Language-Based Security

Comp Sci 839, Fall 2023

School of Computer, Data & Information Sciences

Overview
Schedule
Syllabus
Canvas

Overview

This course explores methods for using programming languages and language semantics to enforce security. It is primarily a reading, discussion, and research course. We will read classic and recent papers covering a variety of topics, including enforcement of confidentiality and integrity policies by controlling information flows both statically and dynamically, quantitative security measures, how to use these ideas to secure practical (often distributed) systems, and methods for incorporating and checking uses of cryptography.

Many of these papers require background in basic theoretical programming languages concepts, but students are not expected to already be familiar with this material. Instead, the first three weeks will consists of lectures covering this background, so students can better understand the papers to follow.

Students will be expected to read at least one paper for every class meeting, present one paper during the term, and do a small research project. For more details on goals and expectations, please see the syllabus.

Course Info

Meeting Time:	Tues/Thurs 2:30 – 3:45pm
Meeting Location:	Engineering Hall 2239
Instructor:	Ethan Cecchetti
Instructor Contact:	cecchetti@wisc.edu
Instructor Office:	CS 7395
Office Hours:	Wednesdays, 2:00 – 3:00pm or by appointment

Schedule

Date

Topic

Presenter

Required Reading

Recommended Reading

Sept 7

Welcome + λ-calculus

(Cecchetti)

OCaml Programming: Correct + Efficient + Beautiful

Michael R. Clarkson

Sept 12

λ-calculus

(Cecchetti)

Sept 14

Operational semantics

(Cecchetti)

Sept 19

Imp

(Cecchetti)

Sept 21

State and traces

(Cecchetti)

Sept 26

Simply-typed λ-calculus

(Cecchetti)

A Language-Based Approach to Security

Fred B. Schneider, Greg Morrisett, and Robert Harper

Informatics: 10 Years Back, 10 Years Ahead, 2001

IFC Overview

Sept 28

Intro to IFC and IFC Types

Ethan Cecchetti

A Note on the Confinement Problem

Butler Lampson

CACM 1973

Language-based Information Flow Security

Andrei Sabelfeld and Andrew C. Myers

Journal on Selected Areas in Communications 2003

Oct 3

Proving Noninterference in a Functional Language

Kanghee Park

Information Flow Inference for ML

François Pottier and Vincent Simonet

POPL 2002 (and TOPLAS 2003)

Note: Feel free to skip Sections 8 and 9

Security Properties

Oct 5

EM-Enforceable Properties

Enforceable Security Properties

Fred B. Schneider

TISSEC 2000

Oct 10

Hyperproperties

Andrey Yao

Hyperproperties

Michael R. Clarkson and Fred B. Schneider

JCS 2010 (and CSF 2008)

Oct 12

Secure Compilation

Journey Beyond Full Abstraction

Carmine Abate, Roberto Blanco, Deepak Garg, Cătălin Hriţcu, Marco Patrignani, Jérémy Thibault

CSF 2019

Formal Approaches to Secure Compilation

Marco Patrignani, Amal Ahmed, and Dave Clarke

ACM Computing Surveys 2019

(Oct 13)

Project Proposals Due

More Expressive Static IFC

Oct 17

Secure Declassification

Brandon Cegelski

Declassification: Dimensions and Principles

Andrei Sabelfeld and David Sands

JCS 2009 (and CSFW 2005)

