Arrival and Coffee: 9:30 - 10:00
Session 1: 10:00 - 10:45
Break: 10:45 - 11:00
Session 2: 11:00 - 12:30
Lunch: 12:30 - 1:50
Business meeting: 1:50 - 2:00
Session 3: 2:00 - 3:30
Fable: A Language for Enforcing User-defined Security Policies
This paper presents Fable, a core formalism for a programming language
in which programmers may specify security policies and reason that
these policies are properly enforced. In Fable, security policies can
be expressed by associating security labels with the data or actions
they protect. Programmers define the semantics of labels in a separate
part of the program called the enforcement policy. Fable prevents a
policy from being circumvented by al- lowing labeled terms to be
manipulated only within the enforcement policy; application code must
treat labeled values abstractly. Together, these features facilitate
straightforward proofs that programs implementing a particular policy
achieve their high-level security goals. Fable is flexible enough to
implement a wide variety of security policies, including access
control, information flow, provenance, and security automata. We have
implemented Fable as part of the Links web programming language; we
call the resulting language SELinks. We report on our experience using
SELinks to build two substantial applications, a wiki and an on-line
store, equipped with a combination of access control and provenance
policies. To our knowledge, no existing framework enables the
enforcement of such a wide variety of security policies with an
equally high level of assurance.
Nikhil Swamy, Brian J. Corcoran and Michael Hicks
J&s: Toward Flexible and Efficient Family Extensibility
Object-oriented languages aim to support software extensibility and
reuse with the mechanisms of subtyping and inheritance, but ordinary
inheritance is limited in at least two important ways. First, a group
of interacting classes cannot be extended at the same time while
preserving their relationships, and second, new functionality cannot
be added to the objects of an existing class without modifying the
class.
Xin Qi and Andrew Myers
This talk introduces J&s, a language that simultaneously addresses these two limitations on extensibility. In J&s, as in its predecessors Jx and J&, families can be extended and composed; moreover, classes in different families can be shared: an object that is an instance of one class can be used as an instance of a class it shares with, each class becoming a "view" of the object. Objects can safely move between families by changing their views.
Given such a feature-rich language, it remains a practical problem how to implement it efficiently. This talk also presents our latest effort on a scalable and efficient implementation of the language, based on the Java classloader. It generates a small amount of code that has a low overhead.
HardBound: Architectural Support for Spatial Safety of the C
Programming Language
The C programming language is at least as well known for its absence of
spatial memory safety guarantees (i.e., lack of bounds checking) as it is
for its high performance. C's unchecked pointer arithmetic and
array indexing allow simple programming mistakes to lead to erroneous
executions, silent data corruption, and security vulnerabilities. Many
prior proposals have tackled enforcing spatial safety in C programs by
checking pointer and array accesses. However, existing software-only
proposals have significant drawbacks that may prevent wide
adoption, including: unacceptably high runtime overheads, lack of
completeness, incompatible pointer representations, or need for
non-trivial changes to existing C source code and compiler
infrastructure.
Joe Devietti, Colin Blundell, Milo M. K. Martin, and Steve Zdancewic
Inspired by the promise of these software-only approaches, this paper proposes a hardware bounded pointer architectural primitive that supports cooperative hardware/software enforcement of spatial memory safety for C programs. This bounded pointer is a new hardware primitive datatype for pointers that leaves the standard C pointer representation intact, but augments it with bounds information maintained separately and invisibly by the hardware. The bounds are initialized by the software, and they are then propagated and enforced transparently by the hardware, which automatically checks a pointer's bounds before it is dereferenced. One mode of use requires instrumenting only malloc, which enables enforcement of per-allocation spatial safety for heap-allocated objects for existing binaries. When combined with simple intra-procedural compiler instrumentation, hardware bounded pointers enable a low-overhead approach for enforcing complete spatial memory safety in unmodified C programs.
Finally tagless, partially evaluated:
Tagless staged interpreters for simpler typed languages
This "functional necklace" aims to change how you try to write your
next interpreter: by deforesting the object language, to exhibit more
static safety in a simpler type system. We have built the first family
of tagless interpretations for a higher-order typed object language in
a typed metalanguage (Haskell or ML) that require no dependent types,
generalized algebraic data types, or postprocessing to eliminate tags.
The statically type-preserving interpretations include an evaluator, a
compiler (or staged evaluator), a partial evaluator, and call-by-name
and call-by-value CPS transformers.
Chung-chieh Shan, Jacques Carette and Oleg Kiselyov
Our main idea is to encode abstract syntax using cogen functions rather than data constructors. In other words, we represent object terms not in an initial algebra but using the coalgebraic structure of the lambda-calculus. Our representation also simulates inductive maps from types to types, which are required for typed partial evaluation and CPS transformations. Our encoding of an object term abstracts over the various ways to interpret it, yet statically assures that the interpreters never get stuck.