Download Untrustworthy Programming Languages PowerPoint Presentation

Iframe embed code :

<iframe src='https://www.slidesfinder.com/embedpresentation/NjMy' width='630' height='570' frameborder='0' marginwidth='0' marginheight='0' scrolling='no' allowfullscreen></iframe>

Presentation url :

Home / Education & Training / Education & Training Presentations / Untrustworthy Programming Languages PowerPoint Presentation

Untrustworthy Programming Languages PowerPoint Presentation

PowerPoint is the world's most popular presentation software which can let you create professional Untrustworthy Programming Languages powerpoint presentation easily and in no time. This helps you give your presentation on Untrustworthy Programming Languages in a conference, a school lecture, a business proposal, in a webinar and business and professional representations.

The uploader spent his/her valuable time to create this Untrustworthy Programming Languages powerpoint presentation slides, to share his/her useful content with the world. This ppt presentation uploaded by onlinesearch in Education & Training ppt presentation category is available for free download,and can be used according to your industries like finance, marketing, education, health and many more.

About This Presentation

onlinesearch

Description : View and free download Untrustworthy Programming Languages powerpoint presentation which is uploaded by search an active user in belonging ppt presentation Education & Training category.

Tags : Untrustworthy Programming Languages

Published on : Feb 10, 2014
Views : 1613 | Downloads : 0

Download Now

Share on Social Media

Untrustworthy Programming Languages Presentation Transcript

Slide 1 -

Queen Mary, University of London, May 2005 1 Untrustworthy Programming Languages Andrew Kennedy, MSR Cambridge

Slide 2 -

2 Queen Mary, University of London, May 2005 Do you trust your programming language? Modern programming platforms promise security: The Java security model is based on a customizable "sandbox" in which Java software programs can run safely, without potential risk to systems or users (java.sun.com/security) The .NET Common Language Runtime implements its own secure execution model that is independent of the host platform (Don Box, MSDN magazine) Most articles emphasise type-safety (=> memory safety) of the JVM or CLR And of course, special-purpose mechanisms such as Code Access Security (stack-walking), permissions, crypto, etc But that’s not the whole story…

Slide 3 -

3 Queen Mary, University of London, May 2005 The way it was In the past: programming language abstractions made languages “high-level” i.e. far from the raw metal of the machine good software engineering protected programmers from themselves & others If the language contained holes, it was “just” a programming problem In any case, nothing was enforced “underneath” except at coarse boundaries (machine, system/user, process)

Slide 4 -

4 Queen Mary, University of London, May 2005 But now... The programming model is part of the security model in particular, its type system but also, other aspects… Programmers will assume that abstractions are enforced underneath... ...and use them to write secure code.

Slide 5 -

5 Queen Mary, University of London, May 2005 Eiffel, 1989 Cook, W.R. (1989) - A Proposal for Making Eiffel Type-Safe, in Proceedings of ECOOP'89. S. Cook (ed.), pp. 57-70. Cambridge University Press. Betrand Meyer, on unsoundness of Eiffel: “Eiffel users universally report that they almost never run into such problems in real software development.”

Slide 6 -

6 Queen Mary, University of London, May 2005 Ten years later: Java

Slide 7 -

7 Queen Mary, University of London, May 2005 Secure programming platforms Java source JVML (bytecodes) C# C++ Visual Basic CIL CIL CIL Java compiler C# compiler C++ compiler VB compiler JVM(Java Virtual Machine) .NET CLR(Common Language Runtime) Executed on Executed on

Slide 8 -

8 Queen Mary, University of London, May 2005 Type safety Ensures data safety: can access memory only through typed objects code safety: can access components only according to their interface Isolates software processes (“Application Domains” in .NET) used for downloadable plug-ins for UI in next version of Windows Importance of type safety is now widely appreciated Microsoft would issue an immediate “critical update” if a type safety bug was discovered [Insert war stories here]

Slide 9 -

9 Queen Mary, University of London, May 2005 Type loophole => anything goes Exploit a type loophole to execute arbitrary code. Here’s a recipe. Define a delegate type D, create a delegate object off an empty methoddelegate void D();public static void DoNothing() { }D d = new D(DoNothing); Define a SpoofD class with int field spoofing the (internal) function pointer field of the delegate typeclass SpoofD { public int fptr; ... } Now pretend that the delegate object has type SpoofD (via type loophole)SpoofD sd = ...loophole magic...(d); Set the spoof function pointer field to the address of your malicious codesd.fptr = my_bad_code; Invoke the delegatesd();

Slide 10 -

10 Queen Mary, University of London, May 2005 Beyond type safety How do programmers reason about security properties of their code? Or about their code at all? We might hope that: A C# programmer can reason about code armed only with the C# language spec and specs for libraries used by the code Unfortunately, it seems that a C# programmer also needs Some understanding of how C# is translated into IL Some understanding of the behaviour of IL Some understanding of parts of the standard library not mentioned in the language spec or used by the program

