Security vulnerabilities often arise due to programming errors in the source code of an application. Recent programming errors with severe security implications include Heartbleed (buffer over-read), Shellshock (code injection), and goto-fail (ill-formated code). Rather than hunt for individual vulnerabilities in programs, a more structural approach to improve security is to improve the programming language. This is the goal of language-based security: to rule out whole classes of potential security vulnerabilities in one go.
This course studies various security properties and program analysis techniques for enforcing these properties at the level of the programming language to improve software security. In particular, we will study the following properties:
We will study techniques to address these problems at the language level through dynamic analysis, static analysis, and language design. To facilitate a precise study and comparison, we will define the above techniques formally in class. To facilitate student experimentation and exploration of trade-offs, students will implement the above techniques in homework assignments.