scispace - formally typeset
Search or ask a question
Author

Nikhil Swamy

Bio: Nikhil Swamy is an academic researcher from Microsoft. The author has contributed to research in topics: Compiler & Semantics (computer science). The author has an hindex of 29, co-authored 77 publications receiving 3333 citations. Previous affiliations of Nikhil Swamy include University of Maryland, College Park.


Papers
More filters
Proceedings ArticleDOI
24 Oct 2016
TL;DR: This paper outlines a framework to analyze and verify both the runtime safety and the functional correctness of Ethereum contracts by translation to F*, a functional programming language aimed at program verification.
Abstract: Ethereum is a framework for cryptocurrencies which uses blockchain technology to provide an open global computing platform, called the Ethereum Virtual Machine (EVM). EVM executes bytecode on a simple stack machine. Programmers do not usually write EVM code; instead, they can program in a JavaScript-like language, called Solidity, that compiles to bytecode. Since the main purpose of EVM is to execute smart contracts that manage and transfer digital assets (called Ether), security is of paramount importance. However, writing secure smart contracts can be extremely difficult: due to the openness of Ethereum, both programs and pseudonymous users can call into the public methods of other programs, leading to potentially dangerous compositions of trusted and untrusted code. This risk was recently illustrated by an attack on TheDAO contract that exploited subtle details of the EVM semantics to transfer roughly $50M worth of Ether into the control of an attacker.In this paper, we outline a framework to analyze and verify both the runtime safety and the functional correctness of Ethereum contracts by translation to F*, a functional programming language aimed at program verification.

551 citations

Proceedings ArticleDOI
08 May 2007
TL;DR: This paper proposes a simple alternative mechanism for preventing script injection called Browser-Enforced Embedded Policies (BEEP), which is that a web site can embed a policy in its pages that specifies which scripts are allowed to run.
Abstract: Web sites that accept and display content such as wiki articles or comments typically filter the content to prevent injected script code from running in browsers that view the site. The diversity of browser rendering algorithms and the desire to allow rich content make filtering quite difficult, however, and attacks such as the Samy and Yamanner worms have exploited filtering weaknesses. This paper proposes a simple alternative mechanism for preventing script injection called Browser-Enforced Embedded Policies (BEEP). The idea is that a web site can embed a policy in its pages that specifies which scripts are allowed to run. The browser, which knows exactly when it will run a script, can enforce this policy perfectly. We have added BEEP support to several browsers, and built tools to simplify adding policies to web applications. We found that supporting BEEP in browsers requires only small and localized modifications, modifying web applications requires minimal effort, and enforcing policies is generally lightweight.

333 citations

Proceedings ArticleDOI
11 Jan 2016
TL;DR: A new, completely redesigned, version of F*, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language that confirms F*'s pay-as-you-go cost model.
Abstract: We present a new, completely redesigned, version of F*, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F* is a dependently typed, higher-order, call-by-value language with _primitive_ effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F* uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F* is a language of pure functions used to write specifications and proof terms---its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F* we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F* is programmed (but not verified) in F*, and bootstraps in both OCaml and F#. Our experience confirms F*'s pay-as-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F* is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F* than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F* in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System F-omega and even micro-F*, a sizeable fragment of F* itself---these proofs make essential use of F*'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.

285 citations

Journal ArticleDOI
19 Sep 2011
TL;DR: This work presents F*, a full-fledged design and implementation of a new dependently typed language for secure distributed programming that provides arbitrary recursion while maintaining a logically consistent core, and proves type soundness (with proofs mechanized in Coq) and logical consistency for F*.
Abstract: Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed side-by-side with development. However, as recursion, effects, and rich libraries are added, using types to reason about programs, specifications, and proofs becomes challenging.We present F*, a full-fledged design and implementation of a new dependently typed language for secure distributed programming. Unlike prior languages, F* provides arbitrary recursion while maintaining a logically consistent core; it enables modular reasoning about state and other effects using affine types; and it supports proofs of refinement properties using a mixture of cryptographic evidence and logical proof terms. The key mechanism is a new kind system that tracks several sub-languages within F* and controls their interaction. F* subsumes two previous languages, F7 and Fine. We prove type soundness (with proofs mechanized in Coq) and logical consistency for F*.We have implemented a compiler that translates F* to .NET bytecode, based on a prototype for Fine. F* provides access to libraries for concurrency, networking, cryptography, and interoperability with C#, F#, and the other .NET languages. The compiler produces verifiable binaries with 60% code size overhead for proofs and types, as much as a 45x improvement over the Fine compiler, while still enabling efficient bytecode verification.To date, we have programmed and verified more than 20,000 lines of F* including (1) new schemes for multi-party sessions; (2) a zero-knowledge privacy-preserving payment protocol; (3) a provenance-aware curated database; (4) a suite of 17 web-browser extensions verified for authorization properties; and (5) a cloud-hosted multi-tier web application with a verified reference monitor.