Slide 11 -

11 Queen Mary, University of London, May 2005 Example 1: “Privacy through override” In C# (and Java), overridden methods cannot be invoked directly except by the overriding method This property has been used by programmers for security purposes:class InsecureWidget { // No checking of argument virtual void Put(string s); …}class SecureWidget : InsecureWidget { // Validate argument and pass on override void Put(string s) { Validate(s); base.Put(s); }}…SecureWidget sw = new SecureWidget();// We can’t avoid validation of arguments to Put, can we? // Oh, yes we can! Direct call on superclassldloc swldstr “Invalid string”call void InsecureWidget::Put(string)

Slide 12 -

12 Queen Mary, University of London, May 2005 Analysis What went wrong? In C#, overridden methods can only be invoked through “base” calls In IL, they can be called directly So there are programs in IL that can provoke behaviour not possible from C# What is a good way to characterize this? Translation from C# to IL fails to be fully abstract See “Protection in Programming Language Translation”, Abadi, 1998 How can we fix it? Not easily: IL was designed for multiple languages, with conflicting goals

Slide 13 -

13 Queen Mary, University of London, May 2005 An ideal: full abstraction Ensure that all abstractions of the programming language are enforced by the runtime programmers don’t have to know what’s underneath if they understand the programming language, they understand the platform programming model Ensure that translation from C# to IL is fully abstract C# program IL program Properties that hold here... ...also hold here

Slide 14 -

14 Queen Mary, University of London, May 2005 Two programs are equivalent if they have the same behaviour in all contexts of the language e.g. A translation is “fully abstract” if it respects equivalence For us: the “translation” is from source language (C# etc) to MSIL if there exist contexts (e.g. other code) in MSIL that can distinguish equivalent source programs, then the translation fails to be fully abstract Full abstraction class Secret { public Secret(int fv) { } public Set(int fv) { }} class Secret { private int f; public Secret(int fv) { f = fv; } public Set(int fv) { f = fv; }} ≈

Slide 15 -

15 Queen Mary, University of London, May 2005 Full abstraction for Java Translation from Java to JVML is not quite fully abstract (Abadi, 1998) At least one failure: access modifiers in inner classes a late addition to the language not directly supported by the JVM compiled by translation => impractical to make fully-abstract without changing the JVM

Slide 16 -

16 Queen Mary, University of London, May 2005 Full abstraction for C#? A number of failures Excuse: multiple languages target the CLR, with different goals The JVM was designed for a single language: Java. (Almost) Full- abstraction was probably an accident; though in retrospect it’s a good thing. For C#/CLR, we can catalogue failures of full abstraction and propose fixes either: change the translation from C# to IL or: reduce expressivity of IL (fewer IL contexts) or: increase the expressivity of C# (more C# contexts) At least: document the failures, educate programmers, provide tools to spot insecure programming patterns

Slide 17 -

17 Queen Mary, University of London, May 2005 Example 2Encapsulation of object state Programmer expectation: instances of types whose API ensures immutability are immutable. Ex: String, DateTime, Int32 Boxing shouldn’t make any difference, should it? // A dictionary keyed on stringsclass StringDict { private Hashtable dict; public object Get(string s) { return dict[s]; } internal void Set(string s, object o) { … }…}static StringDict personalData;// In a module far away…// We cannot update from here object salary = personalData.Get(“Salary”); // Oh, yes we can! Just get pointer to interiorldloc salaryunbox int32stind.i4 1000000

Slide 18 -

18 Queen Mary, University of London, May 2005 Example 2Encapsulation of object state An equivalence that is not preserved: Fix? In CLR type system: disallow update after unboxing public static int Foo(int x) { object y = (object) x; Bar(y); return x;} public static int Foo(int x) { object y = (object) x; Bar(y); return (int) y; } ≈

Slide 19 -

19 Queen Mary, University of London, May 2005 Example 3this is valid object instance? Instance methods are always invoked on a valid instance, surely?class Foo { // Instance registered for privileged action private static Foo registered = null; // Only called from this module (internal access) internal void Register() { registered = this }; public void Bar() { if (this == registered) { // Perform privileged action } }}// We can’t execute privileged action from another module // Oh, yes we can! Just call-direct-with-nullldnullcall void Foo::Bar()

Slide 20 -

20 Queen Mary, University of London, May 2005 Example 3 this is valid object instance? An equivalence that is not preserved: Fix? In C# compiler: explicit check-for-null at start of method In CLR: check-for-null at call-site (as with virtual call) class C { public bool Foo() { return true; } …} class C { public bool Foo() { return this != null; } …} ≈

Slide 21 -

21 Queen Mary, University of London, May 2005 Example 4 Exceptions are instances of System.Exception? try { // perform some action, to completion } catch (Exception e) { // undo action whenever an exception was thrown in try-block }// Action either ran to completion, or was fully undone // Not necessarily! From IL, can throw any objectnewobj instance void System.Object::.ctor()throw

Slide 22 -

22 Queen Mary, University of London, May 2005 Example 5Booleans are two-valued? void Foo(bool b){ bool c = !b; if (!c != b) { Console.WriteLine(“This cannot happen”); }} // Oh yes it can! ldc.i4 2call void Foo(bool)

