2 Search Results for "Cifuentes, Cristina"


Document
What is a Secure Programming Language?

Authors: Cristina Cifuentes and Gavin Bierman

Published in: LIPIcs, Volume 136, 3rd Summit on Advances in Programming Languages (SNAPL 2019)


Abstract
Our most sensitive and important software systems are written in programming languages that are inherently insecure, making the security of the systems themselves extremely challenging. It is often said that these systems were written with the best tools available at the time, so over time with newer languages will come more security. But we contend that all of today’s mainstream programming languages are insecure, including even the most recent ones that come with claims that they are designed to be "secure". Our real criticism is the lack of a common understanding of what "secure" might mean in the context of programming language design. We propose a simple data-driven definition for a secure programming language: that it provides first-class language support to address the causes for the most common, significant vulnerabilities found in real-world software. To discover what these vulnerabilities actually are, we have analysed the National Vulnerability Database and devised a novel categorisation of the software defects reported in the database. This leads us to propose three broad categories, which account for over 50% of all reported software vulnerabilities, that as a minimum any secure language should address. While most mainstream languages address at least one of these categories, interestingly, we find that none address all three. Looking at today’s real-world software systems, we observe a paradigm shift in design and implementation towards service-oriented architectures, such as microservices. Such systems consist of many fine-grained processes, typically implemented in multiple languages, that communicate over the network using simple web-based protocols, often relying on multiple software environments such as databases. In traditional software systems, these features are the most common locations for security vulnerabilities, and so are often kept internal to the system. In microservice systems, these features are no longer internal but external, and now represent the attack surface of the software system as a whole. The need for secure programming languages is probably greater now than it has ever been.

Cite as

Cristina Cifuentes and Gavin Bierman. What is a Secure Programming Language?. In 3rd Summit on Advances in Programming Languages (SNAPL 2019). Leibniz International Proceedings in Informatics (LIPIcs), Volume 136, pp. 3:1-3:15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2019)


Copy BibTex To Clipboard

@InProceedings{cifuentes_et_al:LIPIcs.SNAPL.2019.3,
  author =	{Cifuentes, Cristina and Bierman, Gavin},
  title =	{{What is a Secure Programming Language?}},
  booktitle =	{3rd Summit on Advances in Programming Languages (SNAPL 2019)},
  pages =	{3:1--3:15},
  series =	{Leibniz International Proceedings in Informatics (LIPIcs)},
  ISBN =	{978-3-95977-113-9},
  ISSN =	{1868-8969},
  year =	{2019},
  volume =	{136},
  editor =	{Lerner, Benjamin S. and Bod{\'\i}k, Rastislav and Krishnamurthi, Shriram},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops-dev.dagstuhl.de/entities/document/10.4230/LIPIcs.SNAPL.2019.3},
  URN =		{urn:nbn:de:0030-drops-105466},
  doi =		{10.4230/LIPIcs.SNAPL.2019.3},
  annote =	{Keywords: memory safety, confidentiality, integrity}
}
Document
Parfait - Designing a Scalable Bug Checker

Authors: Cristina Cifuentes and Bernhard Scholz

Published in: Dagstuhl Seminar Proceedings, Volume 8161, Scalable Program Analysis (2008)


Abstract
We present the design of Parfait, a static layered program analysis framework for bug checking, designed for scalability and precision by improving false positive rates and scale to millions of lines of code. The Parfait framework is inherently parallelizable and makes use of demand driven analyses. In this paper we provide an example of several layers of analyses for buffer overflow, summarize our initial implementation for C, and provide preliminary results. Results are quantified in terms of correctly-reported, false positive and false negative rates against the NIST SAMATE synthetic benchmarks for C code.

Cite as

Cristina Cifuentes and Bernhard Scholz. Parfait - Designing a Scalable Bug Checker. In Scalable Program Analysis. Dagstuhl Seminar Proceedings, Volume 8161, pp. 1-8, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2008)


Copy BibTex To Clipboard

@InProceedings{cifuentes_et_al:DagSemProc.08161.5,
  author =	{Cifuentes, Cristina and Scholz, Bernhard},
  title =	{{Parfait - Designing a Scalable Bug Checker}},
  booktitle =	{Scalable Program Analysis},
  pages =	{1--8},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2008},
  volume =	{8161},
  editor =	{Florian Martin and Hanne Riis Nielson and Claudio Riva and Markus Schordan},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops-dev.dagstuhl.de/entities/document/10.4230/DagSemProc.08161.5},
  URN =		{urn:nbn:de:0030-drops-15737},
  doi =		{10.4230/DagSemProc.08161.5},
  annote =	{Keywords: Static analysis, demand driven, parallelizable}
}
  • Refine by Author
  • 2 Cifuentes, Cristina
  • 1 Bierman, Gavin
  • 1 Scholz, Bernhard

  • Refine by Classification
  • 1 Security and privacy → Software security engineering
  • 1 Software and its engineering → Language features

  • Refine by Keyword
  • 1 Static analysis
  • 1 confidentiality
  • 1 demand driven
  • 1 integrity
  • 1 memory safety
  • Show More...

  • Refine by Type
  • 2 document

  • Refine by Publication Year
  • 1 2008
  • 1 2019

Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail