[langsec-discuss] so what does langsec have to say about heartbleed?

Andrew munin at mimisbrunnr.net
Tue Apr 8 23:50:44 UTC 2014


There's a huge body of academic literature dealing with quantifying
information disclosure from applications and ensuring that
applications don't leak sensitive information, either explicitly or
implicitly (including via timing-based side channels, which is very
exciting). This includes both the construction of programming
languages that specify security/integrity of data the program is
working on, and construction of type systems and hardware that
enforce security boundaries, as well as some amusing proofs of
non-existence with regards to some kinds of policy enforcement
mechanisms.

The keywords you want are "noninterference" and "declassification".

Some links:

http://www.ce.sharif.ac.ir/courses/91-92/1/ce795-1/resources/root/ReferencePapers/04-DenningModel-1976.pdf

http://www.cse.psu.edu/~tjaeger/cse598-f11/docs/sm-jsac03.pdf

http://www.ieee-security.org/TC/SP2013/papers/4977a003.pdf

http://f3.tiera.ru/2/Cs_Computer%20science/CsLn_Lecture%20notes/I/Information%20Security%20and%20Cryptology%20-%20ICISC%202005,%208%20conf.(LNCS3935,%20Springer,%202006)(ISBN%203540333541)(469s).pdf#page=168

http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf

http://people.seas.harvard.edu/~aslan/pltiming-pldi12.pdf

http://www.cse.chalmers.se/~russo/publications_files/csf2010full.pdf

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.64.6274&rep=rep1&type=pdf

On 04/08/2014 07:24 PM, travis+ml-langsec at subspacefield.org wrote:
> http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
>
>  So I'm wondering, apart from using buffer-safe languages (which
> is obviously the Right Thing), is there something like
> taint-checking that we could do in programming languages to prevent
> this sort of thing?
> _______________________________________________ langsec-discuss
> mailing list langsec-discuss at mail.langsec.org 
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
> 
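As an added example (not part of the original post or of OpenSSL), here is a tiny dynamic information-flow monitor in Python that applies the noninterference/declassification idea above to the quoted taint-checking question: a heartbeat echo that copies past the received payload picks up SECRET-labeled bytes, and the network sink refuses them unless an explicit declassify() vouches for the data. The memory layout, labels and helper names are constructed for illustration.

```python
from dataclasses import dataclass

PUBLIC, SECRET = 0, 1  # two-point lattice, PUBLIC <= SECRET


@dataclass(frozen=True)
class Labeled:
    """A value tagged with the join of the labels of everything that flowed into it."""
    data: bytes
    label: int

    def __add__(self, other: "Labeled") -> "Labeled":
        # Concatenation propagates taint: the result is as secret as its most secret input.
        return Labeled(self.data + other.data, max(self.label, other.label))


class FlowViolation(Exception):
    """Raised when SECRET-labeled data would reach a PUBLIC sink."""


def send_to_peer(value: Labeled) -> bytes:
    """Network sink (constructed): only PUBLIC-labeled bytes may leave the process."""
    if value.label != PUBLIC:
        raise FlowViolation("SECRET data would reach the network")
    return value.data


def is_safe_to_send(value: Labeled) -> bool:
    """Same policy as send_to_peer, as a boolean for callers that prefer a check."""
    return value.label == PUBLIC


def declassify(value: Labeled) -> Labeled:
    """Explicit, auditable downgrade: the only path from SECRET to PUBLIC."""
    return Labeled(value.data, PUBLIC)


def build_memory(payload: bytes, key_material: bytes) -> list:
    """Constructed process memory: the received heartbeat payload followed by key bytes."""
    return ([Labeled(bytes([b]), PUBLIC) for b in payload]
            + [Labeled(bytes([b]), SECRET) for b in key_material])


def heartbeat_response(memory: list, offset: int, actual_len: int,
                       claimed_len: int, check_bounds: bool) -> Labeled:
    """Echo claimed_len cells starting at offset; the bounds check is the fix."""
    n = actual_len if check_bounds and claimed_len > actual_len else claimed_len
    out = Labeled(b"", PUBLIC)
    for cell in memory[offset:offset + n]:
        out = out + cell  # label join happens here, one cell at a time
    return out
```

Without the bounds check the response's label is SECRET and the sink rejects it even though no bounds error was ever observed by the copy itself; with the check, or after an explicit declassify(), the same sink accepts the bytes.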