Some of the various cited papers

Oct 19

Robust Declassification

Jack Stanek

Enforcing Robust Declassification and Qualified Robustness

Andrew C. Myers, Andrei Sabelfeld, and Steve Zdancewic

JCS 2006

Nonmalleable Information Flow Control

Ethan Cecchetti, Andrew C. Myers, and Owen Arden

CCS 2017

Dynamic IFC and Notions of Noninterference

Oct 24

Progress-(in)sensitivity

Shengyuan Yang

Reconciling progress-insensitive noninterference and declassification

Johan Bay and Aslan Askarov

CSF 2020

Termination-Insensitive Noninterference Leaks More Than Just a Bit

Aslan Askarov, Sebastian Hunt, Andrei Sabelfeld, and David Sands

ESORICS 2008

Oct 26

Secure Multi-execution

Robert Nagel

Faceted Secure Multi Execution

Thomas Schmitz, Maximilian Algehed, Cormac Flanagan, and Alejandro Russo

CCS 2018

Noninterference through Secure Multi-execution

Dominique Devriese and Frank Piessens

IEEE S&P 2010

Securing Systems

Oct 31

Speculative Execution Security

Jiangyi Liu

Spectector: Principled Detection of Speculative Information Flows

Marco Guarnieri, Boris Köpf, José F. Morales, Jan Reineke, and Andrés Sánchez

IEEE S&P 2020

Also look at the recommended paper and get the general idea. Reading it in detail is optional.

Automatic Detection of Speculative Execution Combinations

Xaver Fabian, Marco Guarnieri, and Marco Patrignani

CCS 2022

Nov 2

Reentrancy Protection

Fangzhou Wu

Compositional Security for Reentrant Applications

Ethan Cecchetti, Siqiu Yao, Haobin Ni, and Andrew C. Myers

IEEE S&P 2021

Nov 7

Web Security

Rahul Krishnan

Retrofitting Fine Grain Isolation in the Firefox Renderer

Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan

USENIX Security 2020

LWeb: Information Flow Security for Multi-tier Web Applications

James Parker, Niki Vazou, and Michael Hicks

POPL 2019

Nov 9

Capabilities

Ante Tonkovic-Capin

Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud

Arnar Birgisson, Joe Gibbs Politz, Úlfar Erlingsson, Ankur Taly, Michael Vrable, and Mark Lentczner

NDSS 2014

Shill: A Secure Shell Scripting Language

Scott Moore, Christos Dimoulas, Dan King, and Stephen Chong

OSDI 2014

Probabilistic and Quantitative Security

Nov 14

Probabilistic Noninterference

Julia Nakhleh

A Language for Probabilistically Oblivious Computation

David Darais, Ian Sweet, Chang Liu, and Michael Hicks

POPL 2020

Nov 16

Quantitative Information Flow

Ashley Samuelson

On the Foundations of Quantitative Information Flow

Geoffrey Smith

FoSSaCS 2009

Quantifying Information Flow with Beliefs

Michael R. Clarkson, Andrew C. Myers, and Fred B. Schneider

JSC 2009

Nov 21

(Canceled due to illness)

Nov 23

(Thanksgiving Break)

Nov 28

Differential Privacy

Ben Jacobsen

CheckDP: An Automated and Integrated Approach for Proving Differential Privacy or Finding Precise Counterexamples

Yuxin Wang, Zeyu Ding, Daniel Kifer, and Danfeng Zhang

CCS 2020

LightDP: Towards Automating Differential Privacy Proofs

Danfeng Zhang and Daniel Kifer

POPL 2017

Language-Based Cryptography

Nov 30

Synthesizing Cryptography

Muhammad Musa

Viaduct: An Extensible, Optimizing Compiler for Secure Distributed Programs

Coşku Acay, Rolph Recto, Joshua Gancher, Andrew C. Myers, and Elaine Shi

PLDI 2021

Using Replication and Partitioning to Build Secure Distributed Systems

Lantian Zheng, Stephen Chong, Andrew C. Myers, and Steve Zdancewic

IEEE S&P 2003

Multiparty Computation Languages

Symphony: Expressive Secure Multiparty Computation with Coordination

Ian Sweet, David Darais, David Heath, William Harris, Ryan Estes, and Michael Hicks

‹Programming› 2023

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations

Aseem Rastogi, Matthew Hammer, and Michael Hicks

IEEE S&P 2014

Dec 5

Project Presentations

(2:30 – 2:40)	Jiangyi Liu
(2:42 – 2:57)	Kanghee Park and Rahul Krishnan
(3:00 – 3:10)	Fangzhou Wu
(3:12 – 3:22)	Robert Nagel
(3:25 – 3:40)	Ben Jacobsen and Julia Nakhleh

Dec 7

Project Presentations

(2:30 – 2:40)	Ante Tonkovic-Capin
(2:42 – 2:52)	Jack Stanek
(2:55 – 3:05)	Ashley Samuelson
(3:07 – 3:17)	Brandon Cegelski
(3:20 – 3:30)	Muhammad Musa
(3:32 – 3:42)	Andrey Yao

(Dec 12)

Project Writeups Due

Syllabus

(A pdf version of this syllabus is available here.)

