The Role of Domain-Specific Techniques in Designed-In Security
Presented as part of the 2012 HCSS conference.
Abstract:
Functionality and security are in natural tension with one another. Functionality is about letting things happen. Security is about preventing them. So it is not surprising that programming methods that emphasize raw functionality lead to all manner of security problems. The power of general purpose languages — so useful when I want to explore a new idea — is the very thing that opens up so many opportunities for exploit. This is particularly acute when combined with the desire for efficiency. If I want to get people onto a plane as quickly as possible, then many of them might get through with very little checking. And if I want to process the elements of an array as quickly as possible, then maybe I'll forgo the bounds check. Oh yes, and to make sure the control-flow within the program is as efficient as possible, I won't check that the return address on the stack is the same as it was a few milliseconds ago when I wrote it there. And so buffer-overrun vulnerabilities are born.
Domain-specific techniques provide a powerful approach to addressing this dilemma between functionality and security. In many cases, the full generality of a general purpose programming language is not required to program specific solutions. Instead, the set of possible solutions can be characterized constructively using a (small) language that is focused on the specific domain. The language provides a great freedom of expression within the domain, and yet does not permit insecurities to arise from accidentally straying outside the domain. Examples of this technique range from simple regular-expression matchers through techniques for constructing SQL queries so that injection-attacks cannot occur, right through to implementations of operating system kernels. The tools associated with the domain-specific language are able to produce very efficient code while also providing strong guarantees about the absence of large classes of security vulnerabilities. By looking at the wide range of domain-specific techniques now in use, we can extract general lessons as to the kind of security guarantees these techniques are able to provide by construction, as well as indications of when they may or may not be appropriate.
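The SQL-query case mentioned above, worked through as an added example (not code from the talk or from Galois): a tiny query-construction language whose only operations are "pick a table", "pick columns" and "compare a column to a value". Identifiers are checked against a constructed schema allow-list and values only ever leave the language as bound parameters, so the generated SQL cannot stray outside the intended domain. The table, rows and the `unsafe_lookup` string-concatenation contrast are all constructed for the example.

```python
import sqlite3

# Constructed allow-list: the "domain" the little query language may range over.
SCHEMA = {"users": {"id", "name", "role"}}


class Query:
    """A SELECT assembled from checked identifiers and bound values only."""

    def __init__(self, table):
        if table not in SCHEMA:
            raise ValueError(f"unknown table: {table!r}")
        self.table, self.columns, self.conds, self.params = table, ["*"], [], []

    def _check(self, col):
        if col not in SCHEMA[self.table]:
            raise ValueError(f"unknown column: {col!r}")

    def select(self, *cols):
        for c in cols:
            self._check(c)
        self.columns = list(cols)
        return self

    def where_eq(self, col, value):
        self._check(col)
        self.conds.append(f"{col} = ?")   # structure comes from the language...
        self.params.append(value)         # ...data is bound, never spliced in
        return self

    def render(self):
        sql = f"SELECT {', '.join(self.columns)} FROM {self.table}"
        if self.conds:
            sql += " WHERE " + " AND ".join(self.conds)
        return sql, tuple(self.params)


def accepted(table, *cols):
    """True if the language accepts this table/column combination."""
    try:
        Query(table).select(*cols)
        return True
    except ValueError:
        return False


def unsafe_lookup(conn, name):
    """General-purpose 'raw functionality' version: input spliced into SQL text."""
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def safe_lookup(conn, name):
    """Same query expressed in the domain-specific language."""
    sql, params = Query("users").select("id", "name").where_eq("name", name).render()
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn
```

Feeding the same quote-bearing input to both lookups shows the difference: the concatenated version returns every row, while the query built in the small language treats the input as a name that matches nothing.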
Biography:
Dr. John Launchbury is Chief Scientist of Galois, Inc. John founded Galois in 1999 to address challenges in Information Assurance through the application of Functional Programming and Formal Methods. Under his leadership, formerly as CEO, the company has grown strongly, successfully winning and delivering on multiple contract awards for more than a decade. John continues to build Galois' growing reputation for thought leadership in high assurance technology development.
Prior to founding Galois, John was a full professor in Computer Science and Engineering at the Oregon Graduate Institute School of Science and Engineering at OHSU. His instruction style earned him several awards for outstanding teaching, and he is internationally recognized for his work on the analysis and semantics of programming languages, and on the Haskell programming language in particular. John received First Class Honors in Mathematics from Oxford University in 1985. He holds a Ph.D. in Computing Science from the University of Glasgow and won the British Computer Society's distinguished dissertation prize. In 2010, John was inducted as a Fellow of the Association for Computing Machinery (ACM).