Creating high-performance statically type-safe network applications

A typical Internet server finds itself in the middle of a virtual battleground, under constant threat from worms, viruses and other malware seeking to subvert the original intentions of the programmer. In particular, critical Internet servers such as OpenSSH, BIND and Sendmail have had numerous security issues ranging from low-level buffer overflows to subtle protocol logic errors. These problems have cost billions of dollars as the growth of the Internet exposes increasing numbers of computers to electronic malware. Despite the decades of research on techniques such as model-checking, type-safety and other forms of formal analysis, the vast majority of server implementations continue to be written unsafely and informally in C/C++. In this dissertation we propose an architecture for constructing new implementations of standard Internet protocols which integrates mature formal methods not currently used in deployed servers: (i) static type systems from the ML family of functional languages; (ii) model checking to verify safety properties exhaustively about aspects of the servers; and (iii) generative meta-programming to express high-level constraints for the domain-specific tasks of packet parsing and constructing non-deterministic state machines. Our architecture—dubbed MELANGE—is based on Objective Caml and contributes two domain-specific languages: (i) the Meta Packet Language (MPL), a data description language used to describe the wire format of a protocol and output statically type-safe code to handle network traffic using high-level functional data structures; and (ii) the Statecall Policy Language (SPL) for constructing non-deterministic finite state automata which are embedded into applications and dynamically enforced, or translated into PROMELA and statically model-checked. Our research emphasises the importance of delivering efficient, portable code which is feasible to deploy across the Internet. We implemented two complex protocols—SSH and DNS—to verify our claims, and our evaluation shows that they perform faster than their standard counterparts OpenSSH and BIND, in addition to providing static guarantees against some classes of errors that are currently a major source of security problems.

[1]  J. Shepherdson,et al.  Computer programming and formal systems , 1965 .

[2]  Ken Thompson,et al.  Reflections on trusting trust , 1984, CACM.

[3]  Scott O. Bradner,et al.  Key words for use in RFCs to Indicate Requirement Levels , 1997, RFC.

[4]  George C. Necula,et al.  Temporal-Safety Proofs for Systems Code , 2002, CAV.

[5]  Yakov Rekhter,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[6]  Ramesh Govindan,et al.  Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications , 2005, SIGCOMM 2005.

[7]  Geraint Jones Programming in occam , 1986, Prentice Hall International Series in Computer Science.

[8]  Amnon Naamad,et al.  Statemate: a working environment for the development of complex reactive systems , 1988, ICSE '88.

[9]  Natarajan Shankar,et al.  Abstract and Model Check While You Prove , 1999, CAV.

[10]  Xavier Leroy,et al.  Formal certification of a compiler back-end or: programming a compiler with a proof assistant , 2006, POPL '06.

[11]  John McCarthy,et al.  Recursive functions of symbolic expressions and their computation by machine, Part I , 1960, Commun. ACM.

[12]  James C. Corbett,et al.  A Language Framework for Expressing Checkable Properties of Dynamic Software , 2000, SPIN.

[13]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[14]  Simon Peyton Jones,et al.  Wearing the hair shirt: a retrospective on Haskell (2003) , 2003 .

[15]  Tatu Ylönen,et al.  The Secure Shell (SSH) Authentication Protocol , 2006, RFC.

[16]  Benjamin C. Pierce,et al.  XDuce: A statically typed XML processing language , 2003, TOIT.

[17]  Alan Kullberg,et al.  Incremental updating of the Internet checksum , 1990, RFC.

[18]  Chris Okasaki,et al.  Purely functional data structures , 1998 .

[19]  Tatu Ylönen,et al.  The Secure Shell (ssh) Transport Layer Protocol , 2006 .

[20]  Dawson R. Engler,et al.  Checking system rules using system-specific, programmer-written compiler extensions , 2000, OSDI.

[21]  Peter Lee,et al.  A Network Protocol Stack in Standard ML , 2001, High. Order Symb. Comput..

