nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

15. Programming Language Theoretic Security in the Real World: A Mirage or the Future?

verfasst von : Andrew Ruef, Chris Rohlf

Erschienen in: Cyber Warfare

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The last decade has seen computer security rise from a niche field to a household term. Previously, executive level responses to computer security were disbelief and dismissal, while today the responses are questions of budget and risk. Computer security is a complicated issue with many moving parts and it is difficult to present a coherent view of its issues and problems. We believe that computer security issues have their root in programming languages and language runtime decisions. We argue that computer intrusion, malware, and network security issues all fundamentally arise from tradeoffs made in programming language design and the structure of the benign programs that are exploited. We present a case for addressing fundamental computer security problems at this root, by using advancements in programming language technology. We also present a case against relying on advancements in programming language technology, arguing that even when using the most sophisticated programming language technology available today, attacks are still possible, and that the current state of research is insufficient to guarantee security. We also discuss practical issues relating to the implementation of large-scale reforms in software development based on advancements in programming language technology.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Graph Mining for Cyber Security

Abadi, Martin, Protection in Programming-Language Translations, Lecture Notes in Computer Science Volume 1603, 1999, pp 19–34

Abadi, Martín, et al. “Control-flow integrity.” Proceedings of the 12th ACM conference on Computer and communications security. ACM, 2005.

Benjamin C. Pierce. The SAFE Machine: An Architecture for Pervasive Information Flow, June 2013. Invited talk at Computer Security Foundations Symposium (CSF).

Bhargavan, Karthikeyan, et al. “Proving the TLS Handshake Secure (as it is).” IACR Cryptology ePrint Archive 2014 (2014): 182.

Bittau, Andrea, et al. “Hacking blind.” Proceedings of the 35th IEEE Symposium on Security and Privacy. 2014.

Fournet, Cedric; Swamy, Nikhil; Chen, Juan; Dagand, Pierre-Evariste; Strub, Pierre-Yves; Livshits, Benjamin, Fully Abstract Compilation to JavaScript, POPL 2013

Göktas, Enes, et al. “Out of control: Overcoming control-flow integrity.” IEEE S&P. 2014.

Guido, Dan “A Case Study of Intelligence-Driven Defense” IEEE Security & Privacy November/December 2011, p 67–70

Guido, Dan Elderwood and the Department of Labor Hack, May 13, 2013http://blog.trailofbits.com/2013/05/13/elderwood-and-the-department-of-labor-hack/

Hutchins, Eric M, Cloppert, Michael J, Amin, Rohan M “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin Technical Report. 2011http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Jackson, Todd, et al. “Compiler-generated software diversity.” Moving Target Defense. Springer New York, 2011. 77–98.

Klein, Gerwin, et al. “seL4: Formal verification of an OS kernel.” Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. ACM, 2009.

Mashable, April 9, 2014http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

McGraw, Gary; Felten, Edward Understanding the keys to Java security—the sandbox and authentication, JavaWorld May 1, 1997http://www.javaworld.com/article/2076945/java-security/understanding-the-keys-to-java-security—the-sandbox-and-authentication.html

Nagarakatte, Santosh, Milo MK Martin, and Steve Zdancewic. “WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking.” Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization. ACM, 2014

Nagaraju, Swamy Shivaganga and Craioveanu, Cristian and Florio, Elia and Miller, Matt, Software Vulnerability Exploitation Trends, Microsoft, 2013

Oh Jeong Wook Recent Java exploitation trends and malware, Black Hat USA 2012https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf

Peter Bright, N.D. ArsTechnicahttp://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/. Accessed 15 Feb 2011

RSA FraudAction Research Labshttps://blogs.rsa.com/anatomy-of-an-attack. Accessed 01 April 2011

Yang, Xuejun; Chen, Yang; Edie, Eric; Regehr, John, Finding and Understanding Bugs in C Compilers, PLDI 2011http://www.cs.utah.edu/~regehr/papers/pldi11-preprint.pdf

Yang, Jean, Kuat Yessenov, and Armando Solar-Lezama. “A language for automatically enforcing privacy policies.” ACM SIGPLAN Notices. Vol. 47. No. 1. ACM, 2012.

Zamyatin, Igor, Intel® Memory Protection Extensions (Intel® MPX) support in the GNU toolchain, Intel July 22, 2013https://software.intel.com/en-us/blogs/2013/07/22/intel-memory-protection-extensions-intel-mpx-support-in-the-gnu-toolchain

Zhang, Chao, et al. “Practical control flow integrity and randomization for binary executables.” Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013.

Titel: Programming Language Theoretic Security in the Real World: A Mirage or the Future?
verfasst von: Andrew Ruef
Chris Rohlf
Verlag: Springer International Publishing
Buch: Cyber Warfare
Print ISBN: 978-3-319-14038-4

Electronic ISBN: 978-3-319-14039-1

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-319-14039-1_15

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"