Designed-In Security for Mobile Architectures
Presented as part of the 2012 HCSS conference.
Abstract:
Mobile applications--both native and web-based--are a critical emerging segment of the software industry, and security for these applications is of increasing concern. Unfortunately, today's mobile applications are expressed at a low level of abstraction in which important security properties are implicit and only indirectly related to code, making assurance difficult.
In this talk I will argue for a new approach based on two principles: expressing the application at a level of abstraction more appropriate for reasoning about security, and integrating explicit security design information into the implementation of the application. I will describe past successes in applying these principles and describe the work we are now doing to build a system that embodies this approach.
Biography:
Jonathan Aldrich is Associate Professor of Computer Science at Carnegie Mellon University. He is the director of CMU's undergraduate minor program in Software Engineering, and teaches courses in programming languages, software engineering, and program analysis for quality and security. Dr. Aldrich joined the CMU faculty after completing a Ph.D. at the University of Washington and a B.S. at Caltech.
Dr. Aldrich's research centers on programming languages and type systems that are deeply informed by software engineering and security considerations. His research contributions include verifying the correct and secure implementation of an architectural design, modular formal reasoning about code, and API protocol specification and verification. For his work on software architecture, Aldrich received a 2006 NSF CAREER award and the 2007 Dahl-Nygaard Junior Prize, given annually for a significant technical contribution to object-oriented programming. Aldrich was one of 12 computer science researchers nationwide who were selected to the 2007 DARPA Computer Science Study Group. Aldrich's current work focuses on programming systems for secure mobile applications, and on leveraging permissions to reason about typestate and concurrency.