Abstract
The last decade has seen computer security rise from a niche field to a household term. Previously, executive level responses to computer security were disbelief and dismissal, while today the responses are questions of budget and risk. Computer security is a complicated issue with many moving parts and it is difficult to present a coherent view of its issues and problems. We believe that computer security issues have their root in programming languages and language runtime decisions. We argue that computer intrusion, malware, and network security issues all fundamentally arise from tradeoffs made in programming language design and the structure of the benign programs that are exploited. We present a case for addressing fundamental computer security problems at this root, by using advancements in programming language technology. We also present a case against relying on advancements in programming language technology, arguing that even when using the most sophisticated programming language technology available today, attacks are still possible, and that the current state of research is insufficient to guarantee security. We also discuss practical issues relating to the implementation of large-scale reforms in software development based on advancements in programming language technology.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Abadi, Martin, Protection in Programming-Language Translations, Lecture Notes in Computer Science Volume 1603, 1999, pp 19–34
Abadi, Martín, et al. “Control-flow integrity.” Proceedings of the 12th ACM conference on Computer and communications security. ACM, 2005.
Benjamin C. Pierce. The SAFE Machine: An Architecture for Pervasive Information Flow, June 2013. Invited talk at Computer Security Foundations Symposium (CSF).
Bhargavan, Karthikeyan, et al. “Proving the TLS Handshake Secure (as it is).” IACR Cryptology ePrint Archive 2014 (2014): 182.
Bittau, Andrea, et al. “Hacking blind.” Proceedings of the 35th IEEE Symposium on Security and Privacy. 2014.
Fournet, Cedric; Swamy, Nikhil; Chen, Juan; Dagand, Pierre-Evariste; Strub, Pierre-Yves; Livshits, Benjamin, Fully Abstract Compilation to JavaScript, POPL 2013
Göktas, Enes, et al. “Out of control: Overcoming control-flow integrity.” IEEE S&P. 2014.
Guido, Dan “A Case Study of Intelligence-Driven Defense” IEEE Security & Privacy November/December 2011, p 67–70
Guido, Dan Elderwood and the Department of Labor Hack, May 13, 2013http://blog.trailofbits.com/2013/05/13/elderwood-and-the-department-of-labor-hack/
Hutchins, Eric M, Cloppert, Michael J, Amin, Rohan M “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin Technical Report. 2011http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Jackson, Todd, et al. “Compiler-generated software diversity.” Moving Target Defense. Springer New York, 2011. 77–98.
Klein, Gerwin, et al. “seL4: Formal verification of an OS kernel.” Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. ACM, 2009.
Mashable, April 9, 2014http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
McGraw, Gary; Felten, Edward Understanding the keys to Java security—the sandbox and authentication, JavaWorld May 1, 1997http://www.javaworld.com/article/2076945/java-security/understanding-the-keys-to-java-security—the-sandbox-and-authentication.html
Nagarakatte, Santosh, Milo MK Martin, and Steve Zdancewic. “WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking.” Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization. ACM, 2014
Nagaraju, Swamy Shivaganga and Craioveanu, Cristian and Florio, Elia and Miller, Matt, Software Vulnerability Exploitation Trends, Microsoft, 2013
Oh Jeong Wook Recent Java exploitation trends and malware, Black Hat USA 2012https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf
Peter Bright, N.D. ArsTechnicahttp://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/. Accessed 15 Feb 2011
RSA FraudAction Research Labshttps://blogs.rsa.com/anatomy-of-an-attack. Accessed 01 April 2011
Yang, Xuejun; Chen, Yang; Edie, Eric; Regehr, John, Finding and Understanding Bugs in C Compilers, PLDI 2011http://www.cs.utah.edu/~regehr/papers/pldi11-preprint.pdf
Yang, Jean, Kuat Yessenov, and Armando Solar-Lezama. “A language for automatically enforcing privacy policies.” ACM SIGPLAN Notices. Vol. 47. No. 1. ACM, 2012.
Zamyatin, Igor, Intel® Memory Protection Extensions (Intel® MPX) support in the GNU toolchain, Intel July 22, 2013https://software.intel.com/en-us/blogs/2013/07/22/intel-memory-protection-extensions-intel-mpx-support-in-the-gnu-toolchain
Zhang, Chao, et al. “Practical control flow integrity and randomization for binary executables.” Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Ruef, A., Rohlf, C. (2015). Programming Language Theoretic Security in the Real World: A Mirage or the Future?. In: Jajodia, S., Shakarian, P., Subrahmanian, V., Swarup, V., Wang, C. (eds) Cyber Warfare. Advances in Information Security, vol 56. Springer, Cham. https://doi.org/10.1007/978-3-319-14039-1_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-14039-1_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-14038-4
Online ISBN: 978-3-319-14039-1
eBook Packages: Computer ScienceComputer Science (R0)