MIT course "Security of computer systems". Lecture 11: The Ur/Web Programming Language, part 1


Massachusetts Institute of Technology. Lecture course # ???. "Security of computer systems." Nickolai Zeldovich, James Mickens. 2014

Computer Systems Security is a course on the design and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security techniques based on recent scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection, and security in web applications.

Lecture 1: "Introduction: threat models" Part 1 / Part 2 / Part 3
Lecture 2: "Controlling hacker attacks" Part 1 / Part 2 / Part 3
Lecture 3: "Buffer overflow: exploits and protection" Part 1 / Part 2 / Part 3
Lecture 4: "The division of privileges" Part 1 / Part 2 / Part 3
Lecture 5: "Where Security Errors Come From" Part 1 / Part 2
Lecture 6: "Capabilities" Part 1 / Part 2 / Part 3
Lecture 7: "Native Client Sandbox" Part 1 / Part 2 / Part 3
Lecture 8: "Network Security Model" Part 1 / Part 2 / Part 3
Lecture 9: "Web application security" Part 1 / Part 2 / Part 3
Lecture 10: "Symbolic Execution" Part 1 / Part 2 / Part 3
Lecture 11: "The Ur/Web Programming Language" Part 1 / Part 2 / Part 3

Nickolai Zeldovich: let's get started, guys! So, today we will talk about a completely different and principled approach to building secure web applications. It is a system called Ur/Web. Our guest, Adam Chlipala, the author of this system and a professor at MIT, will tell you about the system he created.

Adam Chlipala: I want to get to the demonstration as soon as possible. But before that, I will show some slides to explain the content of this system. You have probably already picked up some ideas about it from the summary of today's lecture.

So what is Ur/Web? It is always helpful to begin by explaining what the name means. Ur/Web is primarily a programming language for creating web applications. That is what the "Web" in its title stands for. It is a kind of full-stack system that does everything you need to build web applications. "Ur" is the new general-purpose programming language that is used to implement these web features.

The whole point of Ur/Web is that instead of using a general-purpose programming language, a library, and traditional frameworks for creating web applications, all of this is integrated into the Ur/Web language itself. It is a language that is compiled, not interpreted. And the compiler, in a sense, understands what a web application should do. It will point out the mistakes you make, unlike a regular Java compiler, which does not understand where your errors are.
There are three basic principles I tried to follow when designing this language: programming efficiency, security, and performance, especially on the server side, for scaling. In this context, the second is the most relevant.

In most cases, users of your application will not notice small performance problems on the client side, but even a small problem on the server side may force you to buy many more servers than necessary.

This web server can also communicate with a database that provides persistent storage shared by all users of the application. It uses the popular SQL protocol for the conversation between the web server and the database. This is what I will talk about when discussing the capabilities of Ur/Web.

Then, when the browser receives this response, some JavaScript code is executed there that implements arbitrary logic to control the user interface shown to the user.

And there are many ways to do this. For example, Comet is a web application model in which a persistent HTTP connection allows a web server to push data to the browser without an additional request from the browser, or the WebSockets duplex protocol, which communicates between the browser and the server in real time. In principle, they are the same thing, but in a conceptually different direction.

So, I want to bring all these protocols and languages back to the screen, highlighting some parts in yellow. After reading the lecture notes, has anyone guessed what all these parts have in common in terms of security?

Student: all of them are strings into which you can put anything.

Professor: correct. In the conventional approach to programming web applications, all these things are strings. And the programming language does not understand how you use them, so it cannot help you avoid mistakes. For example, by representing these things as strings, you get code injection attacks. As far as I can tell, code injection attacks are mainly the result of including, as a primitive in your programming language or your framework, some function that runs programs given as text in a fairly expressive language.

Ur/Web does not have a built-in interpreter for executing strings as programs. This makes many of the most common web application errors constructively impossible. So all these highlighted objects will be either invisible or represented by special types, which makes it clear which kind of code you are dealing with. And you do not get any automatic casting of strings to any of these special types.

Now the slide shows an alternative model that Ur/Web provides and which is compiled down to the traditional model. That is how it works in all common browsers. But the programmer can think about it at a higher level and avoid the potential mistakes that were possible in the previous picture.

Student: Perhaps something like this could cause a DoS, a denial of service? If it is going to restart the transaction that you are sending, and you know that it will not succeed, you can simply keep restarting this process and try again.

Professor: ok, go on.
Student: if you force the system to do something that, as you know, will never succeed, you can repeat the attempts again and again and, eventually, cause a denial of service.

Professor: correct, but in order to do this you need at least two threads running at the same time. Although this could potentially work and you would be able to launch a denial-of-service attack. In this case, you can take advantage of the fact that the request handlers are restarted again and again, deliberately cause a conflict, and use this as a way to amplify the DoS attack beyond what you could get with the traditional attack model of this type. Well, I can believe that.