Slide 23 -

23 Queen Mary, University of London, May 2005 Example 5 Booleans are two-valued? An equivalence that is not preserved: Fix? Change C# compilation of == and != for bool so that it cares only about zero/non-zero-ness static bool Foo(bool x, bool y) { return (x == false) == (y == false);} static bool Foo(bool x, bool y) { return x==y;} ≈

Slide 24 -

24 Queen Mary, University of London, May 2005 Weak abstractions Some abstractions aren’t broken; they’re just a bit weak arrays are always mutable developers forget this and define “readonly” properties with array types run-time types break “privacy by subsumption” solution to array problem would be to return array as an IEnumerable (a read-only enumerator) but run-time types let programmer “cast” back to the array Other abstractions are broken not by IL but by library classes e.g. delegates (closures) would “encapsulate” code & object state if it weren’t for System.Delegate.Target and System.Delegate.Method methods.

Slide 25 -

25 Queen Mary, University of London, May 2005 Why bother? Even if the translation from C# to IL were fully abstract, reasoning about C# programs would still be hard. Programmers make mistakes in writing secure code Tools for automating reasoning about programs are still in their infancy There are many other pitfalls in the language So why bother about full abstraction? Because it’s a great starting point: The ability to reason about C# programs “in C#” is hugely simplifying Even better: if we could cut down to a subset of C# that suffices

Slide 26 -

26 Queen Mary, University of London, May 2005 Formalize? Proofs of full abstraction are hard We don’t have a complete formal model of C# We don’t have a complete formal model of IL So what to do? Optimist: even if we can’t formalize, we can identify failures, and fix them all Pessimist: we can never be sure that we have full abstraction. Instead, focus on certain patterns, prove that these are watertight. Example: prove that integers are safe! prove that private fields don’t leak

Slide 27 -

27 Queen Mary, University of London, May 2005 Conclusions The programming model is a vital part of the security story for .NET and Java Programmers need to know what they can trust “Full abstraction” is the ideal My choice would be to fix the holes we know about Might be hard to do If we can’t or won’t, we should educate developers Type safety is now taken for granted as a necessity In the future, full abstraction also?

Frequently Asked Questions

> About SlidesFinder?

Slidesfinder is a website that allows users to upload and share their PowerPoint presentations online. It provides a platform for individuals and businesses to share their ideas and knowledge through presentations, and for others to view and download these presentations for educational or professional purposes.
Slidesfinder offers a wide range of presentation topics and categories, including business, education, science, technology, health, and more. Users can also search for presentations using keywords, tags, or by category. The website provides tools to create professional presentations with rich media, animations, and graphics.

One of the key features of Slidesfinder is its user-friendly interface, which allows users to easily upload, view, and share presentations. Users can also embed their presentations in their websites or blogs using the website's embed code feature.
Slidesfinder also offers premium services, such as the ability to create private presentations and to download presentations in high-quality formats. However, the basic features of Slidesfinder are free to use, making it accessible to anyone who wants to share their ideas and knowledge through presentations.

> How do I register with SlidesFinder?

Go to registration page (you can see signup link on top of website page) https://www.slidesfinder.com/signup . If you have facebook/gmail account them just click on SIGN IN WITH FACEBOOK OR SIGN IN WITH GOOGLE button, by this you will be a registered member of slidesfinder without filling any form, required detail automatically will be fatch from your account. If you do not a Facebook account, then click on "Signup". Fill all required fields and you will be a registered member of slidesfinder.

> Is slidesfinder account confirmation is mandatory?

Yes it is mandetory to active your account to login.

> Do I need to signup/login on SlidesFinder before uploading a PowerPoint presentation?

Yes, you need to login with your account before uploading presentation. Your username will be displayed on your uploaded presentation. Your registered email id is needed for sending your stats of uploaded presentation.

Slidesfinder is a sharing website for PowerPoint presentations search and share. Find your interest in the form of powerpoint presentations on slidesfinder and save your valuable time . On Slidesfinder you get presentations from our huge library of professional ppt presentations. We believe in making your search INFORMATIVE and FUN. Find your best ppt presentation from a pool of PowerPoint presentations stacked under important industry categories like business & management, heath & Wellness,eduction & training etc. We provide unique informative PowerPoint presentation for marketers, presenters and educationists. These professional PowerPoint presentations are uploaded by professionals from across numerous industry segments.These ppt presentations are available for FREE download.

Not just finding your interest, but facilitate you broadcast your interest. We have created this platform for easy sharing of PowerPoint presentations, ensuring that these presentations get maximum exposure. Create your slidesfinder account and upload PowerPoint presentations for free, share on social media platforms and BUILD YOUR CROWD WITH PRESENTATION !!

The Great Buddha says, "Share your knowledge.It’s a way to achieve immortality"! So, start sharing knowledge and we are here to make that immortal !!

Re-productivity of content are not allowed. Without prior written permission from author, commercial use of any content is illegal.