[22]  Tadao Murata,et al.  Petri nets: Properties, analysis and applications , 1989, Proc. IEEE.

[23]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[24]  Feng Zhou,et al.  Thirty Years Is Long Enough: Getting Beyond C , 2005, HotOS.

[25]  Steven McCanne,et al.  BPF+: exploiting global data-flow optimization in a generalized packet filter architecture , 1999, SIGCOMM '99.

[26]  David Walker,et al.  The next 700 data description languages , 2006, POPL '06.

[27]  John McCarthy,et al.  Recursive functions of symbolic expressions and their computation by machine, Part I , 1959, Commun. ACM.

[28]  Xavier Leroy,et al.  The ZINC experiment : an economical implementation of the ML language , 1990 .

[29]  Richard Sharp,et al.  The Case for Abstracting Security Policies , 2003, Security and Management.

[30]  D. A. Turner The semantic elegance of applicative languages , 1981, FPCA '81.

[31]  Tatu Ylönen,et al.  The Secure Shell (SSH) Protocol Architecture , 2006, RFC.

[32]  Jon Postel,et al.  Request For Comments reference guide , 1987, RFC.

[33]  Gerard J. Holzmann,et al.  An Automated Verification Method for Distributed Systems Software Based on Model Extraction , 2002, IEEE Trans. Software Eng..

[34]  Chanathip Namprempre,et al.  The Secure Shell (SSH) Transport Layer Encryption Modes , 2006, RFC.

[35]  David B. MacQueen,et al.  The Definition of Standard ML (Revised) , 1997 .

[36]  Carl A. Gunter,et al.  The machine-assisted proof of programming language properties , 1996 .

[37]  Giuseppe Castagna,et al.  CDuce: an XML-centric general-purpose language , 2003, ACM SIGPLAN Notices.

[38]  Li Fan,et al.  Web caching and Zipf-like distributions: evidence and implications , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[39]  Michael Goldsmith,et al.  Programming in occam 2 , 1985, Prentice Hall international series in computer science.

[40]  Angelos D. Keromytis,et al.  The price of safety in an active network , 2001, Journal of Communications and Networks.

[41]  Hong Yan,et al.  A clean slate 4D approach to network control and management , 2005, CCRV.

[42]  David A. Borman,et al.  Computing the internet checksum , 1989, CCRV.

[43]  Gerard J. Holzmann,et al.  The SPIN Model Checker , 2003 .

[44]  Jerome H. Saltzer,et al.  End-to-end arguments in system design , 1984, TOCS.

[45]  Vern Paxson,et al.  Proceedings of the 13th USENIX Security Symposium , 2022 .

[46]  Edsger W. Dijkstra,et al.  Structured programming , 1972, A.P.I.C. Studies in data processing.

[47]  R. Hindley The Principal Type-Scheme of an Object in Combinatory Logic , 1969 .

[48]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[49]  Edoardo Biagioni A structured TCP in standard ML. , 1994, SIGCOMM 1994.

[50]  Richard E. Newman,et al.  Capacity estimation and auditability of network covert channels , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[51]  Joseph Pasquale,et al.  The importance of non-data touching processing overheads in TCP/IP , 1993, SIGCOMM 1993.

[52]  C. A. R. Hoare,et al.  Communicating sequential processes , 1978, CACM.

[53]  Crispin Cowan,et al.  RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities , 2001, USENIX Security Symposium.

[54]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[55]  Walid Taha,et al.  A Gentle Introduction to Multi-stage Programming , 2003, Domain-Specific Program Generation.

[56]  Michael Sipser,et al.  Introduction to the Theory of Computation , 1996, SIGA.

[57]  Kyung-Suk Lhee,et al.  Buffer overflow and format string overflow vulnerabilities , 2003, Softw. Pract. Exp..

[58]  Paul Hudak,et al.  Conception, evolution, and application of functional programming languages , 1989, CSUR.

