Languages and Security

Embedded systems, such as those found in mobile phones or satellites, have grown in popularity in recent years. Code that executes in these environments needs to be verified as safe, so that it does not expose sensitive data or hidden APIs to the outside world. With enough knowledge of the code and the environment in which it executes, malicious entities can find and exploit vulnerabilities for their own gain. Failure to protect and verify executing software can leak or corrupt sensitive data, and in extreme cases cause loss of the device. This chapter explores security through language, compiler, and software techniques. The techniques and discussion apply to general system security; however, they are equally applicable to the embedded systems described above.
