
Philly ETE 2016: Securing Software by Construction



The high-profile attacks and data breaches of the last few years have shown us the importance of securing our software. While it is good that we are seeing more tools that can analyze systems for vulnerabilities, this does not help the programmer write secure code in the first place. To prevent security from becoming a bottleneck, and expensive security mistakes from becoming increasingly probable, we need to look to techniques that allow us to secure software by construction.

This talk has two parts. First, I will present technical ideas from research, including my own, that help secure software by construction. Even though these are reasonable ideas, however, the gap between academia and industry often prevents them from being realized in practice. Second, I will discuss what prevents longer-term security solutions from being commercialized, how we started the Cybersecurity Factory accelerator to bridge the research/industry gap, and how we can work together to address the issues that remain.


  1. Securing Software by Construction. Jean Yang, Harvard Medical School / Carnegie Mellon University. April 11, 2016. @jeanqasaur
  2. Our Lives Run on Software: smart homes, driverless cars, automatic dating. But first we need to “solve” security!
  3. State of the Art (academia vs. industry): undo mechanisms, encrypted databases, program analyses, provably secure software, firewalls. The big question: how can we take advantage of research ideas in practice?
  4. This Talk. Companies, venture capital, startups, academia, policy makers, consumers: how can we connect researchers to everyone else?
  5. Secondary Goals of Talk. Creative, fun, great. Different time-scales for goals unless you give us some.
  6. Part I: What Do Academics Think About? @jeanqasaur
  7. Problem I’m Solving: Protecting Sensitive Data is Hard. • Nobody is surprised to hear about data breaches. • Reasoning about code is difficult to scale. • Left with heuristics and little hope about information security.
  8. Why Aren’t Existing Approaches Enough? (Jean Yang / Jeeves) Reactive security (exploit, then patch) leaves system builders a step behind. Encrypting data: people often are protecting data, though incorrectly.
  9. My Approach: factor out policy checks to reduce the opportunity for leaks. • Programmer specifies high-level policies about how sensitive data may be used. • Rest of program is policy-agnostic. • System manages policies automatically.
  10. Goal: Keep Sensitive Information Private. Airbnb has a policy of blocking phone numbers so communications happen through their application. (Screenshot redacted by Airbnb.) Example courtesy of Chelsea Voss.
  11. Need to Make Sure Information Is Protected in All Views. Phone number remains redacted in email view. (Screenshot redacted by Airbnb.) Example courtesy of Chelsea Voss.
  12. Missed a spot! Phone number is visible in the message preview: the actual phone number, redacted by me and not by Airbnb. Example courtesy of Chelsea Voss.
  13. Programmers Must Navigate “Policy Spaghetti”. Code from the HotCRP conference management system; highlighted: conditional permission checks everywhere.
  14. Solution: Allow Programmers to Attach Policies Directly to Data. Policy-agnostic programming model and guarantees [POPL ’12]; improved semantics based on multi-execution [PLAS ’13]; extending the programming model across the database [PLDI ’16]. The language and runtime manage policies so the programmer does not need to.
  15. Policy-Agnostic Programming Factors Out Policies. • Centralized policies. • Policy-agnostic program. • Runtime differentiates behavior. (Shown on a Model / View / Controller diagram.)
  16. Jeeves Language and Execution Model. The sensitive phone number is represented as two facets, the actual number “867-5309” and HIDDEN. The program `x = 0; if number == “867-5309”: x += 1; return x` is evaluated over both facets, so x ends up as 1 (actual number) or 0 (HIDDEN). (1) The runtime propagates values and policies through the computation; (2) at `print`, the runtime solves for the values to show based on the policies and the viewer.
  17. Semantics of Output (Jean Yang / Jeeves). The rule for `print`:

      $$
      \frac{
      \begin{array}{c}
      \Sigma, E_{oc} \Downarrow_{\emptyset} \Sigma_{oc}, V_{oc} \qquad
      \Sigma_{oc}, E_r \Downarrow_{\emptyset} \Sigma_r, V_r \\
      k_1 \ldots k_n = \mathit{closeK}(\mathit{labels}(E_{oc}) \cup \mathit{labels}(E_r), \Sigma_2) \qquad
      E_p = \lambda x.\ \mathit{true} \wedge f\ \ldots \wedge f\ \Sigma_2(k_n) \\
      \Sigma_r, (E_p\ V_{oc}) \Downarrow_{\emptyset} \Sigma_p, V_p \qquad
      \text{pick } pc \text{ such that } pc\ V_{oc} = oc,\ pc\ V_r = R,\ pc\ V_p = \mathit{true}
      \end{array}
      }{
      \Sigma, \mathbf{print}\ E_{oc}\ E_r \Downarrow V_p, oc : R
      }
      $$

      The premises, in order: evaluate the output context and the expression to print; retrieve labels and policies; evaluate the policies applied to the output context; defacet using a satisfying policy assignment. Judgment forms: $\Sigma, S \Downarrow V_p, oc : R$ is statement evaluation ($V_p$: policies, $oc$: output context, $R$: result); $\Sigma, E \Downarrow_{pc} \Sigma', V$ is expression evaluation.
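As an added illustration of slides 16 and 17 (written for this page; it is not code from the talk or from the Jeeves/Jacqueline project), a minimal faceted-value runtime in Python: sensitive data carries a high and a low facet under a label, ordinary code is mapped over both facets, and `print` evaluates each label's policy against the viewer before defacing. The names `Label`, `Faceted`, `fmap`, `output`, `count_matches` and the host/guest policy are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Set
# Assumed names for this illustration (not Jeeves' API): Label, Faceted, fmap, output.

class Label:
    """A policy (viewer -> may see high facet?) attached once, where data is created."""
    def __init__(self, name: str, policy: Callable[[dict], bool]):
        self.name, self.policy = name, policy

@dataclass
class Faceted:
    """<high | low> guarded by a label; the program never branches on it directly."""
    label: Label
    high: Any
    low: Any

def fmap(f: Callable, *args: Any) -> Any:
    """Apply f across facets (split on the first faceted argument and recurse),
    so ordinary code stays policy-agnostic; nested facets work the same way."""
    for i, a in enumerate(args):
        if isinstance(a, Faceted):
            split = lambda facet: fmap(f, *args[:i], facet, *args[i + 1:])
            return Faceted(a.label, split(a.high), split(a.low))
    return f(*args)

def labels_of(v: Any) -> Set[Label]:
    if isinstance(v, Faceted):
        return {v.label} | labels_of(v.high) | labels_of(v.low)
    return set()

def defacet(v: Any, assignment: Dict[Label, bool]) -> Any:
    while isinstance(v, Faceted):
        v = v.high if assignment[v.label] else v.low
    return v

def output(v: Any, viewer: dict) -> Any:
    """print (slide 17): retrieve labels, evaluate each policy on the output
    context, then defacet with the resulting assignment."""
    return defacet(v, {lab: lab.policy(viewer) for lab in labels_of(v)})

# Constructed policy in the spirit of slides 10-12: only hosts may see the number.
PHONE = Label("phone", lambda viewer: viewer.get("role") == "host")
phone = Faceted(PHONE, "867-5309", "HIDDEN")      # <actual number | HIDDEN>
HOST, GUEST = {"role": "host"}, {"role": "guest"}
def count_matches(number: Any, x: int = 0) -> Any:
    """Slide 16's program: x = 0; if number == "867-5309": x += 1; return x."""
    return fmap(lambda n, acc: acc + 1 if n == "867-5309" else acc, number, x)

# Slide 12's "missed a spot": a derived view keeps the facets, so it cannot leak.
preview = fmap(lambda n: "Call me at " + n, phone)
```

Because `preview` is derived through `fmap`, the redaction follows the data into every view without a per-view permission check.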
  18. The Pain of Production-Testing a Research Prototype
  19. Lessons Learned. • Need a solution for running out of memory. • Need a story for extending language-level guarantees to the database. • But, in good news, web programs are often short and simple.
  20. Jacqueline, a Policy-Agnostic Web Framework (Jean Yang / Jeeves). Application, frontend, database, policies and viewer sit on a policy-agnostic runtime. The programmer is responsible for attaching policies; the framework is responsible for the rest.
  21. Research is Slow. At this point, we have proposed a new programming model and de-risked the problem for people in
  22. Be Patient with Us! • Research takes time. • Adoption into the mainstream can take even more time. • Many features in modern programming languages were incubated in research decades ago!
  23. Part II: How Can We Use Research Results in the Real World?
  24. Barriers to Industry Adoption. In large companies: • Managers need to fight the status quo. • Programmers need to manage legacy code. What about the startup route to tech transfer?
  25. Security is no Tindog. The hot new Silicon Valley startup: fun concept, slick design, toddler nephew can use it, integrates with your life. A startup that helps us secure our software: technical concept, verifiable by experts, requires infrastructure change.
  26. Unique Challenges for Security Startups (Justin Somaini, Chief Security Officer, SAP). • Security is expensive. • Concept is highly technical. • No flashy demos. • Adoption requires client expertise and/or trust. • Solving a technical problem != building a product.
  27. Cybersecurity Factory: an 8-week accelerator that gives teams $20,000, office space, focused mentorship, a network and legal support. Also named on the slide: Raj Shah, David Ting, Maxwell Krohn.
  28. Summer 2015 Cohort. Aikicrypt: outsourcing data securely to the cloud. Oblivilock: protecting data and metadata in the cloud.
  29. “I thought it was hard to sell my research. It’s much harder to sell something for money.” Christopher Fletcher, MIT PhD student, Cybersecurity Factory participant
  30. How Teams Spent the Summer. How teams thought they would spend time: talking to customers and working on pitches vs. coding. How teams actually spent time: talking to customers and working on pitches vs. coding. (Shown as two charts.)
  31. Biggest Lessons for Teams. • People matter. • People matter. • People matter. A good product drives conversations. Finding a target market is crucial. Networking can drive innovation.
  32. Fun Discovery: Del Monte Foods is Unexpectedly Hip
  33. Long-Term Goals for Cybersecurity Factory. • Continue running the program. • Commercialize academic security projects. • Create awareness among investors, clients, and the public. • More collaboration and partnership with industry. • Create a community of founders interested in technical security problems.
  34. Part III: How To Motivate Customers to Pay for Security? @jeanqasaur
  35. Insecurity is Expensive. “A report released this month by the Atlantic Council and Zurich Insurance Group estimated that by 2030, an insecure Internet would reduce global economic net benefit by $90 trillion. In contrast, a completely secure Internet would result in a global net gain of $190 trillion.” -Jeff Kosseff, cybersecurity law professor @jeanqasaur
  36. The Security “Prisoner’s Dilemma” @jeanqasaur. Lack of individual incentive: • Requires $$. • Requires more employee training. • Requires more programmer effort. • Doesn’t currently provide competitive advantage.
  37. We Need to Care More @jeanqasaur. Consumer example: Snapchat has numerous privacy violations, but is valued at $16 billion with 100 million users. Policy example: dentists commonly email records in violation of HIPAA, but HHS does not audit.
  38. Most Important is Legislative Change. “Intentionally or unintentionally, poorly crafted or outdated laws and technical standards threaten to undermine security, privacy and the viability of our most promising new technologies and networks…” –Joichi Ito. How we can contribute is left as an exercise to the listener.
  39. Conclusion: Many Pieces to Securing Software. Companies, venture capital, startups, academia, policy makers, consumers. 1. Connect research with industry. 2. Change incentives for security. 3. Get ideas out there and iterate!
  40. But… If we work together, we can create the right ecosystem to secure our software. @jeanqasaur