Language Based Software Security

Many software security issues cannot be addressed without a specification defining what security means. This project investigates secure APIs and disciplined styles of programming that reduce the likelihood of security flaws. It combines two related efforts: first, the development of specification languages that enhance security at little cost to programmers; and second, tools that enforce these disciplines, such as the efficient insertion of security monitors into existing programs. If successful, this work will yield methods and tools that make it significantly easier to design secure APIs and to know that implementations are faithful to those designs.
Problems in language-based privacy are also being investigated. One potential threat to privacy and security in contemporary languages is leakage via pointers: objects are implemented as pointers to data structures, and aliasing of those pointers can violate many of the encapsulation boundaries provided by modern programming languages and systems. This effort focuses on techniques for confining the scope of pointer aliasing; such techniques can provide a basis for higher-level reasoning about what privacy guarantees (if any) can be made about a software system. The goal is to design methods that make it easier to write software in which data can be declared, and checked, to be private.
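To make the aliasing problem concrete, here is an added illustration (constructed for this page, not code from the project): a class whose "private" state can be reached through references that escape in both directions, beside a version that confines those references by never letting them cross the object boundary. The class names, fields and the constructed attribute values are assumptions.

```python
import copy


class LeakyProfile:
    """Keeps 'private' attributes and an audit trail, but hands out
    references to its internals, so callers hold aliases to them."""

    def __init__(self, attrs: dict):
        self._attrs = attrs        # alias IN: caller still holds this dict
        self._audit = []

    def attrs(self) -> dict:
        return self._attrs         # alias OUT: caller can mutate our state

    def record(self, event: str) -> None:
        self._audit.append(event)

    def audit_log(self) -> list:
        return self._audit         # alias OUT: caller can erase the trail


class ConfinedProfile:
    """Same interface, but no reference to internal state ever escapes:
    everything is copied on the way in and on the way out."""

    def __init__(self, attrs: dict):
        self._attrs = copy.deepcopy(attrs)   # private copy, no shared alias
        self._audit = []

    def attrs(self) -> dict:
        return copy.deepcopy(self._attrs)    # snapshot; edits don't reach us

    def record(self, event: str) -> None:
        self._audit.append(event)

    def audit_log(self) -> list:
        return list(self._audit)             # copy; clear() affects only it


def demonstrate(cls):
    """Apply the same three alias-based edits to an instance of cls and
    report what the object believes its state is afterwards."""
    shared = {"email": "a@example.test", "ssn": "000-00-0000"}  # constructed
    p = cls(shared)
    p.record("login")
    shared["ssn"] = "tampered-in"          # 1. through the dict passed in
    p.attrs()["email"] = "tampered-out"    # 2. through the returned dict
    p.audit_log().clear()                  # 3. through the returned list
    return {"ssn": p.attrs()["ssn"], "email": p.attrs()["email"],
            "audit": len(p.audit_log())}
```

`demonstrate(LeakyProfile)` shows all three edits landing inside the object, while `demonstrate(ConfinedProfile)` shows the state and audit trail intact; a confinement discipline of the kind the project describes would let a tool check that the second style is followed rather than relying on each getter's author to remember the copy.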