212 citations

Proceedings ArticleDOI
22 May 2011
TL;DR: This paper presents \ibex, a new framework for authoring, analyzing, verifying, and deploying secure browser extensions based on using type-safe, high-level languages to program extensions against an API providing access to a variety of browser features, and proposes using Data log to specify fine-grained access control and dataflow policies.
Abstract: Popup blocking, form filling, and many other features of modern web browsers were first introduced as third-party extensions. New extensions continue to enrich browsers in unanticipated ways. However, powerful extensions require capabilities, such as cross-domain network access and local storage, which, if used improperly, pose a security risk. Several browsers try to limit extension capabilities, but an empirical survey we conducted shows that many extensions are over-privileged under existing mechanisms. This paper presents \ibex, a new framework for authoring, analyzing, verifying, and deploying secure browser extensions. Our approach is based on using type-safe, high-level languages to program extensions against an API providing access to a variety of browser features. We propose using Data log to specify fine-grained access control and dataflow policies to limit the ways in which an extension can use this API, thus restricting its privilege over security-sensitive web content and browser resources. We formalize the semantics of policies in terms of a safety property on the execution of extensions and develop a verification methodology that allows us to statically check extensions for policy compliance. Additionally, we provide visualization tools to assist with policy analysis, and compilers to translate extension source code to either. NET byte code or JavaScript, facilitating cross-browser deployment of extensions. We evaluate our work by implementing and verifying~\NumExt extensions with a diverse set of features and security policies. We deploy our extensions in Internet Explorer, Chrome, Fire fox, and a new experimental HTML5 platform called C3. In so doing, we demonstrate the versatility and effectiveness of our approach.

133 citations


Cited by
More filters
Book
26 Mar 2008
TL;DR: A unique overview of this exciting technique is written by three of the most active scientists in GP, which starts from an ooze of random computer programs, and progressively refines them through processes of mutation and sexual recombination until high-fitness solutions emerge.
Abstract: Genetic programming (GP) is a systematic, domain-independent method for getting computers to solve problems automatically starting from a high-level statement of what needs to be done. Using ideas from natural evolution, GP starts from an ooze of random computer programs, and progressively refines them through processes of mutation and sexual recombination, until high-fitness solutions emerge. All this without the user having to know or specify the form or structure of solutions in advance. GP has generated a plethora of human-competitive results and applications, including novel scientific discoveries and patentable inventions. This unique overview of this exciting technique is written by three of the most active scientists in GP. See www.gp-field-guide.org.uk for more information on the book.

1,856 citations

Journal ArticleDOI
Kuk-Hyun Han1, Jong-Hwan Kim1
TL;DR: The results show that QEA performs well, even with a small population, without premature convergence as compared to the conventional genetic algorithm, and a Q-gate is introduced as a variation operator to drive the individuals toward better solutions.
Abstract: This paper proposes a novel evolutionary algorithm inspired by quantum computing, called a quantum-inspired evolutionary algorithm (QEA), which is based on the concept and principles of quantum computing, such as a quantum bit and superposition of states. Like other evolutionary algorithms, QEA is also characterized by the representation of the individual, evaluation function, and population dynamics. However, instead of binary, numeric, or symbolic representation, QEA uses a Q-bit, defined as the smallest unit of information, for the probabilistic representation and a Q-bit individual as a string of Q-bits. A Q-gate is introduced as a variation operator to drive the individuals toward better solutions. To demonstrate its effectiveness and applicability, experiments were carried out on the knapsack problem, which is a well-known combinatorial optimization problem. The results show that QEA performs well, even with a small population, without premature convergence as compared to the conventional genetic algorithm.

1,335 citations

Book ChapterDOI
22 Apr 2017
TL;DR: This work analyses the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities, and shows a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.
Abstract: Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.

