Language-Based Security
Course Description
This course introduces students to language-based approaches for building secure software systems. We will examine how the design and features of programming languages can enforce critical security properties that are difficult to guarantee at the operating system level alone. Students will study core ideas such as memory safety, type safety, sandboxing, and information flow control, and learn how these mechanisms prevent common vulnerabilities. Through practical exercises with safe languages and analysis tools, students will gain hands-on experience applying language-based techniques to write more secure programs.
Course Objectives
- Explain what "language-based security" covers and why language design/semantics matter for security, including how well-defined semantics and modular reasoning enable stronger guarantees than ad-hoc defensive coding.
- Evaluate how safety properties (especially memory safety and type safety) prevent major vulnerability classes, and identify concrete language features that create or eliminate memory-corruption risk (e.g., bounds checks, pointer arithmetic, unsafe casts, manual deallocation).
- Design and assess language-based sandboxing/access-control mechanisms that constrain untrusted or less-trusted components, including policies, threat models (e.g., malicious code injection), and enforcement via stack inspection/privilege management.
- Analyze trust assumptions and the Trusted Computing Base (TCB) of language platforms, and apply principles like least privilege/defense-in-depth when deciding what must be trusted and how to shrink the TCB in secure system designs.
- Specify and enforce information-flow security goals (confidentiality and integrity), using lattices/labels and practical enforcement techniques (e.g., type-based IFC, static taint analysis, dynamic taint tracking), including reasoning about explicit vs. implicit flows and leakage via exceptions/timing/termination.
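As an added illustration of the label-based enforcement named in the last objective (this is example code written for this page, not course material), the following dynamic information-flow monitor works over the two-point lattice LOW ⊑ HIGH. Explicit flows are tracked by joining operand labels; implicit flows are tracked with a program-counter (pc) label that is raised while executing under a branch that depends on HIGH data. The monitor enforces the no-sensitive-upgrade (NSU) rule, and the sample programs show why the rule is needed: a monitor that merely raises a variable's label on write still leaks through the branch that was *not* taken. All names (`Monitor`, `IFCViolation`, the sample programs) are illustrative.

```python
"""Added example: dynamic IFC monitor over the lattice LOW ⊑ HIGH (illustrative names)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

LOW, HIGH = "LOW", "HIGH"
_RANK = {LOW: 0, HIGH: 1}


def join(a: str, b: str) -> str:
    """Least upper bound of two labels in the two-point lattice."""
    return a if _RANK[a] >= _RANK[b] else b


def flows_to(src: str, dst: str) -> bool:
    """src ⊑ dst: data labelled src may be stored at, or sent to, a dst location."""
    return _RANK[src] <= _RANK[dst]


class IFCViolation(Exception):
    """Raised when the monitor detects a flow the lattice forbids."""


@dataclass(frozen=True)
class Labeled:
    value: Any
    label: str


class Monitor:
    """Interprets a program written as Python callables against a labelled store."""

    def __init__(self) -> None:
        self.store: Dict[str, Labeled] = {}
        self._pc = [LOW]  # stack of pc labels; the top is the current context

    @property
    def pc(self) -> str:
        return self._pc[-1]

    def declare(self, name: str, value: Any, label: str) -> None:
        self.store[name] = Labeled(value, label)

    def read(self, name: str) -> Labeled:
        return self.store[name]

    def unop(self, f: Callable[[Any], Any], a: Labeled) -> Labeled:
        return Labeled(f(a.value), a.label)

    def binop(self, f: Callable[[Any, Any], Any], a: Labeled, b: Labeled) -> Labeled:
        """Explicit flow: the result carries the join of its operands' labels."""
        return Labeled(f(a.value, b.value), join(a.label, b.label))

    def assign(self, name: str, val: Labeled) -> None:
        """Write val to name; the stored label also covers the pc (implicit flow)."""
        old = self.store.get(name)
        if old is not None and not flows_to(self.pc, old.label):
            # NSU: a HIGH context may not upgrade an existing LOW location.
            raise IFCViolation(f"write to {old.label} variable {name!r} under {self.pc} pc")
        self.store[name] = Labeled(val.value, join(val.label, self.pc))

    def branch(self, cond: Labeled, then: Callable[[], None],
               otherwise: Optional[Callable[[], None]] = None) -> None:
        """Run one arm with the pc raised to cover the guard's label."""
        self._pc.append(join(self.pc, cond.label))
        try:
            if cond.value:
                then()
            elif otherwise is not None:
                otherwise()
        finally:
            self._pc.pop()

    def output(self, channel: str, val: Labeled) -> Any:
        """Sink check: the value, in its emitting context, must flow to the channel."""
        eff = join(val.label, self.pc)
        if not flows_to(eff, channel):
            raise IFCViolation(f"{eff} data sent to {channel} channel")
        return val.value


def explicit_leak(secret: int) -> Any:
    """public = secret + 1; send public on the LOW channel. Caught by the label join."""
    m = Monitor()
    m.declare("secret", secret, HIGH)
    m.assign("public", m.binop(lambda a, b: a + b, m.read("secret"), Labeled(1, LOW)))
    return m.output(LOW, m.read("public"))


def laundering_attack(secret: bool) -> Any:
    """x = 0; y = 0; if secret: x = 1; if not x: y = 1; send y on LOW.
    Without NSU, y stays LOW in both runs yet equals (not secret)."""
    m = Monitor()
    m.declare("secret", secret, HIGH)
    m.declare("x", 0, LOW)
    m.declare("y", 0, LOW)
    m.branch(m.read("secret"), lambda: m.assign("x", Labeled(1, LOW)))
    m.branch(m.unop(lambda v: not v, m.read("x")), lambda: m.assign("y", Labeled(1, LOW)))
    return m.output(LOW, m.read("y"))


def benign(secret: int, public: int) -> Any:
    """HIGH data to a HIGH sink and a purely LOW computation to a LOW sink both pass."""
    m = Monitor()
    m.declare("secret", secret, HIGH)
    m.declare("public", public, LOW)
    high_out = m.output(HIGH, m.binop(lambda a, b: a * b, m.read("secret"), m.read("public")))
    low_out = m.output(LOW, m.binop(lambda a, b: a + b, m.read("public"), Labeled(1, LOW)))
    return high_out, low_out


def run(program: Callable[..., Any], *args: Any):
    """Return ('ok', value) or ('blocked', reason) for a monitored program."""
    try:
        return "ok", program(*args)
    except IFCViolation as e:
        return "blocked", str(e)


if __name__ == "__main__":
    print(run(explicit_leak, 41))
    print(run(laundering_attack, True), run(laundering_attack, False))
    print(run(benign, 6, 7))
```

Note what NSU does and does not buy: the laundering run with `secret == True` is stopped at the write to `x`, while the run with `secret == False` completes, so an observer who can tell "blocked" from "ok" still learns one bit. That is exactly the termination channel the objective mentions; purely dynamic monitors of this kind are termination-insensitive, and closing that channel requires a static analysis or a monitor that treats abnormal termination as an observable output.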
Prerequisites
Prior programming experience and some familiarity with the topics listed above (memory safety, type safety, sandboxing, information flow) are helpful, but the course is self-contained.