Adaptable and evolving software for eternal systems
ISoLA'12 Proceedings of the 5th international conference on Leveraging Applications of Formal Methods, Verification and Validation: technologies for mastering change - Volume Part I
Modern software systems are not only famous for being ubiquitous and large-scale but also infamous for being inherently insecure. We argue that a large part of this problem is due to the fact that current programming languages do not provide adequate built-in support for addressing security concerns. In this work we outline the challenges involved in developing Codana, a novel programming language for defining provably correct dynamic analyses. Codana analyses form security monitors; they allow programmers to proactively protect their programs from security threats such as insecure information flows, buffer overflows and access-control violations. We plan to design Codana in such a way that program analyses will be simple to write, read and prove correct, easy to maintain and reuse, efficient to compile, easy to parallelize, and maximally amenable to static optimizations. This is difficult because Codana must nevertheless comprise sufficiently expressive language constructs to cover a large class of security-relevant dynamic analyses. For deployed programs, we envision Codana-based analyses to be the last line of defense against malicious attacks. It is hence paramount to provide correctness guarantees on Codana-based analyses as well as on the related program instrumentation and static optimizations. A further challenge is effective but provably correct sharing: dynamic analyses can benefit from sharing information with one another. We plan to encapsulate such shared information within Codana program fragments.