[59]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[60]  Eugene H. Spafford,et al.  The internet worm program: an analysis , 1989, CCRV.

[61]  Stanislaw Budkowski,et al.  An Introduction to Estelle: A Specification Language for Distributed Systems , 1987, Comput. Networks.

[62]  Wei Tu,et al.  Model checking an entire Linux distribution for security violations , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[63]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[64]  Kurt Jensen Coloured Petri nets: A high level language for system design and analysis , 1989, Applications and Theory of Petri Nets.

[65]  Bryan Cantrill,et al.  Dynamic Instrumentation of Production Systems , 2004, USENIX Annual Technical Conference, General Track.

[66]  Robert Jonathan Ennals,et al.  Adaptive evaluation of non-strict programs , 2004 .

[67]  Frank Cusack,et al.  Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) , 2006, RFC.

[68]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[69]  Daniel C. DuVarney,et al.  Model-carrying code: a practical approach for safe execution of untrusted applications , 2003, SOSP '03.

[70]  Carl A. Gunter,et al.  PLAN: a packet language for active networks , 1998, ICFP '98.

[71]  Henry G. Baker,et al.  Infant mortality and generational garbage collection , 1993, SIGP.

[72]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[73]  Matthias Bauer New covert channels in HTTP: adding unwitting Web browsers to anonymity sets , 2003, WPES '03.

[74]  Srinivas Nedunuri The functional approach to programming , 2000, SOEN.

[75]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.1 , 1997, RFC.

[76]  Michael Norrish,et al.  Rigorous specification and conformance testing techniques for network protocols, as applied to TCP, UDP, and sockets , 2005, SIGCOMM '05.

[77]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[78]  Konstantinos Sagonas,et al.  Native code compilation of Erlang's bit syntax , 2002, ERLANG '02.

[79]  Andrew W. Appel,et al.  Using memory errors to attack a virtual machine , 2003, 2003 Symposium on Security and Privacy, 2003..

[80]  Jon Crowcroft,et al.  Proceedings of the conference on Communications architectures, protocols and applications , 1994, Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication.

[81]  Giuseppe Castagna,et al.  A Full Pattern-Based Paradigm for XML Query Processing , 2005, PADL.

[82]  Charles E. Perkins,et al.  Mobile IP Network Access Identifier Extension for IPv4 , 2000, RFC.

[83]  Emden R. Gansner,et al.  An open graph visualization system and its applications to software engineering , 2000 .

[84]  Alfred V. Aho,et al.  Principles of Compiler Design , 1977 .

[85]  Jon Postel,et al.  File Transfer Protocol , 1985, RFC.

[86]  Cormac Flanagan,et al.  Hybrid type checking , 2006, POPL '06.

[87]  Klaus Havelund,et al.  Model checking JAVA programs using JAVA PathFinder , 2000, International Journal on Software Tools for Technology Transfer.

[88]  Carla E. Brodley,et al.  Detection and prevention of stack buffer overflow attacks , 2005, CACM.

[89]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[90]  Matthias Felleisen,et al.  Contracts for higher-order functions , 2002, ICFP '02.

[91]  Martín Abadi,et al.  A Theory of Objects , 1996, Monographs in Computer Science.

[92]  Klaus Havelund,et al.  Model Checking Programs , 2004, Automated Software Engineering.

[93]  Scott O. Bradner,et al.  The Internet Standards Process - Revision 3 , 1996, RFC.

[94]  Niklaus Wirth,et al.  Program development by stepwise refinement , 1971, CACM.

[95]  A. Pnueli,et al.  STATEMATE: a working environment for the development of complex reactive systems , 1988, Proceedings. [1989] 11th International Conference on Software Engineering.

[96]  Tatu Ylönen,et al.  The Secure Shell (SSH) Connection Protocol , 2006, RFC.

[97]  Robin Milner,et al.  A Metalanguage for interactive proof in LCF , 1978, POPL.

