Skip to main content
Springer Nature Link
Log in

Safe Code – It’s Not Just for Applets Anymore

  • Conference paper
Modular Programming Languages (JMLC 2003)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2789))

Included in the following conference series:

Abstract

Despite numerous “trusted systems” initiatives, current systems software continues to be riddled with errors. The recent “Slammer Worm” incident shows that an adversary exploiting just one such error (a “buffer overrun”) can cause tens of thousands of hosts to fail around the world in just minutes. Even more suprisingly, for this particular vulnerability there had been a patch available more than six months earlier, and yet even many of the OS manufacturer’s (Microsoft’s) own computers succumbed to the attack.

Two facts are becoming increasingly evident: First, operating systems (and increasingly also application programs) are becoming so large and evolving so quickly that it is getting prohibitively expensive to manually inspect every line of code for the absence of errors. Second, the current approach of “patching” errors as they are discovered is failing us – on one hand, we now have attacks that can spread worldwide in minutes. On the other hand, if not even Microsoft can keep its own computers current, then how can one expect that other organizations will apply all patches immediately as they are released, and in the correct order?

While the situation looks dire in the short term, there is encouraging news for the longer term: Recent research results from the mobile-code community indicate that the underlying problem can be solved in a fundamental manner, using type-safe programming languages in conjunction with code verification techniques. In many mobile-code systems, incoming programs from untrusted hosts are verified prior to execution. Verification means that the code itself is automatically examined before it is executed – this is very different from (cryptographic) code signing, in which only the transport envelope of the code is checked and the code is trusted blindly if the check succeeds.

We envision a future in which even the operating system is verified prior to every execution and have begun implementing such a solution as a proof of concept. The only thing that needs to be trusted in our architecture is a minimal safe-code platform core (encompassing a verifier and a small dynamic code generator), small enough to be manually audited using techniques appropriate for mission-critical software, such as fly-by-wire control systems. The core is sealed along with the processing unit into a tamper-proof hardware implement. Everything above this layer is verified, i.e., even the code in the root directory of the local hard drive need no longer be trusted.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Austin, T.M., Breach, S.E., Sohi, G.S.: Efficient Detection of All Pointer and Array Access Errors. In: Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation (PLDI), Orlando, Florida, June 20–24. SIGPLAN Notices, vol. 29(6) (1994)

    Google Scholar 

  2. Amme, W., Dalton, N., Frohlich, P.H., Haldar, V., Hous el, P.S., von Ronn, J., Stork, C.H., Zhenochin, S., Franz, M.: Project transPROse: Reconciling Mobile-Code Security with Execution Efficiency. In: DARPA Information Survivability Conference and Exposition (June 2001)

    Google Scholar 

  3. Amme, W., Dalton, N., von Ronne, J., Franz, M.: SafeTSA: A type safe and referentially secure mobile-code representation based on sta tic single assignment form. In: Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation, May 2001. SIGPLAN Notices, vol. 36(5), pp. 137–147 (May 2001)

    Google Scholar 

  4. Defense Advanced Research Project Agency. Program Composition of Embedded Systems (PCES), SOL BAA 02-25 (2002), http://www.darpa.mil/baa/baa02-25.htm

  5. BSD. Trusted BSD Project, http://www.trustedbsd.org/

  6. CERT Advisories (2001), http://www.cert.org/advisories

  7. Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., Hinton, H.: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In: Proceedings of the 7th USENIX Security Conference, San Antonio, Texas, January 1998, pp. 63–78 (1998)

    Google Scholar 

  8. Debian. Trusted Debian Project, http://www.trusteddebian.org/

  9. DeLine, R., Fähndrich, M.: Enforcing High-Level Protocols in Low-Level Software. In: Proceedings of the ACMSIGPLAN 2001 Conference on Programming Language Design and Implementation PLD 2001, May 2001. SIGPLAN Notices, vol. 36(5), pp. 59–69 (2001)

    Google Scholar 

  10. Engler, D., Chelf, B., Chou, A., Hallem, S.: Checking system rules using system-specific, programmer-written compiler extensions. In: Symposium on Operating Systems Design and Implementation (OSDI 2000), San Diego, CA, October 23–25 (2000)

