Digital Security by Design: Robustness by Design - Sophia Drossopoulou, Imperial College London
•
1 like•70 views
Following the Collaborators' Workshop held on 26th Sept (presentations available on KTN's SlideShare account), EPSRC/ESRC are running a Collaboration Development workshop on 22nd November 2019 in London to facilitate academia-industry and academia-academia collaboration ahead of the closing dates for the EPSRC and ESRC ISCF Digital Security by Design calls. The calls need to be led by academic institutions. Industrial involvement, while not mandatory, is highly desirable and will be required for future competitions. Hence this workshop aims to have a mix of academic and industrial participants. The Digital Security by Design challenge was announced in July. This challenge, amounting to £70 million of government funding over 5 years, will be delivered by UK Research and Innovation (UKRI) through the Industrial Strategy Challenge Fund (ISCF). Find out more: https://ktn-uk.co.uk/news/iscf-digital-security-by-design-collaboration-development-workshop
Recommended
Recommended
More Related Content
More from KTN
More from KTN (20)
Recently uploaded
Recently uploaded (20)
Digital Security by Design: Robustness by Design - Sophia Drossopoulou, Imperial College London
- 1. 1 Sophia Drossopoulou, Imperial College London Worked on programming language models, design and implementation, ownership types, session types, Pony. Proposed type state (Fickle), gradual types, Javascript type inference Robustness by Design
- 2. Robustness goes beyond traditional concerns 1 Sophia Drossopoulou, Imperial College London Worked on programming language models, design and implementation, ownership types, session types, Pony. Proposed type state (Fickle), gradual types, Javascript type inference Robustness by Design
- 3. • closed world • sufficient conditions for some effect • about individual functions; Robustness goes beyond traditional concerns 1 Traditional Specs Sophia Drossopoulou, Imperial College London Worked on programming language models, design and implementation, ownership types, session types, Pony. Proposed type state (Fickle), gradual types, Javascript type inference Robustness by Design
- 4. • closed world • sufficient conditions for some effect • about individual functions; Robustness goes beyond traditional concerns 1 Traditional Specs Robustness considerations • open world • necessary conditions for some effect • about emergent behaviour Sophia Drossopoulou, Imperial College London Worked on programming language models, design and implementation, ownership types, session types, Pony. Proposed type state (Fickle), gradual types, Javascript type inference Robustness by Design
- 5. 2 Robustness goes beyond traditional concerns
- 6. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } Robustness goes beyond traditional concerns
- 7. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } Robustness goes beyond traditional concerns
- 8. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } SafeOne ⊨ SpecA Robustness goes beyond traditional concerns 😀
- 9. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } class SafeTwo{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeTwo(s,t){ … } mthd set(s) { this.secret=s;} } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } SafeOne ⊨ SpecA Robustness goes beyond traditional concerns 😀
- 10. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } class SafeTwo{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeTwo(s,t){ … } mthd set(s) { this.secret=s;} } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } SafeOne ⊨ SpecA SafeTwo ⊨ SpecA Robustness goes beyond traditional concerns 😱 😀
- 11. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } class SafeTwo{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeTwo(s,t){ … } mthd set(s) { this.secret=s;} } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } SafeOne ⊨ SpecA SafeTwo ⊨ SpecA SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ] SafeTwo ⊭ SpecB Robustness goes beyond traditional concerns 😱 😀 😀
- 12. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } class SafeTwo{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeTwo(s,t){ … } mthd set(s) { this.secret=s;} } class SafeThree{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeThree(s,t){ … } mthd set(s,sOld) { if sOld==secret then { secret=s;}} } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } SafeOne ⊨ SpecA SafeTwo ⊨ SpecA SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ] SafeTwo ⊭ SpecB SafeThree ⊭ SpecB Robustness goes beyond traditional concerns 😱 😀 😀 😱
- 13. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } class SafeTwo{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeTwo(s,t){ … } mthd set(s) { this.secret=s;} } class SafeThree{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeThree(s,t){ … } mthd set(s,sOld) { if sOld==secret then { secret=s;}} } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } SafeOne ⊨ SpecA SafeTwo ⊨ SpecA SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ] SafeTwo ⊭ SpecB SpecC: ∀sf:Safe.[ Will(Changes(sf.treasure)) ⟶ ∃ o:External.Access(o,sf.secret) ] SafeThree ⊭ SpecB Robustness goes beyond traditional concerns 😱 😀 😀 😱
- 14. 2 class SafeOne{ private fld secret; private fld treasure; mthd take(s){ if (s==secret) { t=treasure; treasure = null; return t; } } constr SafeOne(s,t){ secret=s; treasure = t; } } class SafeTwo{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeTwo(s,t){ … } mthd set(s) { this.secret=s;} } class SafeThree{ private fld secret; private fld treasure; mthd take(s){ …. } constr SafeThree(s,t){ … } mthd set(s,sOld) { if sOld==secret then { secret=s;}} } SpecA: { true } sf.take(s) { s=sf.secret -> sf.treasurepost = null ∧ s≠sf.secret -> sf.treasurepost = sf.treasurepre } SafeOne ⊨ SpecA SafeTwo ⊨ SpecA SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ] SafeTwo ⊭ SpecB SpecC: ∀sf:Safe.[ Will(Changes(sf.treasure)) ⟶ ∃ o:External.Access(o,sf.secret) ] SafeThree ⊭ SpecB SafeTwo ⊭ SpecC SafeThree ⊨ SpecC Robustness goes beyond traditional concerns 😱 😀 😀 😀 😀 😱
- 15. Work so far 3 Work to do Robustness by Design
- 16. Work so far 3 • designed specification languages • semantics of the specification language • case studies from financial cyptography and object capabilities literature • concepts of trust and risk Work to do Robustness by Design
- 17. Work so far 3 • designed specification languages • semantics of the specification language • case studies from financial cyptography and object capabilities literature • concepts of trust and risk Work to do • desk-reason about adherence to Robustness Specs • logic to reason adherence to Robustness Specs • testing for adherence to Robustness Specs • what if external code is executed on untrusted machine Robustness by Design