[98]  Peter Lee,et al.  Run-time code generation and modal-ML , 1998, PLDI.

[99]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[100]  Robbert van Renesse,et al.  Building Adaptive Systems Using Ensemble , 1998, Softw. Pract. Exp..

[101]  Margo I. Seltzer,et al.  An architecture a day keeps the hacker away , 2005, CARN.

[102]  Robin Milner,et al.  Communicating and mobile systems - the Pi-calculus , 1999 .

[103]  Juha Röning,et al.  Running Malicious Code By Exploiting Buffer Overflows: A Survey Of Publicly Available Exploits , 2000 .

[104]  Alain Frisch Regular Tree Language Recognition with Static Information , 2004, IFIP TCS.

[105]  Joseph Pasquale,et al.  The importance of non-data touching processing overheads in TCP/IP , 1993, SIGCOMM '93.

[106]  Simon Marlow,et al.  Developing a high-performance web server in Concurrent Haskell , 2002, Journal of Functional Programming.

[107]  Henk Barendregt,et al.  The Lambda Calculus: Its Syntax and Semantics , 1985 .

[108]  Bertrand Meyer,et al.  Object-Oriented Software Construction, 2nd Edition , 1997 .

[109]  Benjamin C. Pierce,et al.  Schema-Directed Data Synchronization , 2005 .

[110]  Joe L. Armstrong The development of Erlang , 1997, ICFP '97.

[111]  Bjarne Stroustrup,et al.  The C++ programming language (2nd ed.) , 1991 .

[112]  D. A. Turner,et al.  Miranda: A Non-Strict Functional language with Polymorphic Types , 1985, FPCA.

[113]  Arlene F. Getchell,et al.  A Revised Catalog of Available X.500 Implementations , 1994, RFC.

[114]  Murray Hill,et al.  Yacc: Yet Another Compiler-Compiler , 1978 .

[115]  Dawson R. Engler,et al.  RacerX: effective, static detection of race conditions and deadlocks , 2003, SOSP '03.

[116]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[117]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[118]  Philip Wadler,et al.  Deforestation: Transforming Programs to Eliminate Trees , 1990, Theor. Comput. Sci..

[119]  John McCarthy,et al.  History of LISP , 1978, SIGP.

[120]  Paul V. Mockapetris,et al.  Domain names: Concepts and facilities , 1983, RFC.

[121]  James C. Corbett,et al.  Expressing checkable properties of dynamic systems: the Bandera Specification Language , 2002, International Journal on Software Tools for Technology Transfer.

[122]  Godmar Back,et al.  DataScript - A Specification and Scripting Language for Binary Data , 2002, GPCE.

[123]  C. Petri Kommunikation mit Automaten , 1962 .

[124]  Sriram K. Rajamani,et al.  SLIC: A Specification Language for Interface Checking (of C) , 2002 .

[125]  Jacques Garrigue,et al.  Code reuse through polymorphic variants , 2000 .

[126]  Kent Boortz,et al.  World-class product certification using Erlang , 2002, ERLANG '02.

[127]  M. F.,et al.  Bibliography , 1985, Experimental Gerontology.

[128]  Hsiao-Keng Jerry Chu,et al.  Zero-Copy TCP in Solaris , 1996, USENIX Annual Technical Conference.

[129]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[130]  Van Jacobson,et al.  Congestion avoidance and control , 1988, SIGCOMM '88.

[131]  Wendy E. Mackay,et al.  CPN/Tools: A Post-WIMP Interface for Editing and Simulating Coloured Petri Nets , 2001, ICATPN.

[132]  Robert K. Cunningham,et al.  A taxonomy of computer worms , 2003, WORM '03.

[133]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[134]  David A. Wagner,et al.  MOPS: an infrastructure for examining security properties of software , 2002, CCS '02.

[135]  Jon Postel,et al.  Simple Mail Transfer Protocol , 1981, RFC.

