The high-profile attacks and data-breaches of the last few years demonstrate the importance of securing software. While there are ever more tools that can analyze systems for vulnerabilities, these do not help the programmer write secure code in the first place. To prevent security from becoming a bottleneck–and to prevent expensive security mistakes from becoming increasingly probable–we need to make it easier to write provably secure software.
My work on policy-agnostic programming addresses the issue of unintentional information leaks by factoring out the implementation of information flow security from other functionality. In this paradigm, programmers specify policies about how sensitive data may be used directly with the data, instead of as conditional checks across a program. In this talk, I present dynamic and static approaches for policy-agnostic programming, show how to extend these approaches to support database-backed web applications, and discuss how the policy-agnostic approach can help us secure legacy code written in existing languages.
Jean Yang is an Assistant Professor in the Computer Science Department at Carnegie Mellon University. Jean is interested in creating programming tools to build complex systems that have surprisingly clean guarantees. Jean received the Best Paper Award at PLDI 2010 for her work on Verve, an operating system automatically verified end-to-end for type safety. Jean has interned at Google, Facebook, and Microsoft Research. In 2015, Jean co-founded the Cybersecurity Factory accelerator for turning security research into companies.