Computer Science Thesis Proposal

Location:
In Person and Remote - ET - Gates Hillman 8102 and Zoom

Speaker:
JAY BOSAMIYA, Ph.D. Student, Computer Science Department, Carnegie Mellon University
https://www.jaybosamiya.com/

A Principled Approach towards Unapologetic Security

Software is incredibly difficult to write correctly, let alone safely. Prior work (quite successfully) has relied on formal verification—a powerful hammer to achieve provable guarantees. However, improvements in the state-of-the-art of software security often come with significant apology, such as development velocity, software performance, or loss of functionality. While many developers (and more so, users) would like their software to be secure, often security comes with an apology for at least one of the other objectives (often multiple at once), and thus becomes under-prioritized. To be adopted, advances in security thus need to not only improve the state-of-the-art in security, but also focus on other practical considerations that have historically inhibited widespread deployment, and indeed prevented building secure software from being the natural default choice.

In this thesis, we propose that security objectives are achievable without apology, through the use of principled approaches and formalism. As evidence towards this, we show that successfully applying principled approaches and formalism removes the need for apology, across a collection of different kinds of software systems: (1) high-performance cryptographic primitives, (2) safe execution of arbitrary untrusted code, (3) agile enforcement of pre-emptively defensive code, (4) low-level parsers of untrusted data, and (5) source-unavailable executable comprehension. Our hope is that providing security without apology, even in the face of the practical complexities, makes a big step towards the shared goal of security researchers: making security the natural default choice.

Thesis Committee:

Bryan Parno (Chair)
Phillip Gibbons
Jonathan Aldrich
Chris Hawblitzel (Microsoft Research)
 

Additional Information

In Person and Zoom Participation.  See announcement.

