Talk: Mind your languages!
Year after year, software vulnerabilities continue to arise in operating systems and applications. Most of the time, people blame the developers. However, one might also argue that, since generation after generation of developers falls into the same traps, another course of action would be to design better programming languages, or at least to better learn the quirks of current languages.
Since 2007, the French Network and Information Security Agency (ANSSI) has conducted several studies (JavaSec and LaFoSec, whose reports have been published [1] [2]). Recently, former ANSSI member Eric Jaeger and the speakers further discussed the question of the intrinsic security characteristics of programming languages in an academic paper [3]. Through illustrations and discussions, the paper advocates for a different vision of well-known mechanisms and is intended to provide some food for thought regarding languages and development tools.
Since 2014, Eric, Pierre and Olivier have been presenting “Mind your languages!” at different seminars [4] [5], gathering new examples in an ever-evolving presentation.
Bio:
Olivier Levillain is Head of the ANSSI Cybersecurity Training Centre (CFSSI, centre de formation à la SSI). He previously worked in the ANSSI research laboratories on various topics, ranging from low-level architecture (SMM/ACPI) to PKI. More recently, his work has focused on secure network protocols (especially SSL/TLS) and on programming languages.
Pierre Chifflier works in the Hardware and Software Lab of ANSSI. He works on various topics, from UEFI firmware to firewalls, languages and compilers. His recent work is based on modifying compilers to add Control Flow Integrity to the compiled code.
[1] JavaSec study, http://www.ssi.gouv.fr/agence/publication/securite-et-langage-java (documents in French)
[2] LaFoSec study, http://www.ssi.gouv.fr/agence/publication/lafosec-securite-et-langages-fonctionnels/ (documents in French)
[3] Eric Jaeger, Olivier Levillain, Pierre Chifflier — Mind your Language(s): A Discussion about Languages and Security — LangSec Workshop @ IEEE Security and Privacy, http://spw14.langsec.org/abstracts.html#mind
[4] Mind your languages, long version, https://www-apr.lip6.fr/~chaillou/Public/enseignement/2014-2015/conf-STL/LangSec_handout.pdf (UPMC M2 seminar, slides in French)