Stephen Chong Research Statement
Author
Abstract
ions; and the availability of application-meaningful abstractions can enable precise enforcement of application-specific security requirements. We have considered practical enforcement of strong information security using a variety of techniques (including capabilities, hybrid monitors, cryptographic mechanisms, and PDGs) in a variety of settings (including concurrent programs and web applications).

Capabilities

A capability is a reified representation of the authority to perform potentially dangerous actions in a computer system. Capabilities have been used in many systems to control the authority of users and computer processes. We have incorporated capabilities into programming languages to provide simple and intuitive mechanisms to restrict the authority of programs, thereby helping prevent applications from violating security requirements. With postdoctoral researcher Christos Dimoulas, and graduate students Scott Moore and Dan King, we have developed Shill, a secure shell scripting language. Shill programs combine language-level capabilities with software contracts. The contracts are essentially declarative security policies, describing the capabilities that a program requires and how the program may use them. Through language design and kernel-level sandboxing, Shill limits the effects of program execution to only those actions permitted by the capabilities the program possesses. The combination of capabilities with software contracts enables compositional reasoning about the potential effects of programs. We have implemented a prototype of Shill for FreeBSD (available at http://shill.seas.harvard.edu/). Shill is a practical and useful system security tool, providing fine-grained security guarantees and protecting systems against untrustworthy programs. This work was published at the 2014 USENIX Symposium on Operating Systems Design and Implementation (OSDI) [29].
Despite the recency of this work, other researchers have been inspired by it and have enforced similar restrictions on capabilities in other language settings [39]. Effective use of capabilities as a security mechanism requires the ability to reason about and restrict the propagation of capabilities within a system. In further work, we have used declarative policies on capabilities to control their propagation [18]. We allow the developer to declare which software components are permitted to possess a given capability, and we automatically enforce this security policy with an access control mechanism. Moreover, the developer can declare which components are permitted to influence the use of a given capability, leading to a noninterference-like security condition that can be achieved using standard information-flow control mechanisms. This work was published at the 2014 Computer Security Foundations Symposium (CSF).

Hybrid information-flow control techniques

By controlling the flow of information in computer systems, strong, precise, application-specific information security (such as noninterference) can be enforced [33]. Hybrid information-flow security monitors (e.g., [37, 24, 5, 32]) combine static and dynamic techniques for language-based information-flow control and enjoy the benefits of both approaches. We discovered theoretical limits on the precision of hybrid information-flow control by extending a hybrid monitor [32] to handle dynamically allocated memory. Graduate student Scott Moore and I identified sufficient conditions for the soundness of the memory abstractions that the monitor uses to track information flow through dynamically allocated memory. Interestingly, we found that certain memory abstractions are unsound because they are too precise. This led to the discovery of an unintentional source of unsoundness in an existing hybrid information-flow monitor. This work appeared at the 2011 Computer Security Foundations Symposium (CSF) [27].

We additionally developed hybrid information-flow monitors to precisely enforce termination-sensitive security (i.e., preventing the revelation of confidential information through the termination behavior of programs). With Askarov and Moore, I showed that, contrary to common belief, it is possible to enforce termination-sensitive security without overly restrictive enforcement mechanisms: a case study of a security-typed program showed that the termination behavior of all (intraprocedural) loops depends only on non-confidential information and is amenable to existing termination analyses. This work was published at the 2012 ACM Conference on Computer and Communications Security (CCS) [28].

With collaborator Heiko Mantel (TU Darmstadt) and Askarov, I further extended the state of the art of hybrid information-flow monitoring by provably and efficiently enforcing termination-sensitive security in concurrent programs [3]. In this work, each thread has its own local monitor that tracks and restricts information flow within the thread, and a single global monitor ensures appropriate coordination between threads. Importantly, the local monitors communicate with the global monitor only when threads synchronize. This innovation ensures that the monitor does not unnecessarily restrict concurrency. This work was published at the 2015 Computer Security Foundations Symposium (CSF).

Concurrency

Due to increasing hardware parallelism, concurrent systems that handle sensitive information are common, and we need practical mechanisms to enforce strong security in such systems. Since both information security and concurrency are connected to notions of dependency [1], there is potential for synergy between language mechanisms for concurrency and enforcement mechanisms for information security in concurrent programs.
With undergraduate Stefan Muller, I exploited such synergy in the X10 programming language, in work published at OOPSLA 2012 [30]. In X10, a place is a computational unit that contains computation and data (such as a core of a machine). Multiple threads may execute concurrently within a place. Threads at the same place share memory, and a thread may access data only at the place where it is located. Communication between places is by message passing. We extend X10 with coarse-grained information security mechanisms: we associate each place with a security level, and use a (completely static) security analysis to ensure that each place stores only data appropriate for that security level. Thus, all computation within a place is on data at the same security level. Interaction between places may influence the scheduling of threads at a place, leading to potential covert information channels; our security analysis tracks and controls these covert channels using an existing may-happen-in-parallel analysis for X10 [25]. The key innovation here is to leverage recently developed language mechanisms for concurrency to provide simple, practical, and useful abstractions for strong information security in concurrent programs. Additional work using hybrid information-flow security monitors to efficiently enforce security in concurrent programs [3] was described above.

Web Application Security

It is difficult to develop secure web applications using existing languages and frameworks. The dynamic and distributed nature of web applications is difficult to reason about, leading to numerous and costly vulnerabilities. One challenge is to correctly sanitize untrusted data. Failure to do so can lead to injection vulnerabilities, and it is notoriously difficult for developers of large web applications to get it right [34]. With collaborator Benjamin Livshits (Microsoft Research), I proposed a novel technique for the automated placement of sanitizers in web applications [26]. The developer simply states what sanitization needs to be applied to data as it moves from sources to sinks, and our mechanism automatically modifies the code to place sanitizers on the appropriate code paths, ensuring correct sanitization. Placement is static whenever possible, but switches to run-time taint tracking techniques when necessary for correctness. This work was published at the 2013 Symposium on Principles of Programming Languages (POPL).

Information Erasure

Information erasure is a formal security requirement that stipulates when sensitive data must be removed from computer systems. I introduced this security requirement in earlier work [11, 12], and other researchers have refined it and developed enforcement mechanisms (e.g., [22, 31]). In a system that correctly enforces erasure requirements, an attacker who observes the system after sensitive data is erased cannot deduce anything about the data. Practical obstacles to enforcing information erasure include: (1) correctly determining which data requires erasure; and (2) reliably deleting potentially large volumes of data, despite untrustworthy storage services. The first obstacle can be overcome using language-based information-flow control mechanisms. With collaborator Askarov, graduate student Moore, and postdoctoral researcher Dimoulas, we formalized the use of cryptographic mechanisms to address the second obstacle: sensitive data is encrypted before storage, and upon erasure only a relatively small set of decryption keys needs to be deleted. Although this cryptographic technique is used by a number of systems, we combine it with language-based information security mechanisms to support the correct determination of the data that needs erasure. This novel combination also improves the efficiency of existing language-based mechanisms for information erasure. This work was published at the 2015 Computer Security Foundations Symposium (CSF) [4].
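As an added, simplified illustration of the static-versus-dynamic placement choice for sanitizers (this is not the POPL 2013 algorithm or the paper's code), the following assumes a dataflow graph whose nodes are program points with designated untrusted sources, sinks and pre-existing sanitizers: where every path into a sink carries the same taint status the sanitizer can be inserted statically, and where paths disagree (sanitizing already-sanitized data can corrupt it) the decision is deferred to run-time taint tracking.

```python
# Added example (hypothetical, simplified): decide per sink whether a sanitizer
# can be placed statically or whether run-time taint tracking is needed.
from collections import deque

def arriving_states(graph, sources, sanitizers):
    """graph: {node: [successor, ...]}; every node must appear as a key.
    Returns {node: set of taint states data may have on arrival}:
    "tainted" (from a source), "sanitized" (passed a sanitizer), "clean"."""
    preds = {n: [] for n in graph}
    for n, succs in graph.items():
        for m in succs:
            preds[m].append(n)
    arrive = {n: set() for n in graph}
    leave = {n: set() for n in graph}
    work = deque(graph)
    while work:                      # fixpoint: sets only grow, so this terminates
        n = work.popleft()
        if n in sources:
            arrive[n] = {"tainted"}
        elif preds[n]:
            arrive[n] = set().union(*(leave[p] for p in preds[n]))
        else:
            arrive[n] = {"clean"}    # entry point that is not an untrusted source
        out = {"sanitized" if n in sanitizers and s == "tainted" else s
               for s in arrive[n]}
        if out != leave[n]:
            leave[n] = out
            work.extend(graph[n])
    return arrive

def placement_plan(graph, sources, sinks, sanitizers=frozenset()):
    """Map each sink to "none", "static" or "dynamic"."""
    arrive = arriving_states(graph, sources, sanitizers)
    plan = {}
    for sink in sinks:
        states = arrive[sink]
        if "tainted" not in states:
            plan[sink] = "none"      # every path is clean or already sanitized
        elif states == {"tainted"}:
            plan[sink] = "static"    # unconditionally sanitize right before the sink
        else:
            plan[sink] = "dynamic"   # mixed paths: tag data, sanitize only tainted data at run time
    return plan

# Constructed sample graph: form -> page; db -> esc -> render and db -> render;
# const -> log.  "form" and "db" are untrusted sources, "esc" an existing sanitizer.
SAMPLE = {"form": ["page"], "page": [], "db": ["esc", "render"], "esc": ["render"],
          "render": [], "const": ["log"], "log": []}

if __name__ == "__main__":
    print(placement_plan(SAMPLE, {"form", "db"}, {"page", "render", "log"}, {"esc"}))
```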
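The encrypt-then-delete-keys mechanism for erasure described above, as an added illustration that is not code from the CSF 2015 paper: each datum carries the set of erasure conditions it depends on (derived data inherits its inputs' conditions), the store encrypts it under one key per condition, and erasing a condition deletes that key so the ciphertext left in untrusted storage becomes unreadable. The HMAC-based keystream is a stand-in for a real cipher, and the class and method names are assumptions.

```python
# Added example (hypothetical design): language-level erasure labels combined
# with per-condition encryption keys, so erasing means deleting one small key.
import hmac, hashlib, secrets
from dataclasses import dataclass

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) standing in for a real cipher.
    ks = b""
    for ctr in range((len(data) + 31) // 32):
        ks += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(data, ks))

@dataclass(frozen=True)
class Labeled:
    value: bytes
    erase_on: frozenset     # erasure conditions this datum depends on

def combine(a: Labeled, b: Labeled, f) -> Labeled:
    # Derived data must be erased whenever any of its inputs must be erased.
    return Labeled(f(a.value, b.value), a.erase_on | b.erase_on)

class ErasingStore:
    def __init__(self):
        self.keys = {}   # trusted and small: condition -> key
        self.blobs = {}  # untrusted storage: name -> (conditions, ciphertext)

    def put(self, name: str, datum: Labeled) -> None:
        ct = datum.value
        for cond in sorted(datum.erase_on):   # one encryption layer per condition
            key = self.keys.setdefault(cond, secrets.token_bytes(32))
            ct = _xor_stream(key, ct)
        self.blobs[name] = (datum.erase_on, ct)

    def get(self, name: str):
        conds, ct = self.blobs[name]
        if not conds.issubset(self.keys):
            return None   # some key was erased: the plaintext is unrecoverable
        for cond in conds:  # XOR layers commute, so order does not matter
            ct = _xor_stream(self.keys[cond], ct)
        return ct

    def erase(self, cond: str) -> None:
        # Erasure deletes only the key; ciphertexts stay in untrusted storage.
        self.keys.pop(cond, None)
```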
4 Additional Research

Although primarily focused on language-based information security, I am also active in other areas of programming language research. I describe two such projects in this section.

Functional Reactive Programming

The Elm programming language is a functional reactive programming (FRP) language for graphical user interfaces. Developed under my supervision by undergraduate Evan Czaplicki for his senior thesis, Elm provides elegant programming abstractions for developing web-based clients. A paper published at the 2013 conference on Programming Language Design and Implementation (PLDI) presents a core calculus for Elm, including a novel language feature for asynchronous FRP that enables the efficient concurrent execution of FRP programs [16]. Elm has been used in programming language courses at the University of Chicago and KU Leuven, is used by at least 5 companies, and is the language used by McMaster University's software outreach program. Moreover, Elm has over 100 community-contributed
Publication date: 2015