CSCI 342 - Security and Programming
Security and Programming is a course that I took as a graduate student at The George Washington University during the Spring 2007 semester. It was a survey course exploring the concept of enforcing computer program security at the programming language level. The course involved the reading and discussion of academic papers about research regarding the combination of security and programming language concepts. At each class meeting, two students would provide summary presentations of sets of papers dealing with the topics chosen for that day. When it was my turn to present, I was assigned three papers related (mostly) to vulnerabilities of embedded systems and techniques for detecting modifications to embedded software. The papers can be found here, here, and here. My summary of the papers can be found here.
The first assignment for the course involved the creation of a static analysis tool to detect the use of uninitialized variables in C source code. It was suggested that we use a language recognition tool such as ANTLR to perform the task. For some reason I ended up modifying the lcc retargetable ANSI C compiler source code and attaching it to a GUI to display locations where uninitialized variables were used in a file. A document describing the modifications performed and the modified lcc source are provided below.
For my final project I designed a domain-specific programming language to monitor, manage, and manipulate data streams. I implemented a simple interpreter for the language, capable of connecting with other interpreter instances to remotely execute commands. The main concept was to provide a system within which interpreters are installed on different computers, each responsible for managing data streams, which can all be controlled from a single location. Language commands allow data resources (UDP sockets, files, etc.) to be connected together, such that data received from one resource is directed to another. Transforms can be placed between connected resources, such that the source's data format is converted to the data format expected by the destination. The system was designed to authenticate interpreter-to-interpreter connections and provide user access control at the interpreter command level.
The sample interpreter was implemented with C#, using ANTLR for language parsing. Documents describing the project and the source code, with Windows executables, are provided below.
Figure: Creating a channel between two interpreters, and creating and linking sources
Following the completion of the course, I registered for an Independent Research course (CSCI 298) at GW in the Fall of 2007 to continue working on the domain-specific language project. Goals and motivation for the project were documented, concepts for the language were more formally defined, and the language syntax was refined. Documents providing an overview of the system and its design are provided below.