Student: Is this the only way to cause a transaction to fail?

Professor: Yes, this is the only way to cause a failure and an automatic restart.

Student: Perhaps there is a third party that would conditionally fail. Then you could use this to monitor the behavior of other users.

Professor: You would also need a way to observe that someone has failed, and you would only be able to do this after a while. However, this can also be a problem. You could use a side channel to see what other threads are doing, because their actions might or might not create a conflict in your thread. This is possible in principle, but very intricate. I'm not sure it is feasible, because it is difficult to come up with a specific attack that would work predictably. But it could be a fun security exercise.

Student: the transactions that you run for each incoming request, you run for the code that runs on the server. But when you send this code to the database, does it turn into a database transaction?

Professor: yes, that is true; all server-side execution is packed into a single database transaction if the application uses the database.

Student: so if you have a failed transaction, do you tell the database that nothing will be updated later? Because presumably the database knows nothing about the failure of a transaction.

Professor: yes, so the compiler does static analysis and identifies read-only transactions. This creates a read-only transaction, which on some database systems allows for additional optimization.

Student: What about the fact that some of the things you read do not affect what you are going to write, but other things you read can affect it?

Professor: you are asking whether we can use our knowledge of the application's semantics to tell the database system that some things that look like concurrency violations are not really such, so we do not need to restart. I think the short answer is no, the current implementation of the language does not do that. But it would be interesting to consider in the future. I think it would require a change in the database engine, and not just in the programming language interface.

Student: usually you can divide it into two separate transactions, or maybe you can do so under certain circumstances?

Professor: Yes, it sounds difficult to implement, but potentially useful. True, I cannot say how many applications could take advantage of it, but it is a neat idea. So transactions are a great thing.

I was just telling you about the old-school browser model of requesting pages from a web server.
We can also implement this process in AJAX style, which basically looks like client-side code.

This is a function call marked to run on the server. When it completes, the result comes back into the client code and turns out to be just a native value in the programming language. You do not need to worry about somehow turning it into a string and translating it back from the string.

Imagine that this picture shows us where the created channel is. It has a writing side and a reading side that can go to different places. The write end is in the database. And the read end somehow makes its way to the client and sits in a variable of the thread's environment.

So, imagine that the thread previously made a remote call to the server that created the channel, returned it to the client, and placed it in the database in one transaction. Later the server decides: "OK, I'll fetch this channel from the database and add a value to it," and it seems to pop out of the other end of the channel on the client. And everything in this system is "tied" to a process like this.

Student: Why do I need message passing if the request is automatically processed by the server?

Professor: The RPC interface is for initiating a call from the browser, and the server handles it. A message occurs when the server itself initiates the communication.

A canonical example is a new e-mail message that a client is waiting for. It cannot determine when a new message is available, so the server pushes it automatically.

Student: Are all messages multiplexed over one connection or over different connections?

Professor: they are all multiplexed over one HTTP connection. I know there are these newfangled things called WebSockets and maybe some other protocols, but here everything works over old-fashioned HTTP, with one connection for all messages on different channels.

So, let's see what happens next. Let me switch to the demo. Welcome to the Ur/Web program. As you can see, so far nothing terrible.

What may be unusual here is that this really is the whole program. There is no additional routing logic explaining how to match a URL with the code for handling that URL. We have only ordinary functions of a standard programming language. And the compiler exposes all the functions in the main module, which are called via the URL.

The URL is simply formed from the name of the function. And if there is any nested module structure, it is also replicated in the URL. Then we have a function that returns HTML syntax. The compiler uses a special extension for parsing HTML syntax. It also performs some basic checks to make sure that the various XML elements that appear inside others are actually allowed to appear there.

I did this in advance, and it does nothing surprising in the browser. This is what the HTML page looks like: it automatically adds the page title and declares the character encoding for this document.

I was a little shocked looking at some of the books assigned for reading in this course. I am surprised how much time is spent talking about character encodings and what happens if you do not use UTF-8 encoding. I hope I understood that correctly.

I hope they make you use UTF-8 so that no terrible things happen. But if someone sees a way to reproduce any of the attacks described in the book The Tangled Web on the Ur/Web server, I would be interested to hear how they are going to do it.

By the way, at any moment of this demonstration, please suggest experiments that come to mind so that we can try out on my system what kind of errors it is capable of catching.

I think this is the most productive way to demonstrate the capabilities of Ur/Web.

27:45 min

MIT course "Security of computer systems". Lecture 11: The Ur/Web Programming Language, part 2
The full version of the course is available here.