Security via Type Qualifiers
Jeff Foster     U Maryland

Standard practice for software quality
  -- Testing
       make sure program runs correctly on set of inputs
  -- Code auditing
       convince yourself and others that your code is correct

  difficult, expensive, incomplete

  What more to do?
    - build tools to analyze source code
    - check limited but very useful properties
    - develop programming models

  Goal: add specifications to programs in a way that
    - programmer will accept, light weight
    - scales to large program
    - solves many different problems

 Type Qualifiers
   - Extend standard type systems (C, Java, ML)
       -- get programmers to write a little bit more
       -- e.g.

	     int
	     const int                 ANSI C
	     ptr(tainted char)         format-string vulnerabilities
	     kernel ptr(char)->char    user/kernel vulnerabilities

Format String Vulnerabilities
  - I/O functions in C take format strings
  - bug: calling printf(name) instead of printf("%s\n", name), so name is interpreted as the format
  - a format containing "%n" writes to memory

Using tainted and untainted
  - add qualifier annotations
     -- tainted : may be controlled by adversary
     -- untainted : must not be controlled by adversary

  - subtyping
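
An added example (not from the talk or from CQual) of the two qualifiers and their subtyping order: a tiny checker over a MinML-like expression language, assuming printf's format parameter is declared ptr(untainted char) and that adversary-controlled input is tainted. The expression forms, the "input" construct and the sample programs are constructed for this example.

```python
UNTAINTED, TAINTED = "untainted", "tainted"

def qual_leq(q1, q2):
    """Lattice untainted < tainted: q1-qualified data may be used where q2 is expected iff q1 <= q2."""
    return q1 == q2 or (q1 == UNTAINTED and q2 == TAINTED)

def join(q1, q2):
    """Least upper bound: anything combined with tainted data is tainted."""
    return TAINTED if TAINTED in (q1, q2) else UNTAINTED

# Assumed declaration: printf's format parameter is ptr(untainted char); later args are unconstrained.
PRINTF_FORMAT_QUAL = UNTAINTED

# Constructed expression forms (not CQual's syntax); ("var", x) looks x up in env:
#   ("lit", s)             string literal            -> untainted
#   ("input",)             adversary-controlled data -> tainted (argv, getenv, recv)
#   ("concat", e1, e2)     concatenation             -> join of both qualifiers
#   ("let", x, e, body)    bind x to e's qualifier within body
#   ("printf", fmt, *args) call; requires qual(fmt) <= untainted
def qual_of(expr, env, errors):
    kind = expr[0]
    if kind == "lit":
        return UNTAINTED
    if kind == "input":
        return TAINTED
    if kind == "var":
        return env[expr[1]]
    if kind == "concat":
        return join(qual_of(expr[1], env, errors), qual_of(expr[2], env, errors))
    if kind == "let":
        _, name, bound, body = expr
        return qual_of(body, {**env, name: qual_of(bound, env, errors)}, errors)
    if kind == "printf":
        fmt_q = qual_of(expr[1], env, errors)
        for arg in expr[2:]:
            qual_of(arg, env, errors)  # a "%s" argument may legitimately be tainted
        if not qual_leq(fmt_q, PRINTF_FORMAT_QUAL):
            errors.append(f"printf format is {fmt_q}, expected <= {PRINTF_FORMAT_QUAL}")
        return UNTAINTED  # printf's int result carries no taint
    raise ValueError(f"unknown expression kind {kind!r}")

def check(program):
    errors = []  # type-check a closed program; collect qualifier violations
    qual_of(program, {}, errors)
    return errors

# Constructed sample programs: the talk's two printf calls plus a concatenated format.
SAFE = ("let", "name", ("input",), ("printf", ("lit", "%s\n"), ("var", "name")))
UNSAFE = ("let", "name", ("input",), ("printf", ("var", "name")))
MIXED = ("let", "name", ("input",), ("printf", ("concat", ("lit", "Hello "), ("var", "name"))))
```

Running check on SAFE reports nothing, while UNSAFE and MIXED each yield one violation because a tainted string reaches the untainted format parameter.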

Type  Qualifiers for MinML
  Q : set of type qualifiers
  qualified types : a qualifier Q applied to a type constructor s
    qt  ::=  Q s
    s   ::=  c0(qt, ..., qt) | ... | cn(qt, ..., qt)
  for MinML
    qt ::= int^Q | bool^Q | (qt -> qt)^Q
