ABSTRACT

Title of Dissertation: Advanced Language-based Techniques for Correct, Secure Networked Systems

James Parker, Doctor of Philosophy, 2020

Dissertation Directed by: Professor Michael Hicks, Department of Computer Science

Developing correct and secure software is an important task that impacts many areas including finance, transportation, health, and defense. In order to develop secure programs, it is critical to understand the factors that influence the introduction of vulnerable code. To investigate, we developed and ran the Build-it, Break-it, Fix-it (BIBIFI) security-oriented programming contest as a quasi-controlled experiment. BIBIFI aims to assess the ability to securely build software, not just break it.

In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams' submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended—teams can use any language, tool, process, etc. that they like. As such, contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. We ran three contests involving a total of 156 teams and three different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in a statically-typed language were less likely to have a security flaw. Break-it teams that were also successful build-it teams were significantly better at finding security bugs.

The contest results showed that programmers make mistakes in both the design and implementation of their programs in ways that make them vulnerable. To mitigate these issues, we advanced the state of the art in language-integrated techniques for security enforcement, including formal methods.
First, we created LWeb, a tool for enforcing label-based information flow policies in database-using web applications. In a nutshell, LWeb marries the LIO Haskell IFC enforcement library with the Yesod web programming framework. The implementation has two parts. First, we extract the core of LIO into a monad transformer (LMonad) and then apply it to Yesod's core monad. Second, we extend Yesod's table definition DSL and query functionality to permit defining label-based policies on tables and enforcing them during query processing. LWeb's policy language is expressive, permitting dynamic per-table and per-row policies. We formalize the essence of LWeb in the λLWeb calculus and mechanize the proof of noninterference in Liquid Haskell, an extension of Haskell that adds refinement types to the language. This mechanization constitutes the first metatheoretic proof carried out in Liquid Haskell. We also used LWeb to build the web site hosting BIBIFI. The site involves 40 data tables and sophisticated policies. Compared to manually checking security policies, LWeb imposes a modest runtime overhead of between 2% and 21%. It reduces the trusted code base from the whole application to just 1% of the application code, and 21% of the code overall (when counting LWeb too).

Finally, we further advance the capabilities of Liquid Haskell by using it to verify the correctness of distributed applications based on conflict-free replicated data types (CRDTs). To do so, we add an extension to Liquid Haskell that facilitates stating and semi-automatically proving properties of typeclasses. Our work allows refinement types to be attached to typeclass method declarations, and ensures that instance implementations respect these types. The engineering of this extension is a modular interaction between GHC, the Glasgow Haskell Compiler, and Liquid Haskell's core proof infrastructure.
To verify CRDTs, we define them as a typeclass with refinement types that capture the mathematical properties CRDTs must satisfy, prove that these properties are sufficient to ensure that replicas' states converge despite out-of-order delivery, implement (and prove correct) several instances of our CRDT typeclass, and use them to build two realistic applications, a multi-user calendar event planner and a collaborative text editor. In addition, we demonstrate the utility of our typeclass extension by using Liquid Haskell to modularly verify that 34 instances satisfy the laws of five standard typeclasses.

Advanced Language-based Techniques for Correct, Secure Networked Systems

by

James Parker

Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in partial fulfillment of the requirements for the degree of Doctor of Philosophy 2020

Advisory Committee:
Professor Michael Hicks, Chair/Advisor
Dr. Niki Vazou
Professor Michelle Mazurek
Professor David Mount
Professor Lawrence Washington

© Copyright by James Parker 2020

Acknowledgments

There are numerous people in my life who have helped make this dissertation possible. First, I would like to thank my advisor, Michael Hicks, who has been an invaluable mentor and supporter of my research. In addition to everything he's taught me academically, he has served as a role model. It is obvious how much he cares for his students, and he always aims to do what is best.

During her time as a postdoctoral researcher at the University of Maryland, Niki Vazou exposed me to the wonderful world of Liquid Haskell. I believe it has the potential to become a tool that is used to formally verify programs on a larger scale outside of academia. With her guidance, we have taken some of the first steps towards this goal.
I have enjoyed working on many interesting problems with all of my collaborators including Yiyun Liu, Andrew Ruef, Michelle Mazurek, Daniel Votipka, Kelsey Fulton, Phúc Nguyễn, Piotr Mardziel, Dave Levin, Patrick Redmond, Lindsey Kuper, and Matthew Hou. I hope that we continue to work together in the future.

Finally, I would not be here without the love and support of my family. My parents built a strong foundation for me growing up. My brother and I foster a competitive environment that drives us to constantly improve. My wife has stood by my side and encouraged me throughout my journey through graduate school.

Table of Contents

Acknowledgements
Table of Contents
List of Tables
List of Figures
List of Abbreviations

Chapter 1: Introduction
  1.1 Background on Liquid Haskell

Chapter 2: Build It, Break It, Fix It: Contesting Secure Development
  2.1 Introduction
    2.1.1 Acknowledgements
  2.2 Build-it, Break-it, Fix-it
    2.2.1 Competition phases
    2.2.2 Competition scoring
    2.2.3 Discussion
    2.2.4 Implementation
  2.3 Contest Problems
    2.3.1 Secure Log
    2.3.2 ATM
    2.3.3 Multiuser DB
  2.4 Build-it Submissions: Successes and Failures
    2.4.1 Failure Stories
    2.4.2 Success Stories
  2.5 Quantitative Analysis
    2.5.1 Data collection
    2.5.2 Analysis approach
    2.5.3 Contestants
    2.5.4 Ship scores
    2.5.5 Resilience
    2.5.6 Presence of security bugs
    2.5.7 Breaking success
    2.5.8 Model differences
    2.5.9 Summary
  2.6 Related work
  2.7 Conclusion

Chapter 3: LWeb: Information Flow Security for Multi-tier Web Applications
  3.1 Introduction
    3.1.1 Acknowledgements
  3.2 Overview
    3.2.1 Label-Based Information Flow Control with LIO
    3.2.2 Yesod
    3.2.3 LWeb: Yesod with LIO
  3.3 Mechanizing Noninterference of LIO in Liquid Haskell
    3.3.1 Security Lattice as a Type Class
    3.3.2 λLIO: Syntax and Semantics
    3.3.3 Noninterference
  3.4 Label-based Security for Database Operations
    3.4.1 Database Definition
    3.4.2 Querying the Database
    3.4.3 Monadic Database Queries
    3.4.4 Noninterference
  3.5 Liquid Haskell for Metatheory
    3.5.1 Advantages
    3.5.2 Disadvantages
  3.6 Implementation
    3.6.1 Extensions
    3.6.2 Trusted Computing Base
  3.7 The BIBIFI Case Study
    3.7.1 BIBIFI Labels
    3.7.2 Users and Authentication
    3.7.3 Opening the Contest
    3.7.4 Teams and Declassification
    3.7.5 Breaks and Advanced Queries
  3.8 Experimental Evaluation
    3.8.1 Trusted Computing Base of BIBIFI
    3.8.2 Running Time Overhead
  3.9 Quantifying