My dissertation

I finally submitted my dissertation to the UC Irvine library on Friday. After my final defense, this was the last hurdle to jump, and I have now officially completed my doctorate.

Here’s my dissertation. (PDF, 3.5 MB)


To cut a long story short, here is my thesis:

Remote attestation, one of the core mechanisms of Trusted Computing, can be
performed in a way that:

  • reasons expressively about program behavior and dynamic properties
  • enables a flexible, graded notion of trust
  • avoids intractable management problems at both the client and server end
  • does not tie attestation to a specific executable binary

In short, remote attestation can attest program properties, rather than program
binaries. I call this semantic remote attestation.

Developing web mashups with spotty connectivity

One downside of developing on top of Web-based APIs like Yahoo! Maps Web Services
is that your coding pretty much comes to a halt when you don’t have net access.

How about every web service providing a stub proxy server that runs on your local development machine? It doesn’t have to give full or correct results, just spit out some representative result that you can code against.

Talking about semantic remote attestation

Problem with regular remote attestation

I gave a talk on semantic remote attestation in the language-based security seminar class today. Here are the slides for the talk.

There were many questions from the audience.

One of the questions — “Isn’t all this just about DRM?”

Unfortunately, while DRM is one of the possible applications of having a TPM in your machine, that is not the only thing about Trusted Computing. By itself, the TPM is a completely passive device. All it does is measure software, and then reliably and accurately report those measurements. It is policy-neutral. Policy is what is done in higher levels of software, like the OS, or a media player, based on the measurements reported by the TPM.

The central problem, in my opinion, is to have a trusted entity to vouch for software that is outside software, since software cannot vouch for itself.

There was also much discussion about the attack model. The TPM’s attack model only aims to protect against software attacks — with physical attacks all bets are off.

An interesting point, raised by Christian Stork: why can’t I load my own root keys into the TPM (as opposed to the manufacturer-certified keys that are embedded in every TPM), self-certify them, and then use them within my own PGP-like web of trust? Honestly, I don’t know. Maybe because the TPM designers think that web-of-trust models won’t work with the mass-deployment scenario they have in mind.

There was also a lot of discussion about security policies. This is a recurring theme in almost all security research. The techniques are, relatively speaking, easy. The hard part is to specify a policy.

Oh — and going off topic — since I hand-wrote these slides on my Tablet PC, people are always surprised by the novelty of seeing hand-written slides on a PowerPoint presentation. Like my officemate, Andreas Gal, said: “We started with handwritten transparencies, then PowerPoint decks, and now we’re back to handwriting”. I said, “Yeah — but this time, it’s been done right!”

Talk on web application security

First slide of the talk

I’m going to give a talk about web application security in a seminar class held by my advisor Prof. Michael Franz later this afternoon. This blog post is supposed to be the accompanying “see here for more” link for the talk. Here are a few resources and pointers to go look at if you want to dive deeper into some of the topics I’m going to talk about.

The OWASP page is a great resource for web app security in general. It’s the home of the top ten web vulnerabilities, as well as WebGoat and WebScarab.

I maintain a list of research papers on the topic of web application security, with a strong tilt towards beating command injection attacks. There’s also a related doodle of the various proposed solutions. This area has gotten a lot of attention from CS researchers lately.

Here at UCIrvine, we’ve done some work on hardening the JVM against attacks on web applications. I presented a paper on this at the last ACSAC. Here’s the paper (Taint Propagation for Java - PDF), and here are the slides for that talk (PDF).

Finally, here are the slides of the talk. (PDF)

Links — a programming language for the web.

Philip Wadler’s blog.

Research on Web Application Security

This is my list of research in web application security. It is incomplete and ever-growing. Send me mail if you think something should be added here.

Web Application Security Research
| Paper | Authors | Language/platform | Links |
|---|---|---|---|
| Finding Security Vulnerabilities in Java Applications with Static Analysis, USENIX Security 2005. | Benjamin Livshits and Monica S. Lam | Java Virtual Machine | |
| Finding Application Errors and Security Flaws Using PQL: a Program Query Language, OOPSLA 2005. | Michael Martin, Benjamin Livshits, and Monica S. Lam | Java Virtual Machine | |
| WebSSARI — Web application Security via Static Analysis and Runtime Inspection | Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo | PHP | WWW ‘04 paper |
| AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, ASE 2005. | W. Halfond and A. Orso | Java Virtual Machine | |
| The Essence of Command Injection Attacks in Web Applications, POPL 2006. | Zhendong Su and Gary Wassermann | Language agnostic, but evaluated with JSP and PHP. | |
| Static analysis of role-based access control in J2EE applications, TAVWEB 2004 | Gleb Naumovich and Paolina Centonze | Java Virtual Machine | |
| Automatically Hardening Web Applications using Precise Tainting. | Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Green, Jeffrey Shirley, David Evans. | PHP | |
| How safe is it out there? | Moran Surf and Amichai Shulman. | Study of web app security | |
| OWASP Top Ten Vulnerabilities in Web Applications | Open Web Application Security Project | | |
| Java String Analyzer | Aske Simon Christensen, Anders Møller and Michael I. Schwartzbach | | SAS’03 paper |
| Static Detection of Security Vulnerabilities in Scripting Languages | Yichen Xie and Alex Aiken | PHP | |
| A Learning-Based Approach to the Detection of SQL Attacks | F. Valeur, D. Mutz, and G. Vigna. | Language-agnostic — works at DB level. | In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005. |
| Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks | W. Robertson, G. Vigna, C. Kruegel, R. Kemmerer. | Language-agnostic — works at DB level. | In the Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS) |
| Defending against Injection Attacks through Context-Sensitive String Evaluation | Tadeusz Pietraszek, Chris Vanden Berghe | At the VM level (PHP and JVM) | Project webpage |
| Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. | James Newsome and Dawn Song. | x86 ISA | In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS ’05), February 2005. |
| Taint Propagation for Java, ACSAC 2005. | Vivek Haldar, Deepak Chandra and Michael Franz | Java Virtual Machine | Slides of talk |

Demo of our taint propagation scheme.

Talking about taint propagation for Java at ACSAC

I presented our paper on taint propagation for Java at ACSAC this past week. My co-authors were fellow grad student Deepak Chandra and our advisor Prof. Michael Franz.

The questions and feedback I got sometimes caught me unawares and made me think about things I hadn’t considered so far. Many thanks to Scott Stoller, David A. Wheeler and Dave Wichers for their questions and comments. And, of course, to the anonymous reviewers too, of which there were no less than four.

Quick summary: our goal is to combat vulnerabilities in web applications arising from improperly validated input. This, by the way, is the largest single source of security holes in web applications.

We have built a runtime mechanism for the Java virtual machine that marks untrusted input as “tainted” and, until it is cleaned by some validation routine, prohibits its use in security sensitive methods, such as those for executing SQL queries. This is very much like the taint mode in Perl, and in fact, that was the original inspiration for our work (though we came at it from a totally different perspective—see this paper for background). But our technique is more flexible because the sources of tainted data and the methods where tainted data must not be used (sinks) are not hard-coded into the interpreter (like Perl), but are independently specified.
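The mechanism described above, as an added illustration in Python rather than code from the paper: the real scheme works inside the JVM, whereas this user-level version uses a str subclass so the taint mark survives concatenation, and reads sources, sanitizers and sinks from a separate policy. Tainted, apply_policy, POLICY, APP and the three application functions are hypothetical names constructed for the example.

```python
import re

class TaintError(Exception):
    """Tainted data reached a security-sensitive sink."""

class Tainted(str):
    """str with a taint mark that survives concatenation (format/join/slicing omitted)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

def apply_policy(ns, policy):
    """Wrap the functions the policy names; the application code stays unchanged."""
    def wrap(name, before=lambda *a: None, after=lambda r: r):
        fn = ns[name]
        def wrapper(*args, **kwargs):
            before(name, args, kwargs)
            return after(fn(*args, **kwargs))
        ns[name] = wrapper
    def reject_tainted(name, args, kwargs):
        if any(isinstance(a, Tainted) for a in (*args, *kwargs.values())):
            raise TaintError(f"tainted argument passed to sink {name}()")
    for name in policy["sources"]:
        wrap(name, after=Tainted)          # everything a source returns is marked
    for name in policy["sanitizers"]:
        wrap(name, after=str)              # a validated value becomes a plain str
    for name in policy["sinks"]:
        wrap(name, before=reject_tainted)  # sinks refuse marked arguments

# Constructed application code, written with no knowledge of tainting.
def get_parameter(request, name):
    return request[name]
def validate_username(value):
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", value):
        raise ValueError("invalid username")
    return value
def execute_query(sql):
    return "executed: " + sql              # stand-in for a real database call

# The policy is data, kept apart from both the tracker and the application.
POLICY = {"sources": ["get_parameter"], "sanitizers": ["validate_username"], "sinks": ["execute_query"]}
APP = {f.__name__: f for f in (get_parameter, validate_username, execute_query)}
apply_policy(APP, POLICY)

def lookup(request, validate):
    user = APP["get_parameter"](request, "user")
    user = APP["validate_username"](user) if validate else user
    return APP["execute_query"]("SELECT * FROM users WHERE name = '" + user + "'")
```

Calling lookup with validate=False raises TaintError before the query runs, because the mark on the request parameter propagated through both concatenations into the SQL string.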

This is a problem that is the target of much research right now. Proposed solutions include purely static analysis techniques, purely runtime techniques (like ours) and everything in between, each with its own unique trade-offs.

The paper:

Taint Propagation for Java
by Vivek Haldar, Deepak Chandra and Michael Franz

Slides from the talk I gave.

Smalltalk blog