[136]  Gul Agha,et al.  Concurrent Object-Oriented Programming and Petri Nets , 2001, Lecture Notes in Computer Science.

[137]  Wolfgang Reisig,et al.  Deterministic buffer synchronization of sequential processes , 1982, Acta Informatica.

[138]  Todd C. Miller,et al.  strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation , 1999, USENIX Annual Technical Conference, FREENIX Track.

[139]  Jessica Chen,et al.  Translation from Adapted UML to Promela for CORBA-Based Applications , 2004, SPIN.

[140]  Rajive L. Bagrodia,et al.  Slow memory: the rising cost of optimism , 2000, Proceedings Fourteenth Workshop on Parallel and Distributed Simulation.

[141]  James C. Corbett,et al.  Evaluating Deadlock Detection Methods for Concurrent Software , 1996, IEEE Trans. Software Eng..

[142]  David A. Wagner,et al.  Model Checking One Million Lines of C Code , 2004, NDSS.

[143]  Friedrich L. Bauer,et al.  Revised report on the algorithm language ALGOL 60 , 1963, CACM.

[144]  Namkyu Park,et al.  An XML-based process definition language for integrated process management , 2003, Comput. Ind..

[145]  Andrea C. Arpaci-Dusseau,et al.  Deploying Safe User-Level Network Services with icTCP , 2004, OSDI.

[146]  Satish Chandra,et al.  Packet types: abstract specification of network protocol messages , 2000 .

[147]  Alfred V. Aho,et al.  Principles of Compiler Design (Addison-Wesley series in computer science and information processing) , 1977 .

[148]  Michel Mauny,et al.  The functional approach to programming , 1998 .

[149]  Jeff Bonwick,et al.  The Slab Allocator: An Object-Caching Kernel Memory Allocator , 1994, USENIX Summer.

[150]  Ralph-Johan Back,et al.  Refinement Calculus: A Systematic Introduction , 1998 .

[151]  Andrew Warfield,et al.  Live migration of virtual machines , 2005, NSDI.

[152]  Sriram K. Rajamani,et al.  Refining Approximations in Software Predicate Abstraction , 2004, TACAS.

[153]  Dawson R. Engler,et al.  Bugs as deviant behavior: a general approach to inferring errors in systems code , 2001, SOSP.

[154]  Junfeng Yang,et al.  Using model checking to find serious file system errors , 2004, TOCS.

[155]  Angelos D. Keromytis,et al.  e-NeXSh: achieving an effectively non-executable stack and heap via system-call policing , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[156]  Thomas A. Henzinger,et al.  Checking Memory Safety with Blast , 2005, FASE.

[157]  John W. Backus,et al.  Can programming be liberated from the von Neumann style?: a functional style and its algebra of programs , 1978, CACM.

[158]  Richard S. Bird,et al.  Introduction to functional programming , 1988, Prentice Hall International series in computer science.

[159]  Todd A. Proebsting,et al.  USC: a universal stub compiler , 1994, SIGCOMM 1994.

[160]  Bjarne Stroustrup,et al.  C++ Programming Language , 1986, IEEE Softw..

[161]  Dave Crocker,et al.  Augmented BNF for Syntax Specifications: ABNF , 1997, RFC.

[162]  Luca Cardelli,et al.  Mobile Ambients , 1998, FoSSaCS.

[163]  Jon Callas,et al.  OpenPGP Message Format , 1998, RFC.

[164]  Paul Vixie,et al.  Extension Mechanisms for DNS (EDNS0) , 1999, RFC.

[165]  John McCarthy,et al.  A basis for a mathematical theory of computation, preliminary report , 1899, IRE-AIEE-ACM '61 (Western).

[166]  Peter Lee,et al.  Optimizing ML with run-time code generation , 1996, PLDI '96.

[167]  Stuart Cheshire,et al.  Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4) , 2002, RFC.

[168]  Jon Postel,et al.  Internet Protocol , 1981, RFC.