Learning Outcomes

The goal of this course is that, after successful completion, students should be able to demonstrate the following skills.

Articulate the core concepts and ideas in modern research papers in the field of language-based security, and situate those results within the broader literature of the field.
Present cutting-edge research ideas to other researchers in a way that is clear, understandable, and well-motivated.
Investigate new research questions in the area of language-based security and progress our understanding of those questions and associated ideas.

Assignments

There will be four types of assignments. All non-presentation assignments will be handed in on Canvas.

Problem Sets

Only during the lecture portion of the class. These are to help build comfort and familiarity with the background material.

Paper Reviews

Each class (after the first three weeks) will have a paper that is required reading, and possibly a paper that is recommended as well. For each required reading, students must submit a short review summarizing the paper and explaining core concepts. These reviews should also note any confusion or questions you have, as well as describe anything about the paper you did or didn't like. Reviews for recommended readings are optional.

Reviews are due at 11:00am on the day of class.

Paper Presentations

Each class (after the background lectures), one or two students will give a 30–45 minute presentation on that day's topic. The student(s) presenting must read both the required and recommended reading for that day well in advance. They must also meet with the instructor (Ethan) to discuss the paper and a draft of their presentation at least 3 days in advance (no later than Monday if the presentation is on a Thursday, or Friday of the previous week if the presentation is on a Tuesday).

Students will sign up to present papers in the 3rd week of class (after add/drop period has ended).

Research Project

Each student must conduct a small research project in the area of language-based security. These projects may be individual, or in groups of up to three. The goal of the project is for every student in the class to have experience doing research in the area of language-based security. It is not to produce a publishable piece of research, although a good project would have promise to be the first step toward that goal. Students already working on projects that could reasonably be construed as language-based security research are welcome to use part or all of that work as the project for this course.

The topic of the project is up to each student. The schedule is front-loaded with background material and papers on language-based information flow, but projects can be centered around whatever area of language-based security that most interests each student. Other options include capabilities, model checking, and synthesis of secure code.

Projects can be implementation-based, such as implementing a language-based security technique or using one to build software more securely, theory-based, such as developing formal (perhaps machine-checked) proofs of security for some system, or even based on deeply surveying the state of a section of the field in the style of a Systematization of Knowledge (SoK) paper.

Students will be required to submit a 1-page proposal in October. The proposal should motivate the project and explain what concretely you plan to do to complete it. It should discuss how the proposed project relates to prior published research and provide citations.

In December, each project group will give a 10–15 minute presentation on their project to the class and produce a written report on their results, insights, and progress. There is no fixed length for these reports, but I expect the will be a few pages long.

Additionally, any students working in a group will be required to turn in a peer evaluation for their project group. The peer evaluation must answer the following questions for each team member (including yourself).

How did the team member's work positively contribute to the group?
How did the team member's work negatively contribute to the group?
For each stage of the project, what percentage of the total work of the group did the team member do? Please consider all work that team member did, not just work that was successful or ended up in the final product.

It is not necessary that every member of the team contribute equally to every component of the project. I will look at each team member's contribution in total across the whole project while making an evaluation.

Grading

Grades will be based on the following breakdown:

Problem sets and reviews: 40%
Paper presentation: 25%
Project: 30%
Participation: 5%

This is a graduate-level course. As such, the expectations are a bit different from what you may be used to in undergraduate-level courses. The focus of this course is on exposing you to new ideas and concepts and allowing you space to investigate and learn. To that end, problem sets and paper reviews will be graded on a "✓" / "✓−" scale, while presentations and projects will be graded with a simple letter grade (A, B, C, or F).

