
    Acta Cybernetica : Tomus 7. Fasciculus 2.

    Protecting Systems From Exploits Using Language-Theoretic Security

    Any computer program that processes input from a user or the network must validate that input. Input-handling vulnerabilities occur when the software component responsible for filtering malicious input, the parser, does not validate adequately. Consequently, parsers are among the most targeted components, since they defend the rest of the program from malicious input. This thesis adopts the Language-Theoretic Security (LangSec) principle to understand what tools and research are needed to prevent exploits that target parsers. LangSec proposes specifying the syntactic structure of the input format as a formal grammar; a recognizer for that grammar then validates every input before the rest of the program acts on it. To ensure that these recognizers faithfully represent the data format, programmers often rely on parser generators or parser combinator libraries to build them. This thesis advances several sub-fields of LangSec by proposing new techniques to find bugs in implementations, novel categorizations of vulnerabilities, and new parsing algorithms and tools to handle practical data formats. To this end, the thesis comprises five parts that tackle various tenets of LangSec. First, I categorize input-handling vulnerabilities and exploits using two frameworks. The first is the mismorphisms framework, which helps us reason about the root causes leading to various vulnerabilities. The second is a categorization framework we built from LangSec anti-patterns such as parser differentials and insufficient input validation. To demonstrate both frameworks, we built a catalog of more than 30 popular vulnerabilities. Second, I built parsers for various Internet of Things and power grid network protocols and for the iccMAX file format using parser combinator libraries. The parsers I built for power grid protocols were deployed and tested on power grid substation networks as an intrusion detection tool. The parser I built for the iccMAX file format led to several corrections and modifications to the iccMAX specification and reference implementations. Third, I present SPARTA, a novel tool I built that generates Rust code to type check Portable Document Format (PDF) files. The type checker I helped build strictly enforces the constraints in the PDF specification in order to find deviations. Our checker has contributed to at least four significant clarifications and corrections to the PDF 2.0 specification and to various open-source PDF tools. In addition to the checker, we built a practical tool, PDFFixer, to dynamically patch type errors in PDF files. Fourth, I present ParseSmith, a tool to build verified parsers for real-world data formats. Most parsing tools available for data formats are insufficient to handle practical formats or have not been verified for correctness. I built a verified parsing tool in Dafny that builds on ideas from attribute grammars, data-dependent grammars, and parsing expression grammars to tackle constructs commonly seen in network formats. I prove that our parsers run in linear time and always terminate for well-formed grammars. Finally, I provide the earliest systematic comparison of data description languages (DDLs) and their parser generation tools. DDLs are used to describe and parse commonly used data formats, such as image formats. I conducted an expert elicitation qualitative study to derive metrics that I use to compare the DDLs, and I systematically compare the DDLs based on the sample data descriptions shipped with them, checking for correctness and resilience
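    The LangSec workflow summarised above (write the input format as a grammar, build a recognizer from parser combinators, and let the rest of the program touch only input the recognizer accepts) is easiest to see on a small network-style record. The following is an added illustration, not code from the thesis or from any of its tools: a minimal combinator library and a recognizer for a constructed record format (a two-byte magic "LS", a version byte that must be 1, a big-endian 16-bit length, and a payload of exactly that many bytes). The length field makes the grammar data-dependent, the construct the thesis singles out for network formats; the format, field names and sample inputs are all constructed here for illustration.

```python
"""LangSec-style recognizer built from parser combinators (added example)."""
from dataclasses import dataclass
from typing import Any, Callable, Optional, Tuple

# A parser maps (data, pos) to (value, new_pos), or None to reject the input.
Parser = Callable[[bytes, int], Optional[Tuple[Any, int]]]


def tag(expected: bytes) -> Parser:
    """Match a fixed byte string."""
    def p(data: bytes, pos: int):
        end = pos + len(expected)
        return (expected, end) if data[pos:end] == expected else None
    return p


def u8() -> Parser:
    """One unsigned byte."""
    def p(data: bytes, pos: int):
        return (data[pos], pos + 1) if pos < len(data) else None
    return p


def u16be() -> Parser:
    """Big-endian unsigned 16-bit integer."""
    def p(data: bytes, pos: int):
        if pos + 2 <= len(data):
            return int.from_bytes(data[pos:pos + 2], "big"), pos + 2
        return None
    return p


def take(n: int) -> Parser:
    """Exactly n bytes; the bounds check is what stops a declared length
    from reading past the buffer (the classic over-read bug)."""
    def p(data: bytes, pos: int):
        if 0 <= n and pos + n <= len(data):
            return data[pos:pos + n], pos + n
        return None
    return p


def check(inner: Parser, pred: Callable[[Any], bool]) -> Parser:
    """Accept inner's value only if it satisfies a semantic constraint."""
    def p(data: bytes, pos: int):
        r = inner(data, pos)
        return r if r is not None and pred(r[0]) else None
    return p


def bind(inner: Parser, f: Callable[[Any], Parser]) -> Parser:
    """Data-dependent sequencing: choose the next parser from an earlier value."""
    def p(data: bytes, pos: int):
        r = inner(data, pos)
        if r is None:
            return None
        value, pos2 = r
        r2 = f(value)(data, pos2)
        return None if r2 is None else ((value, r2[0]), r2[1])
    return p


def seq(*parsers: Parser) -> Parser:
    """Run parsers one after another; any rejection rejects the whole input."""
    def p(data: bytes, pos: int):
        out = []
        for q in parsers:
            r = q(data, pos)
            if r is None:
                return None
            value, pos = r
            out.append(value)
        return tuple(out), pos
    return p


@dataclass(frozen=True)
class Record:
    version: int
    payload: bytes


# Constructed grammar (assumption, not a real protocol):
#   record := "LS" version:u8 [version == 1] length:u16be payload:bytes[length] EOF
RECORD = seq(
    tag(b"LS"),
    check(u8(), lambda v: v == 1),
    bind(u16be(), lambda n: take(n)),
)


def recognize(data: bytes) -> Optional[Record]:
    """Return a Record only if the entire input is a sentence of the grammar."""
    r = RECORD(data, 0)
    if r is None:
        return None
    (_, version, (_, payload)), end = r
    if end != len(data):  # trailing bytes are not part of the language: reject
        return None
    return Record(version, payload)


if __name__ == "__main__":
    # Constructed inputs: one valid record, one whose length field overclaims.
    print(recognize(b"LS\x01\x00\x03abc"))
    print(recognize(b"LS\x01\x00\x10abc"))
```

    The point of `recognize` returning a typed `Record` rather than raw bytes is that downstream code cannot observe a half-parsed or over-long message: a length that exceeds the buffer, a trailing byte, or an unexpected version are all rejected before any field is used.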

    Vision 2040: A Roadmap for Integrated, Multiscale Modeling and Simulation of Materials and Systems

    Over the last few decades, advances in high-performance computing, new materials characterization methods, and, more recently, an emphasis on integrated computational materials engineering (ICME) and additive manufacturing have been a catalyst for multiscale modeling and simulation-based design of materials and structures in the aerospace industry. While these advances have driven significant progress in the development of aerospace components and systems, that progress has been limited by persistent technology and infrastructure challenges that must be overcome to realize the full potential of integrated materials and systems design and simulation modeling throughout the supply chain. As a result, NASA's Transformational Tools and Technology (TTT) Project sponsored a study (performed by a diverse team led by Pratt & Whitney) to define the potential 25-year future state required for integrated multiscale modeling of materials and systems (e.g., load-bearing structures) to accelerate the pace and reduce the expense of innovation in future aerospace and aeronautical systems. This report describes the findings of the 2040 Vision study (the 2040 vision state; the required interdependent core technical work areas, called Key Elements (KEs); identified gaps and actions to close those gaps; and major recommendations). It constitutes a community consensus document, as it results from the input of over 450 professionals obtained via: 1) four society workshops (AIAA, NAFEMS, and two TMS), 2) a community-wide survey, and 3) the establishment of 9 expert panels (one per KE), each consisting on average of 10 non-team members from academia, government and industry, to review and update content and to prioritize gaps and actions. The study envisions the development of a cyber-physical-social ecosystem comprising experimentally verified and validated computational models, tools, and techniques, along with the associated digital tapestry, that impacts the entire supply chain to enable cost-effective, rapid, and revolutionary design of fit-for-purpose materials, components, and systems. Although the vision focused on aeronautics and space applications, it is believed that other engineering communities (e.g., automotive, biomedical) can benefit as well from the proposed framework with only minor modifications. Finally, it is TTT's hope that this vision provides strategic guidance to both public and private research and development decision makers to make the proposed 2040 vision state a reality and thereby significantly advance the United States' global competitiveness

    An information theoretic approach to the expressiveness of programming languages

    The conciseness conjecture is a longstanding notion in computer science that programming languages with more built-in operators, that is, more expressive languages with larger semantics, produce smaller programs on average. Chaitin defines the related concept of an elegant program: one for which there is no smaller program in some language which, when run, produces the same output. This thesis investigates the conciseness conjecture empirically. Influenced by the concept of elegant programs, we investigate several models of computation and implement a set of functions in each programming model. The programming models are Turing Machines, λ-Calculus, SKI, RASP, RASP2, and RASP3. The information content of the programs and models is measured in characters. They are compared to investigate hypotheses relating to how the mean program size changes as the size of the semantics changes, and how the relationship of mean program sizes between two models compares to that between the sizes of their semantics. We show that the amount of information present in models of the same paradigm, or model family, is a good indication of relative expressivity and average program size. Models that contain more information in their semantics have smaller average programs for the set of tested functions. In contrast, the relative expressiveness of models from differing paradigms is not indicated by their relative information contents. RASP and Turing Machines have been implemented as Field Programmable Gate Array (FPGA) circuits to investigate hardware analogues of the hypotheses above, namely that the amount of information in the semantics of a model directly influences the size of the corresponding circuit, and that the relationship of mean circuit sizes between models is comparable to the relationship of mean program sizes. We show that the number of components in the circuits that realise the semantics and programs of the models correlates with the information required to implement the semantics and programs of a model. However, the number of components needed to implement a program in a circuit for one model does not relate to the number of components implementing the same program in another model. This is in contrast to the more abstract implementations of the programs. Information is a computational resource and therefore obeys Blum's axioms. These axioms and the speedup theorem are used to obtain an alternative proof of the undecidability of elegance. This work is a step towards unifying the formal notion of expressiveness with algorithmic information theory and exposes a number of interesting research directions. A start has been made on integrating the results of the thesis with the formal framework for the expressiveness of programming languages

    Safety Assurance in Interlocking Design

    This thesis takes a pedagogical stance in demonstrating how results from theoretical computer science may be applied to yield significant insight into the behaviour of the devices that computer systems engineering practice seeks to put in place, and that this is immediately attainable with the present state of the art. The focus for this detailed study is provided by the type of solid state signalling systems currently being deployed throughout mainline British railways. Safety and system reliability concerns dominate in this domain. With such motivation, two issues are tackled: the special problem of software quality assurance in these data-driven control systems, and the broader problem of design dependability. In the former case, the analysis is directed towards proving safety properties of the geographic data which encode the control logic for the railway interlocking; the latter examines the fidelity of the communication protocols upon which the distributed control system depends. The starting point for both avenues of attack is a mathematical model of the interlocking logic, derived by interpreting the geographic data in a process algebra. Thus, the emphasis is on the semantics of the programming language in question, and on the kinds of safety properties which can be expressed as invariants of the system's ongoing behaviour. Although the model so derived turns out to be too concrete to be effective for program verification in general, a careful analysis of the safety proof reveals a simple co-induction argument that leads to a highly efficient proof methodology. From this understanding it is straightforward to mechanise the safety arguments, and a prototype verification system is realised in higher-order logic which uses the proof tactics of the theorem prover to achieve full automation. The other line of inquiry considers whether the integrity of the overall design that coordinates the activities of many concurrent control elements can be compromised. To that end, the formal model is developed specifically to answer safety-related concerns about the protocol employed to achieve distributed control in the management of larger railway networks. The exercise reveals that moderately serious design flaws do exist, but the real value of the mathematical model is twofold: it makes explicit one's assumptions about the conditions under which the faults can and cannot be activated, and it provides a framework in which to prove that a simple modification to the design recovers complete security at negligible cost to performance

    Robust Distributed Software Transactions for Haskell

    This thesis motivates and develops a robust distributed Software Transactional Memory (STM) library for Haskell. Many real-life applications are distributed by nature: they either control geographically widespread hardware resources or use redundant hardware components to minimize system failure. STM is an abstraction for synchronizing shared resources in concurrent applications. It helps to prevent deadlocks and thus makes program code easier to compose. We extend the STM abstraction to distributed systems and present an implementation efficient enough to be used in soft real-time applications. Further, the implemented library is itself robust, offering the application developer a high level of abstraction for realizing robustness and hence significantly simplifying this generally complex task

    An investigation into tooling requirements and strategies for FMS operation

    This research work presents a study of the minimum tooling requirements and strategies for efficient operation of Flexible Manufacturing Systems (FMSs) in Assembly Set Production (ASP), i.e. production in sets of parts to completely assemble one or more product units. The main investigative tool is a simulation model. With this model, the tool groups to be loaded into machines and the fixtured pallet requirements were studied in conjunction with two scheduling rules. One is a FCFS rule and the other is a new rule, called MRPAS, which schedules work on the basis of the number of parts still unfinished belonging to an Assembly Set. The results show that ASP can be carried out efficiently in FMSs. However, this requires a good system set-up and adequate operating strategies. In particular, appropriate tooling levels and good tooling configurations (TCs), i.e. combinations of tools in groups to be loaded into the machines, must be established to achieve high FMS performance. Tooling combination and duplication heuristic rules and the simulation model can be used to achieve this aim. The heuristic approach is shown to be necessary because it is impossible, in reasonable time, to evaluate the performance of FMSs under the very large number of alternative tooling configurations that are possible. The level of fixtured pallets used can also have a great influence on system performance; appropriate levels of these resources for operating FMSs with given TCs can be established using the methodology developed in this work. It is also important that good scheduling rules are used. In the cases studied, the MRPAS rule produces the best performance, expressed as the combination of FMS utilization and production of complete assembly sets. Moreover, a very small assembly set batch size (ASBS), i.e. the number of assembly sets released together into the FMS, is likely to be preferable: in the cases studied, an ASBS of one performed best overall

    Serial-data computation in VLSI

    Reliability Abstracts and Technical Reviews January - December 1970

    Reliability Abstracts and Technical Reviews is an abstract and critical analysis service covering published and report literature on reliability. The service is designed to provide information on theory and practice of reliability as applied to aerospace and an objective appraisal of the quality, significance, and applicability of the literature abstracted

    An explicitly structured control model for exploring search space: chorale harmonisation in the style of J.S. Bach

    In this research, we present our computational model, which performs four-part harmonisation in the style of J.S. Bach. Harmonising Bach chorales is a hard AI problem, comparable to natural language understanding. In our approach, we explore the issue of gaining control in an explicit way for the chorale harmonisation tasks. Generally, control over the search space may come from both domain-dependent and domain-independent control knowledge. Our explicit control emphasises domain-dependent control knowledge. The control gained from domain-dependent knowledge lets us map a clearer relationship between the control applied and its effects. Two examples of domain-dependent control are a plan of tasks to be done and heuristics stating properties of the domain. Examples of domain-independent control are notions such as temperature values in an annealing method, mutation rates in Genetic Algorithms, and weights in Artificial Neural Networks. The appeal of the knowledge-based approach lies in the accessibility of the control when required, and our system exploits this concept extensively. Control is explicitly expressed by weaving different atomic definitions (i.e. the rules, tests and measures) together with appropriate control primitives. Each expression so constructed is called a control definition, which is hierarchical by nature. One drawback of the knowledge-based approach is that, as the system grows bigger, the exploitation of newly added knowledge grows exponentially, leading to an intractable search space. To reduce this intractability problem, we partially search the search space at the meta-level. This meta-level architecture reduces the complexity of the search by exploiting search at the meta-level, which has a smaller search space. The experiment shows that an explicitly structured control offers greater flexibility in controlling the search space, as it allows the control definitions to be manipulated and modified freely. This is a crucial element in performing partial search over a large search space. As the control can be examined, the system also potentially supports elaborate explanations of the system's activities and reflections at the meta-level