My thesis is that languages and frameworks can and should be designed to make it easier for programmers to write reviewably secure systems. A system is reviewably secure if its security is easy for an experienced programmer to verify, given access to the source code. A security reviewer should be able, with a reasonable amount of effort, to gain confidence that such a system meets its stated security goals. This dissertation includes work on on language subsetting and web application framework design. It presents Joe-E, a subset of the Java programming language designed to enforce object-capability security, simplifying the task of verifying a variety of security properties by enabling sound, local reasoning. Joe-E also enforces determinism-by-default, which permits functionally-pure methods to be identified by their signature. Functional purity is a useful property that can greatly simplify the task of correctly implementing and reasoning about application code. A number of applications of the Joe-E language are presented and evaluated. The second part of this dissertation presents tool and framework enhancements for improving the security of web applications. I present techniques for retrofitting existing web applications to use template systems effectively to prevent cross-site scripting and content injection vulnerabilities while preserving functionality. I also show how HTML templates can be rewritten to normalize their output, improving the assurance of security provided by automatic escaping and other static analyses. These two applications of my thesis demonstrate that practical enhancements to languages and frameworks can support developers in creating more secure software that is easier to review. Continued improvement in language and framework support for reviewability is a promising approach toward improving the security provided by modern software.




Download Full History