Problem sets and Reviews

If you engaged with the material and attempted to do the work, even if there were parts that were somewhat incomplete or you partially misunderstood, you will still receive a ✓. If you turn in something, but it is substantially incomplete or demonstrates very little understanding, you will receive a ✓−. If you turn in nothing or indicate no understanding at all or engagement with the material, you will receive no credit.

Presentations and Projects

The grade will be based on the quality of your work. For presentations, this will include reading the papers and discussing your presentation plan with Ethan far enough in advance (see the presentation description above).

For the research project, it means making progress towards solving the problem you propose. It is important to remember that the research projects are research. It is extremely difficult to know how large or difficult the projects will be before you dive into them. That means that you can fail to solve your proposed problem and still receive an A on the project by demonstrating effort and progress. For example, demonstrating that a promising approach fails to solve a problem for fundamental reasons could be an excellent result!

Participation

To receive participation points, you must stop by Ethan's office some time in the first two weeks of class to introduce yourself. You must also fill out the end-of-semester course evaluation. Active participation in class does not directly impact your grade, but it is highly encouraged and may indirectly improve your grade by helping you better understand and engage with the material.

A message for PhD students

Please try not to worry about your grade. I don't know how to put this delicately, but grades matter less as a PhD student than they did in undergrad. Focus on getting as much knowledge as you can out of the course, and your grade will be fine.

Academic Integrity

By virtue of enrollment, each student agrees to uphold the high academic standards of the University of Wisconsin-Madison; academic misconduct is behavior that negatively impacts the integrity of the institution. Cheating, fabrication, plagiarism, unauthorized collaboration, and helping others commit these previously listed acts are examples of misconduct which may result in disciplinary action. In this course, one example of misconduct would be using someone else's research results or writing without proper credit. Examples of disciplinary sanctions include, but are not limited to, failure on the assignment/course, written reprimand, disciplinary probation, suspension, or expulsion.

Accommodations for Students with Disabilities

The University of Wisconsin–Madison and this course support the right of all enrolled students to a full and equal educational opportunity. The Americans with Disabilities Act (ADA), Wisconsin State Statute (36.12), and UW–Madison policy (UW-855) require the university to provide reasonable accommodations to students with disabilities to access and participate in its academic programs and educational services. Faculty and students share responsibility in the accommodation process. Students are expected to inform faculty (Ethan) of their need for instructional accommodations during the beginning of the semester, or as soon as possible after being approved for accommodations. Faculty (Ethan) will work either directly with the student or in coordination with the McBurney Center to provide reasonable instructional and course-related accommodations. Disability information, including instructional accommodations as part of a student's educational record, is confidential and protected under FERPA. (See: McBurney Disability Resource Center)

Diversity & Inclusion

Diversity is a source of strength, creativity, and innovation for UW–Madison. The university and this course values the contributions of each person and respects the profound ways their identity, culture, background, experience, status, abilities, and opinion enrich the university and classroom community. We commit ourselves to the pursuit of excellence in teaching, research, outreach, and diversity as inextricably linked goals. The University of Wisconsin–Madison fulfills its public mission by creating a welcoming and inclusive community for people from every background—people who as students, faculty, and staff serve Wisconsin and the world.

Mental Health and Well-Being

Students, particularly graduate students, often experience stressors that can impact both their academic experience and personal well-being. These may include mental health concerns, substance misuse, sexual or relationship violence, family circumstances, campus climate, financial matters, among others.

Students are encouraged to learn about and utilize UW–Madison's mental health services and/or other resources as needed. Visit uhs.wisc.edu or call University Health Services at (608) 265-5600 to learn more.

Students are also encouraged to alert the instructor (Ethan) if their mental or physical health or that of a loved one or family member is negatively impacting their ability to succeed in the course. We can then make appropriate accommodations.

Acknowledgements

This course (and some of the language in this syllabus) is adapted from Andrew Myers's Language-Based Security seminar at Cornell University (CS 6113). The material in the lectures is adapted from Cornell University's Advanced Programming Languages course (CS 6110). The language for the sections on academic integrity, disability accommodations, diversity & inclusion, and mental health is taken from standard UW–Madison syllabus resources.