Exploits and insecure compilation§

The field of secure compilation studies when and how security properties are preserved by a compiler. My recent research has examined how concepts and techniques from the study of secure compilation can be applied to the problem of understanding vulnerabilities, exploits, and security mitigations.

2020 Exploits as Insecure Compilation (Short Paper). Jennifer Paykin, Eric Mertens, Mark Tullsen, Luke Maurer, Benoit Raziet, and Scott Moore. In Proceedings of the 4th Workshop on Principles of Secure Compilation (PriSC), January 2020.

2019 Weird Machines as Insecure Compilation (Short Paper). Jennifer Paykin, Eric Mertens, Mark Tullsen, Luke Maurer, Benoit Raziet, and Scott Moore. In Proceedings of the Workshop on Foundations of Computer Security (FCS), June 2019.

Software Contracts for Security§

Component-based software engineering is an approach for building complex systems from seperate components that interact via clearly defined interfaces. "Design by Contract" is a programming methodology that facilitates this approach by attaching executable specifications, called software contracts, to components to ensure that each component correctly interacts with the rest of the system.

Existing work on software contracts has focused almost exclusively on contracts for functional correctness. In my work, I explore how software contracts are also an effective mechanism for specifying and enforcing security properties.

2020 Fine-Grained, Language-Based Access Control for Database-Backed Applications. Ezra Zigmond, Stephen Chong, Christos Dimoulas, and Scott Moore. In In Conference Companion of the 4th International Conference on Art, Science, and Engineering of Pro- gramming (Programming), March 2020.

2016 Software Contracts for Security. Scott Moore. PhD Disseration, Harvard University, May 2016.

Extensible Access Control with Authorization Contracts. Scott Moore, Christos Dimoulas, Robert Bruce Findler, Matthew Flatt, and Stephen Chong. In Proceedings of the Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), November 2016.

2014 Shill: A Secure Shell Scripting Language. Scott Moore, Christos Dimoulas, Dan King, and Stephen Chong. In Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2014.

Declarative Policies for Capability Control. Christos Dimoulas, Scott Moore, Aslan Askarov, and Stephen Chong. In Proceedings of the 27th IEEE Computer Security Foundations Symposium (CSF), July 2014.

Information-flow security§

By tracking and controlling the flow of information within an entire system, information-flow security can express and enforce strong and precise security policies with high assurance. My research on information flow has ranged from designing new type systems and enforcement mechanisms for policies like assured information erasure and progress-sensitive security to developing static analyses that make it easier to apply information-flow security to existing programs.

2015 Cryptographic Enforcement of Language-based Erasure. Aslan Askarov, Scott Moore, Christos Dimoulas, and Stephen Chong. In Proceedings of the 28th IEEE Computer Security Foundations Symposium (CSF), July 2015.

Exploring and Enforcing Security Guarantees via Program Dependence Graphs. Andrew Johnson, Lucas Waye, Scott Moore, and Stephen Chong. In Proceedings of the 36th ACM SIGPLAN conference on Programming Language Design and Implementation (PLDI), June 2015.

2012 Precise Enforcement of Progress-Sensitive Security. Scott Moore, Aslan Askarov, and Stephen Chong. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), October 2012.

2011 Static analysis for efficient hybrid information-flow control. Scott Moore and Stephen Chong. In Proceedings of the 24th IEEE Computer Security Foundations Symposium (CSF), June 2011.

Logic programming§

Logic programming is a programming paradigm where computations are declaratively specified as collections of logical relations. Logic programming excels at clearly defining search and inference problems. In my work, I have applied logic programming to simplify the development of programs for model-checking security properties and synthesizing disparate sources of provenance data.

2013 Declaratively Processing Provenance Metadata. Scott Moore, Ashish Gehani, and Natarajan Shankar. In Proceedings of the 5th USENIX Conference on the Theory and Practice of Provenance (TaPP), April 2013.

2009 ActionScript Bytecode Verification With Co-Logic Programming. Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), June 2009.