[169]  Steven McCanne,et al.  The BSD Packet Filter: A New Architecture for User-level Packet Capture , 1993, USENIX Winter.

[170]  Harlan D. Mills,et al.  Data structured programming: Program design without arrays and pointers , 1986, IEEE Transactions on Software Engineering.

[171]  Yuanyuan Zhou,et al.  SafeMem: exploiting ECC-memory for detecting memory leaks and memory corruption during production runs , 2005, 11th International Symposium on High-Performance Computer Architecture.

[172]  Simon L. Peyton Jones,et al.  The Implementation of Functional Programming Languages , 1987 .

[173]  Harlan D. Mills Software Development , 1976, IEEE Transactions on Software Engineering.

[174]  Walid Dabbous,et al.  Generating efficient protocol code from an abstract specification , 1996, SIGCOMM 1996.

[175]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[176]  Simon S. Lam,et al.  SNP: An Interface for Secure Network Programming , 1994, USENIX Summer.

[177]  Robin Milner,et al.  A Calculus of Communicating Systems , 1980, Lecture Notes in Computer Science.

[178]  Andrew Odlyzko,et al.  Internet traffic growth: sources and implications , 2003, SPIE ITCom.

[179]  Dan S. Wallach,et al.  Denial of Service via Algorithmic Complexity Attacks , 2003, USENIX Security Symposium.

[180]  Keith L. Clark,et al.  PARLOG: parallel programming in logic , 1986, ACM Trans. Program. Lang. Syst..

[181]  Abhay K. Bhushan,et al.  The File Transfer Protocol , 1971, Request for Comments.

[182]  Doug Lea,et al.  Interface-Based Protocol Specification of Open Systems using PSL , 1995, ECOOP.

[183]  Yousef A. Khalidi,et al.  An Efficient Zero-Copy I/O Framework for UNIX , 1995 .

[184]  John Hughes,et al.  Why Functional Programming Matters , 1989, Comput. J..

[185]  Stefan Savage,et al.  The Spread of the Sapphire/Slammer Worm , 2003 .

[186]  Bertrand Meyer,et al.  Eiffel: The Language , 1991 .

[187]  Eddie Kohler,et al.  A readable TCP in the Prolac protocol language , 1999, SIGCOMM '99.

[188]  Michael Westergaard,et al.  CPN Tools for Editing, Simulating, and Analysing Coloured Petri Nets , 2003, ICATPN.

[189]  P. J. Landin,et al.  The next 700 programming languages , 1966, CACM.

[190]  Robert Bell,et al.  Megaco IP Phone Media Gateway Application Profile , 2001, RFC.

[191]  Tim Howes,et al.  Lightweight Directory Access Protocol , 1995, RFC.

[192]  Benjamin C. Pierce,et al.  Combinators for bi-directional tree transformations: a linguistic approach to the view update problem , 2005, POPL '05.

[193]  Rod M. Burstall,et al.  HOPE: An experimental applicative language , 1980, LISP Conference.

[194]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[195]  Henning Schulzrinne,et al.  An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol , 2004, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[196]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[197]  David Scott Abstracting application-level security policy for ubiquitous computing , 2005 .

[198]  Rafael Dueire Lins,et al.  Garbage collection: algorithms for automatic dynamic memory management , 1996 .

[199]  John C. Klensin,et al.  Simple Mail Transfer Protocol , 2001, RFC.

[200]  Walid Dabbous,et al.  Generating efficient protocol code from an abstract specification , 1996, SIGCOMM '96.

[201]  Sally A. McKee,et al.  Formal hardware specification languages for protocol compliance verification , 2004, TODE.

[202]  J. Doug Tygar,et al.  The battle against phishing: Dynamic Security Skins , 2005, SOUPS '05.

[203]  Kurt D. Zeilenga Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status , 2003, RFC.

[204]  Richard Sharp,et al.  Linear Types for Packet Processing , 2004, ESOP.

