A program transformation is a function that maps programs to programs. A security-oriented program transformation is a function that maps programs to security-augmented programs, i.e. it introduces a security solution to make a program more secure.
There are many kinds of program transformations. Compilers translate a program in source form into an equivalent program in a particular machine language. Refactorings are source-to-source transformations that change the structure of a program but not its behavior. Our security-oriented program transformations include both source-to-source and binary-to-binary transformations. Because they improve the security of a system, they do not preserve all of its behavior: they preserve the expected behavior but change the system's response to attacks.
A software system is often thought of as a collection of components; in that view, "adding on" security means adding a new component. A software system can also be thought of as the result of a sequence of program transformations. Consider the sequence of versions in a version control system: the difference between any two adjacent versions is a program transformation. Some version control systems, such as CVS, store these differences instead of the versions themselves and reconstruct a version by applying a series of them. Our focus is not on such very specific program transformations.
We are interested in automated, general-purpose program transformations that remove security threats from programs. "General purpose" does not mean that a transformation works on every program: each one usually expects a particular programming language or platform, because the exact details are language-specific. We mean that a transformation for a given programming language should be applicable to all programs written in that language.
Our security-oriented program transformations are "schematic": they are structural changes that do not depend on a detailed understanding of the application logic. In this respect they resemble refactorings, which alter the internal structure of code without changing its external behavior. However, security-oriented program transformations are not behavior-preserving in the way refactorings are. Behavior preservation in the face of a security vulnerability means something slightly different: the program keeps its correct behavior while the incorrect behavior caused by the vulnerability is fixed. Our transformations are behavior-preserving when the system is used correctly; they preserve the good-path behavior. Only an attacker sees a change in behavior, because the transformation removes the source of the vulnerability the attacker wants to exploit.
We have compiled a list of forty-four candidate security solutions that can be described as security-oriented program transformations. The list is available as a PDF document.
An Example Security-oriented Program Transformation
Safe Library Replacement Transformation
You have a program that calls a function that can be abused for a data injection attack if it receives insufficiently validated input. You want to ensure that the program is not vulnerable to injection attacks.
Replace the unsafe functions with safe functions that are not vulnerable even if malicious data reaches them.

Mechanics
For each unsafe function, a developer specifies the safe alternative and the library that provides it.
The program transformation locates every call to an unsafe function and replaces it with the specified alternative in all source files.
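A toy implementation of this transformation, added here as an illustration (it is not the tool built for the thesis): a developer-supplied table maps each unsafe C string function to a safe replacement and the header that declares it, and the transformer rewrites every call site in a source file. The replacement table, the `sizeof(dst)` argument rewrite and the sample C source are assumptions constructed for the example. It also shows the caveat a schematic rewrite must handle: `sizeof` yields the buffer size only when the destination is an array visible in scope. When the destination is a pointer (or any expression that is not a plain identifier) the correct bound is unknown, so the call is flagged for human review instead of being silently rewritten into something that compiles but is wrong.

```python
"""Toy safe-library-replacement transformation for C source (added example).

Works at the text level on call syntax; a production transformation would use a
compiler front end and real type information.  The unsafe->safe table and the
sample source are assumptions constructed for this example.
"""
import re
from typing import Callable, Dict, List, Tuple

# Step 1 of the Mechanics: per unsafe function, the developer gives the safe
# alternative, the header that declares it, and how the arguments are remapped.
SafeSpec = Tuple[str, str, Callable[[List[str]], List[str]]]
REPLACEMENTS: Dict[str, SafeSpec] = {
    # strcpy(dst, src) -> snprintf(dst, sizeof(dst), "%s", src): truncates, always NUL-terminates
    "strcpy": ("snprintf", "stdio.h", lambda a: [a[0], f"sizeof({a[0]})", '"%s"', a[1]]),
    # sprintf(dst, fmt, ...) -> snprintf(dst, sizeof(dst), fmt, ...)
    "sprintf": ("snprintf", "stdio.h", lambda a: [a[0], f"sizeof({a[0]})"] + a[1:]),
    # gets(dst) -> fgets(dst, sizeof(dst), stdin)
    "gets": ("fgets", "stdio.h", lambda a: [a[0], f"sizeof({a[0]})", "stdin"]),
}
# \b keeps 'gets' from matching inside 'fgets' and 'strcpy' inside 'strncpy'.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, REPLACEMENTS)) + r")\s*\(")


def split_args(src: str, open_idx: int) -> Tuple[List[str], int]:
    """Split the argument list of the call whose '(' is at open_idx into top-level
    arguments, honouring nested parentheses and string/char literals.
    Returns (args, index just past the closing ')')."""
    depth, i, start, args = 0, open_idx, open_idx + 1, []
    while i < len(src):
        c = src[i]
        if c in "\"'":  # skip a literal, including escaped quotes inside it
            quote, i = c, i + 1
            while i < len(src) and src[i] != quote:
                i += 2 if src[i] == "\\" else 1
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append(src[start:i].strip())
                return [a for a in args if a], i + 1
        elif c == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
        i += 1
    raise ValueError("unbalanced parentheses in call")


def buffer_size_unknown(src: str, dst: str) -> bool:
    """Heuristic: sizeof(dst) is only the buffer size when dst is a plain identifier
    declared as an array.  Flag pointers (`char *dst`, including `const char *dst`)
    and any non-identifier expression.  A real tool would query the type checker."""
    if not re.fullmatch(r"[A-Za-z_]\w*", dst):
        return True
    return re.search(r"\bchar\s*\*\s*" + re.escape(dst) + r"\b", src) is not None


def safe_library_replacement(src: str) -> Tuple[str, List[str]]:
    """Step 2 of the Mechanics for one source file.  Returns the rewritten source
    and the list of call sites that could not be rewritten safely."""
    out, pos, needs_review, headers = [], 0, [], set()
    for m in CALL_RE.finditer(src):
        if m.start() < pos:  # nested inside a call already consumed; left as-is
            continue
        unsafe = m.group(1)
        safe, header, remap = REPLACEMENTS[unsafe]
        args, end = split_args(src, m.end() - 1)
        out.append(src[pos:m.start()])
        if buffer_size_unknown(src, args[0]):
            # sizeof on a pointer is the pointer's size, not the buffer's: do not
            # rewrite, mark the site so a developer supplies the real bound.
            out.append(f"/* TODO(safe-lib): {unsafe} on {args[0]}, buffer size unknown */ ")
            out.append(src[m.start():end])
            needs_review.append(f"{unsafe}({', '.join(args)})")
        else:
            out.append(f"{safe}({', '.join(remap(args))})")
            headers.add(header)
        pos = end
    out.append(src[pos:])
    result = "".join(out)
    for h in sorted(headers):  # pull in the library that declares the safe function
        if f"<{h}>" not in result:
            result = f"#include <{h}>\n" + result
    return result, needs_review


# Constructed sample input: an array destination, a pointer destination, and
# a format string containing a comma that must not be split on.
UNSAFE_SOURCE = '''#include <string.h>
void greet(const char *name, char *dest) {
    char buf[64];
    strcpy(buf, name);
    sprintf(buf, "hello, %s (%d)", name, (int)strlen(name));
    strcpy(dest, buf);
    gets(buf);
}
'''

if __name__ == "__main__":
    rewritten, review = safe_library_replacement(UNSAFE_SOURCE)
    print(rewritten)
    print("needs review:", review)
```

Two points worth noting about the result. The rewritten `snprintf` and `fgets` calls truncate input that the originals would have written past the end of `buf`, so behavior changes only on inputs that would have overflowed, which is exactly the "only attackers see a change" property described above. And the flagged `strcpy(dest, buf)` shows why the transformation is schematic rather than fully automatic: the bound for a pointer destination is not recoverable from the call site, so the developer's specification, not the tool, has to supply it.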
PhD Thesis
Department of Computer Science, University of Illinois
Urbana, Illinois, Dec 2010
Tool Demo
Preventing Integer Overflow Attacks with 'Add Integer Cast' Program Transformation
(avi) (Extended Abstract)
Munawar Hafiz
Feb, 2011
Publications
Security-oriented Program Transformations to Cure Integer Overflow Vulnerabilities
Zack Coker
ACM Student Research Competition
In Companion of the 27th Object-Oriented Programming, Systems, Languages and Applications, OOPSLA 2012
Oct 2012
Patterns Transform Architectures
Munawar Hafiz, Paul Adamczyk and Ralph Johnson
In Proceedings of the 9th Working IEEE/IFIP Conference on Software Architecture, WICSA 2011
Boulder, CO, Jun 2011
Improving Perimeter Security with Security-oriented Program Transformations
Munawar Hafiz and Ralph Johnson
In Proceedings of the 5th International Workshop on Software Engineering for Secure Systems, SESS 2009
Vancouver, Canada, May 2009
Systematically Eradicating Data Injection Attacks using Security-oriented Program Transformations
Munawar Hafiz, Paul Adamczyk and Ralph Johnson
In Proceedings of the Symposium on Engineering Secure Software and Systems, ESSoS 2009
Leuven, Belgium, Feb 2009
Security-oriented program transformations (Or how to add security on demand)
Munawar Hafiz
In Companion of the 23rd Object-Oriented Programming, Systems, Languages and Applications, OOPSLA 2008
San Diego, California, Oct 2008
A Security-oriented Program Transformation to "Add On" Policies to Prevent Injection Attacks
Munawar Hafiz and Ralph Johnson
2nd Workshop on Refactoring Tools, Co-located with OOPSLA 2008
Nashville, Tennessee, Oct 2008
Last modified: Aug 24, 2012
Conceived and Maintained by: Munawar Hafiz