Programming Language-Based Security To Rescue (PROSECUTOR)
Research Project, 2013 – 2017

It is alarming that society's critical infrastructures are not fully prepared to meet the challenge of information security. Modern computing systems are increasingly extensible, inter-connected, and mobile. However, exactly these trends make systems more vulnerable to attacks. A particularly exposed infrastructure is the world-wide web infrastructure, where allowing the mere possibility of fetching a web page opens up opportunities for delivering potentially malicious executable content past current security mechanisms such as firewalls. A critical challenge is to secure the computing infrastructures without losing the benefits of the trends.

It is our firm belief that attacks will continue succeeding unless a fundamental security solution, one that focuses on the security of the actual applications (code), is devised. To this end, we are convinced that application-level security can be best enforced, *by construction*, at the level of programming languages.

ProSecuToR will develop the technology of *programming language-based security* in order to secure computing infrastructures. Language-based security is an innovative approach for enforcing security by construction. The project will deliver policies and enforcement mechanisms for protecting who can see and who can modify sensitive data. Security policies will be expressible by the programmer at the construction phase. We will devise a policy framework capable of expressing fine-grained application-level security policies. We will build practical enforcement mechanisms to enforce the policies for expressive languages. Enforcement mechanisms will be fully automatic, preventing dangerous programs from executing whenever there is a possibility of compromising desired security properties. The practicality will be demonstrated by building robust web applications.

Participants

Andrei Sabelfeld (contact)

Software Technology (Chalmers)

Funding

European Commission (EC)

Project ID: EC/FP7/307544
Funding Chalmers participation during 2013–2017

Related Areas of Advance and Infrastructure

Information and Communication Technology

Areas of Advance

Sustainable development

Driving Forces

Basic sciences

Roots

Publications

2018

Flexible Information-Flow Control

Doctoral thesis

Latest update

9/2/2020