    Google Scholar 

  11. Erlingsson, U., Schneider, F.B.: SASI Enforcement of Security Policies: A Retrospective. In: New Security Paradigms Workshop, Ontario, Canada. ACM SIGSAC, pp. 87–95. ACM Press, New York (1999)

    Google Scholar 

  12. Franz, M., Chandra, D., Gal, A., Haldar, V., Reig, F., Wang, N.: Aportable virtual machine target for proof-carrying code. In: Proceedings of the ACM SIGPLAN 2003 Workshop on Interpreters, Virtual Machines and Emulators (IVME 2003), San Diego, California (June 2003)

    Google Scholar 

  13. Haldar, V., Stork, C.H., Franz, M.: The Source is the Proof. In: New Security Paradigms Workshop (September 2002)

    Google Scholar 

  14. Kozen, D.: Language-Based Security. Mathematical Foundations of Computer Science, 284–298 (1999)

    Google Scholar 

  15. Lindholm, T., Yellin, F.: The JavaVirtual Machine Specification, 2nd edn. The Java Series. Addison Wesley Longman, Inc., Amsterdam (1999)

    Google Scholar 

  16. Morrisett, G., Crary, K., Glew, N., Walker, D.W.: Stack-Based Typed Assembly Language. In: Leroy, X., Ohori, A. (eds.) TIC 1998. LNCS, vol. 1473, pp. 28–52. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  17. Meijer, E., Gough, J.: Technical Overview of the Common Language Runtime (2001), http://research.microsoft.com/~emeijer/papers/clr.pdf

  18. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: The Spread of the Sapphire/Slammer Worm (2003), http://www.silicondefense.com/research/sapphire/

  19. Morrisett, G., Walker, D., Crary, K., Glew, N.: From System F to Typed Assembly Language. ACM Transactions on Programming Languages and Systems 21(3), 527–568 (1999)

    Article  Google Scholar 

  20. Myers, A.C.: JFlow: Practical Mostly-Static Information Flow Control. In: Conference Record of POPL 1999: The 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Antonio, Texas, January 20–22, pp. 228–241 (1999)

    Google Scholar 

  21. Necula, G.C.: Proof-Carrying Code. In: Conference Record of POPL 1997: The 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Paris, France, January 15–17, pp. 106–119 (1997)

    Google Scholar 

  22. Necula, G.C., Lee, P.: Safe, untrusted agents using proof-carrying code. In: Vigna, G. (ed.) Mobile Agents and Security. LNCS, vol. 1419, pp. 61–91. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  23. Necula, G., McPeak, S., Weimer, W.: CCured: Type-Safe Retrofitting of Legacy Code. In: Principles of Programming Languages (2002)

    Google Scholar 

  24. National Security Agency. Security Enhanced Linux, http://www.nsa.gov/selinux/

  25. Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation, Snowbird, Utah, June 20-22, SIGPLAN Notices, vol. 36(5) (May 2001)

    Google Scholar 

  26. Schneider, F.B.: Enforceable Security Policies. ACM Transactions on Information and System Security 3(1), 30–50 (2000)

    Article  Google Scholar 

  27. Schneider, F.B., Morrisett, J.G., Harper, R.: A Language-Based Approach to Security. Informatics, 86–101 (2001)

    Google Scholar 

  28. Wagner, D., Foster, J.S., Brewer, E.A., Aiken, A.: A First Step towards Automated Detection of Buffer Overrun Vulnerabilities. In: Network and Distributed System Security Symposium, San Diego, CA, pp. 3–17 (2000)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of California, Irvine

    Michael Franz

Authors
  1. Michael Franz
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. No Affiliation,  

    László Böszörményi

  2. fürWirtschaftswissenschaften und Informatik, Universität Klagenfurt, Fakultät, Universitätsstraße 65-67, 9020, Klagenfurt, Austria

    Peter Schojer

Rights and permissions

Reprints and permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Franz, M. (2003). Safe Code – It’s Not Just for Applets Anymore. In: Böszörményi, L., Schojer, P. (eds) Modular Programming Languages. JMLC 2003. Lecture Notes in Computer Science, vol 2789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45213-3_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-45213-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40796-6

  • Online ISBN: 978-3-540-45213-3

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics