Security – Programming Languages

Security – Programming Languages


Let’s take a break and talk a bit about computer security– a topic we really haven’t touched on much in this unit so far. Security can sometimes be defined as computing in the presence of an adversary– someone else using a computer or a network or resources who means you hard or hopes to exploit or take advantage of resources resources that you’ve put out there. It just so happens–you’ll be surprised to discover I am breaking this news– that the internet is not secure. Malicious agents or adversaries can write malicious webpages or JavaScript fragments. The simplest way to do this would be to write a JavaScript fragment that loops forever– some sort of version of Fibonacci that has no stopping condition that just keeps going and going and going. Then as soon as you’ve directed your browser to that page, it would stall, and you’d be denied some server. You wouldn’t be able to use your computer. In practice, browsers often put some sort of timeout on script execution. I’ll run your script for 3 or 4 seconds, and after that if it hasn’t finished, I’d better stop. that’s one of the reasons why optimization is so important, but it also has this security angle. If we make any mistakes when we’re designing our web browser, then outside agents might break in to our computers and gain access to sensitive documents–our tax returns, our personal email, or whatnot. We want to make sure that that doesn’t happen. Let’s listen to someone who knows quite a bit more about security than I do talk about how this plays out in the real world with web browsers. The web can be a great place but it can also be a dangerous place. Nothing stops users from posting malicious code or websites or writing scripts that will trying to take advantage of your computer or your browser. There might be security holes or exploits, they’re sometimes called, that allow this. I was wondering if you might talk a bit about security at the language or implementation level from the perspective of Mozilla. Absolutely. Security is a prevalent concern at Mozilla. When I was growing up, the idea of getting a piece of software was that you actually drove to a store and you looked at a shelf and you pulled a box off the shelf and you paid somebody and you took it home and that piece of software was sold to you by a company that you trusted, by a third party that you trusted, so you had some sense of this piece of software that I’m about to put on my computer is something that I can believe is going to do something on behalf, not something against me. The web doesn’t work like that way at all. The way web applications work is you can go to any website anywhere in the world, and somebody you’ve never met and never seen and that nobody can vouch for you is going to run some of their code that they wrote on your computer. So that changes the game. That means that in order to build a serious platform where programs can do important things on your behalf, we need to make sure that they can’t also do important things against you. The more people put valuable parts of their lives onto the web like their bank account, for example, the more we have important assets to defend. One of the concepts people talk about a lot in security is the notion of the trust computing base. When you download some code from some third party that you don’t know, if we’re being kind of maximally pessimistic we say, well, I don’t trust this code completely. I’d like it to do something for me but I don’t know for sure that it’s not malicious. However, that code is running inside of a web browser like Firefox, and I do trust the code that was written by Mozilla. I do trust Firefox. In order to be able to say as much as we can about the security of a system, we’d like for the parts of the system that we need to trust the most to be as small as possible, so we talk about shrinking the trusted computing base, as being a goal of having the smallest possible amount of software where if it goes wrong disaster can ensue–like somebody can steal or credit card information or your bank account. All modern web browsers are implemented in C++. Now, C++ is a very powerful language. There are a lot of things that you can do with it. But it’s also not a particularly safe language. It’s a language where if you make one wrong move, if you make one little programming mistake, you can actually leave parts of your system open to malicious programs. For example, if you write a program in C++ and you have an array of data and you forget to make sure that the program doesn’t go beyond the end of that array, in most programming languages you’ll get a runtime error that says, “Oops. You tried to access beyond the end of the array.” C++ doesn’t give you that protection. What C++ does is it just keeps reading what ever happens to be in memory at the end of that array. Well, whatever happens to be in memory could actually be some part of the browser that has internal information like a password. It could also be some other program running on the system, and there are a lot of people out there who work on finding ways to exploit these kinds of bugs to use them to take control of your computer or to get access to your private data. The project of building a web browser that people can trust and building a web browser that operates on user’s behalf is also one of building software that they can trust. In order to build software that they can trust, it needs to be built on top of programming technologies that we know we can work with effectively to build software that’s not unsafe. We’ve been discussing malicious code like JavaScript written by evildoers that we would run in our interpreter. Running evil code seems really bad. Can’t I just look at the source code and tell if it’s bad before I run it and then not run the bad code? Why doesn’t Mozilla do something like that. Unfortunately, it turns out that there’s a lot of good theoretical computer science that shows us that that is a provably impossible problem. I don’t know if you’ve discussed the halting program.>>We may have. It turns out that if I were able to prove that any particular piece of code was not malicious I would also be able to solve the halting problem, and we already know that that’s an unsolvable problem in computer science. Looking at this maybe from a more positive side, that means that I’ll always have a job. The law of compiler writer employability.>>Exactly.

2 thoughts on “Security – Programming Languages”

Leave a Reply

Your email address will not be published. Required fields are marked *