Invited Talk Series: Computer Information Assurance and Security

Thursday, December 15, 2005
2:00-3:30 p.m.
Bioscience Building, Loeffler Room 3.03.02

Language-based Information Security

Steve Zdancewic
Assistant Professor
University of Pennsylvania

Abstract: Our society's widespread dependence on networked information systems for everything from personal finance to military communications makes it essential to improve the reliability and security of software. Recently, programming-languages research has demonstrated that security concerns can be addressed by using both program analysis and program rewriting as powerful and flexible enforcement mechanisms.

I will describe how to use programming-language techniques to enforce information-flow policies, which are a natural, high-level way of specifying how programs may manipulate confidential data. This talk will give an overview of the approach and then consider two challenges in more detail. The first challenge is specifying and enforcing policies that include downgrading mechanisms (e.g., declassification of confidential information). We propose the notions of "robust declassification" and "relaxed noninterference" to address this challenge. The second challenge is to permit static information-flow policies to depend on data (such as which user ran the program) that is not available until runtime. To address this challenge, we use an extended type system that permits "dynamic principals" and uses static checking to ensure that the program performs appropriate dynamic checks. The two challenges are related, and, when combined, our proposed solutions yield a programming language with features for programming secure software that can naturally be implemented in terms of a public key infrastructure or other trust-management system.

Bio: Dr. Zdancewic is an assistant professor in the Computer and Information Science department at the University of Pennsylvania. He received his Ph.D. in computer science from Cornell University in 2002, and he graduated from Carnegie Mellon University with a B.S. in Computer Science and Mathematics in 1996. He is the recipient of an NSF Graduate Research Fellowship, an Intel fellowship, and an NSF CAREER award. His publications in the areas of programming languages and computer security include two best paper awards.