[205]  Guru M. Parulkar,et al.  The UVM Virtual Memory System , 1999, USENIX Annual Technical Conference, General Track.

[206]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[207]  A. Turing On Computable Numbers, with an Application to the Entscheidungsproblem. , 1937 .

[208]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[209]  Frank Pfenning,et al.  Eliminating array bound checking through dependent types , 1998, PLDI.

[210]  Tim Owen,et al.  SafetyNet: A language-based approach to programmable networks , 2001, Comput. Networks.

[211]  Stuart E. Schechter,et al.  Inoculating SSH Against Address Harvesting , 2006, NDSS.

[212]  S. Kleene,et al.  λ-Definability and Recursiveness. , 1937 .

[213]  Robbert van Renesse,et al.  Building adaptive systems using ensemble , 1998 .

[214]  Flemming Nielson,et al.  Type and Effect Systems , 1999, Correct System Design.

[215]  Andrew Kennedy,et al.  Design and implementation of generics for the .NET Common language runtime , 2001, PLDI '01.

[216]  Torben Bra,et al.  Introduction to Linear Logic , 1996 .

[217]  Martin Elsman,et al.  Web Programming with SMLserver , 2003, PADL.

[218]  Thomas A. Henzinger,et al.  The Blast Query Language for Software Verification , 2004, SAS.

[219]  Rajeev Alur,et al.  Verifying Network Protocol Implementations by Symbolic Refinement Checking , 2001, CAV.

[220]  Helmut Veith,et al.  Counterexample-guided abstraction refinement for symbolic model checking , 2003, JACM.

[221]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[222]  Mark Garland Hayden,et al.  The Ensemble System , 1998 .

[223]  Markus G. Kuhn,et al.  Analysis of a denial of service attack on TCP , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[224]  Todd A. Proebsting,et al.  USC: A Universal Stub Compiler , 1994, SIGCOMM.

[225]  簡聰富,et al.  物件導向軟體之架構(Object-Oriented Software Construction)探討 , 1989 .

[226]  Paul V. Mockapetris,et al.  Domain names - implementation and specification , 1987, RFC.

[227]  Emden R. Gansner,et al.  An open graph visualization system and its applications to software engineering , 2000, Softw. Pract. Exp..

[228]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[229]  Jeffrey S. Foster,et al.  Checking type safety of foreign function calls , 2005, PLDI '05.

[230]  Robert Tappan Morris,et al.  DNS performance and the effectiveness of caching , 2001, IMW '01.

[231]  Miguel Castro,et al.  Vigilante: end-to-end containment of internet worms , 2005, SOSP '05.

[232]  Peyton Jones,et al.  Haskell 98 language and libraries : the revised report , 2003 .

[233]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[234]  Frank Pfenning,et al.  Dependent types in practical programming , 1999, POPL '99.

[235]  Niels Provos,et al.  ScanSSH: Scanning the Internet for SSH Servers , 2001, LISA.

[236]  Geoffrey Smith,et al.  Polymorphic typing of variables and references , 1996, TOPL.

[237]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[238]  James McKinna,et al.  Why dependent types matter , 2006, POPL '06.

[239]  Thomas P. Brisco DNS Support for Load Balancing , 1995, RFC.

[240]  Alan M. Turing,et al.  Computability and λ-definability , 1937, Journal of Symbolic Logic.

[241]  Randal E. Bryant,et al.  Symbolic Boolean manipulation with ordered binary-decision diagrams , 1992, CSUR.

[242]  George C. Necula,et al.  Proof-carrying code , 1997, POPL '97.

[243]  Robert Gruber,et al.  PADS: a domain-specific language for processing ad hoc data , 2005, PLDI '05.

[244]  Naoki Kobayashi Quasi-linear types , 1999, POPL '99.

[245]  Jon Crowcroft,et al.  The main name system: an exercise in centralized computing , 2005, CCRV.

[246]  Wesley Griffin,et al.  Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints , 2006, RFC.