Park Shijiao Yuwen Yilong Li Grigore Rosu Nov 2, 2016 @ OOPSLA 16 Problems with state-of-the-art verifiers
More informationA Roadmap for High Assurance Cryptography
A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin (Twitter) NEXTLEAP (nextleap.eu) Harry Halpin Prosecco Thanks to Peter Schwabe (Radboud University) Harry.halpin@inria.fr
More informationOMOS: A Framework for Secure Communication in Mashup Applications
: A Framework for in Mashup Applications Saman Zarandioon Danfeng (Daphne) Yao Vinod Ganapathy Department of Computer Science Rutgers University Piscataway, NJ 08854 {samanz,danfeng,vinodg}@cs.rutgers.edu
More informationSpecifying the Ethereum Virtual Machine for Theorem Provers
1/28 Specifying the Ethereum Virtual Machine for Theorem Provers Yoichi Hirai Ethereum Foundation Cambridge, Sep. 13, 2017 (FC 2017 + some updates) 2/28 Outline Problem Motivation EVM as a Machine Wanted
More informationFormal C semantics: CompCert and the C standard
Formal C semantics: CompCert and the C standard Robbert Krebbers 1, Xavier Leroy 2, and Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France Abstract.
More informationSJTU SUMMER 2014 SOFTWARE FOUNDATIONS. Dr. Michael Clarkson
SJTU SUMMER 2014 SOFTWARE FOUNDATIONS Dr. Michael Clarkson e Story Begins Gottlob Frege: a German mathematician who started in geometry but became interested in logic and foundations of arithmetic. 1879:
More informationOutline. software testing: search bugs black-box and white-box testing static and dynamic testing
Outline 1 Verification Techniques software testing: search bugs black-box and white-box testing static and dynamic testing 2 Programming by Contract assert statements in Python using preconditions and
More informationCombining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018
Combining program verification with component-based architectures Alexander Senier BOB 2018 Berlin, February 23rd, 2018 About Componolit 2 What happens when we use what's best? 3 What s Best? Mid-90ies:
More informationCoq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring
Coq LASER 2011 Summerschool Elba Island, Italy Christine Paulin-Mohring http://www.lri.fr/~paulin/laser Université Paris Sud & INRIA Saclay - Île-de-France September 2011 Lecture 4 : Advanced functional
More informationSugar: Secure GPU Acceleration in Web Browsers
Sugar: Secure GPU Acceleration in Web Browsers Zhihao Yao, Zongheng Ma, Yingtong Liu, Ardalan Amiri Sani, Aparna Chandramowlishwaran Trustworthy Systems Lab, UC Irvine 1 WebGL was released in 2011 2 Source:
More informationThe design of a programming language for provably correct programs: success and failure
The design of a programming language for provably correct programs: success and failure Don Sannella Laboratory for Foundations of Computer Science School of Informatics, University of Edinburgh http://homepages.inf.ed.ac.uk/dts
More informationWhy. an intermediate language for deductive program verification
Why an intermediate language for deductive program verification Jean-Christophe Filliâtre CNRS Orsay, France AFM workshop Grenoble, June 27, 2009 Jean-Christophe Filliâtre Why tutorial AFM 09 1 / 56 Motivations
More informationBehavioral Equivalence
Behavioral Equivalence Prof. Clarkson Fall 2016 Today s music: Soul Bossa Nova by Quincy Jones Review Previously in 3110: Functional programming Modular programming & software engineering Interpreters
More informationBehavioral Equivalence
Behavioral Equivalence Prof. Clarkson Fall 2015 Today s music: Soul Bossa Nova by Quincy Jones Review Previously in 3110: Functional programming Modular programming Interpreters Imperative and concurrent
More informationIronclad Apps: End-to-End Security via Automated Full-System Verification. Danfeng Zhang
Ironclad Apps: End-to-End Security via Automated Full-System Verification Chris Hawblitzel Jon Howell Jay Lorch Arjun Narayan Bryan Parno Danfeng Zhang Brian Zill Online and Mobile Security Chase Online,
More informationAN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE
AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers
More informationInduction in Coq. Nate Foster Spring 2018
Induction in Coq Nate Foster Spring 2018 Review Previously in 3110: Functional programming in Coq Logic in Coq Curry-Howard correspondence (proofs are programs) Today: Induction in Coq REVIEW: INDUCTION
More informationExtensible Untrusted Code Verification. Robert Richard Schneck. B.S. (Duke University) 1997
Extensible Untrusted Code Verification by Robert Richard Schneck B.S. (Duke University) 1997 A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy
More informationUnit- and Sequence Test Generation with HOL-TestGen
Unit- and Sequence Test Generation with HOL-TestGen Tests et Methodes Formelles Prof. Burkhart Wolff Univ - Paris-Sud / LRI 16.6.2015 B.Wolff - HOL-TestGen 1 Overview HOL-TestGen and its Business-Case
More informationControl Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University
Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html
More informationDeductive Verification in Frama-C and SPARK2014: Past, Present and Future
Deductive Verification in Frama-C and SPARK2014: Past, Present and Future Claude Marché (Inria & Université Paris-Saclay) OSIS, Frama-C & SPARK day, May 30th, 2017 1 / 31 Outline Why this joint Frama-C
More informationRely-Guarantee References for Refinement Types over Aliased Mutable Data
Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 23 x:ref
More informationAn External Integrity Checker for Increasing Security of Open Source Operating Systems
An External Integrity Checker for Increasing Security of Open Source Operating Systems Hiromasa Shimada, Tsung-Han Lin, Ning Li Distributed and Ubiquitous Computing Lab., Waseda University, Japan Background!
More informationType Theory meets Effects. Greg Morrisett
Type Theory meets Effects Greg Morrisett A Famous Phrase: Well typed programs won t go wrong. 1. Describe abstract machine: M ::= 2. Give transition relation: M 1 M 2
More informationValidating LR(1) parsers
Validating LR(1) parsers Jacques-Henri Jourdan François Pottier Xavier Leroy INRIA Paris-Rocquencourt, projet Gallium Journées LTP/MTVV, 2011-10-28 Parsing: recap text or token stream abstract syntax tree
More informationSECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris
SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 1 SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 5 year vision
More informationA Structural Operational Semantics for JavaScript
Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics
More informationOutline. Analyse et Conception Formelle. Lesson 7. Program verification methods. Disclaimer. The basics. Definition 2 (Specification)
Outline Analyse et Conception Formelle Lesson 7 Program verification methods 1 Testing 2 Model-checking 3 Assisted proof 4 Static Analysis 5 A word about protoypes/models, accuracy, code generation T.
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More information