988 citations

Journal Article
TL;DR: The Commission's report really does add enormous amounts of history to the sound bites and 30-second visuals that have pervaded politics and the world assessment of the US since that time.
Abstract: Twenty-five years ago, as an American GP living and practising in Wales, I would watch BBC sports programmes, such as darts and bowls and snooker, all unknown to me and, therefore, fascinating. I always found it odd — pairings such as Scotland (or Wales) versus The Rest of the World. It either seemed overly ambitious for Scotland or slim pickings for the rest of the world. After the recent US presidential election, it appears as if it will continue to be the US versus The Rest of the World. Three books might help you, who are of ‘the rest of the world’, begin to grapple with what is going on in the US. Written from the short, medium, and long view, each has a somewhat parochial twist. Each also, however, contains a great deal of useful history. The 9/11 Commission Report refutes the old saw that nothing good can be written by a committee. The report is a remarkable book and its recent nomination as a finalist for the National Book Award is a first for a government document, and well deserved. What is contained in this report is well known by most of us — the cast of characters has been in the news for over 3 years. And the sequence of events and many of the details that were gleaned from the ongoing hearings have been contained in news stories, long and short. However, to have published what is known until this point in a single narrative, which is at once accessible and clearly written, is a truly historical achievement. Reading the events of the day — regarding the planes that crashed in the city of New York, as the rescue squads from police and fire departments move into place and act — is both familiar and detailed in a way that helps us understand better than I would ever have imagined the why and how of all the death and destruction. So much about those days have been parsed into documentaries — long analyses of causation of issues, like why the towers fell — that one would think that everything that could be written had been. But the Commission's report really does add enormous amounts of history to the sound bites and 30-second visuals that have pervaded politics and the world assessment of the US since that time. The report deals extensively and thoughtfully with the history of Islam, both ancient and recent, and describes the history of terrorism as it evolved from highjackings of the 1970s to the use of bombs and targeted destruction of military targets in the late 1980s and 1990s. Events that occurred in the time that preceded the attacks of 9/11 are written in a way that shows the convergence of intelligence reports, a long history of threats from Bin Laden, and many alerts and warnings (‘the system was blinking red’ in the words of Tenet, CIA director). The information about the movements of the terrorists in their planning and the worldwide involvement of cells, support systems, and finances makes it clear that these events were truly the result of a network that reaches virtually everywhere. After the attacks, reading of the efforts of the fire, police, and other rescue squads in New York adds specifics that are terrible and remarkable. On 9/11, I ran up and down the stairs between patients to watch on television as it was all happening. All of us who watched that day wondered what those people who were clearly doomed were thinking, feeling, and seeing. Their actual words in this report are not fiction, they are the words, for most the last words, of people who died as we watched. Their words are the hardest part of this long, detailed report to deal with. Much of the final third of the report is devoted to what a fire captain friend of mine once called a PFE — a post-fire evaluation — which he mandated for his squad after every fire. In a PFE, the entire squad reconstructed, relived, and discussed the events to see what could be improved next time. The 9/11 Commission engaged in a world-scale PFE. Although all US politicians state that they intend to follow the recommendations of The 9/11 Commission Report, the backing and filling is already well underway. What politician, for example, is going to agree that major conurbations, and political and tactical targets should receive preference over their hometown fire departments and that homeland security money should ‘not be used as a pork barrel’? Rather than bringing a grieving country together in a way that will make such events unlikely to happen again, the reactions from the report have begun to cleave along party lines once again. The 9/11 Commission was almost unique in its thoroughness, transparency, and its ability to focus on the real issue of terror and lawlessness. However, the extent to which a violent stateless ideology has negatively affected the tolerance of differences, the sense of community, and the level of civic discourse in the US means that terrorism has affected our neighborhoods as much as it has affected our country. And fear rather than determination, despite the President's stump speech, has become the dominant emotion. Robert Byrd, from his 45-year perspective in the US Senate, understands that cheques and balances are essential to avoid tragedy, even if they, at times, impede progress. His book, Losing America, contains several ‘under-the-table’ looks at Congress and the manipulations and arrogance of the coterie of ideologues who surround George W. Bush. Byrd, from the Southern tradition of politeness and respect, which often cloaks bar-room politics, is steeped in the history of the institution of the Senate. He is personally offended by Bush's lack of interest or curiosity in the legislative process prior to 9/11, and his dishonesty and deception afterwards. Byrd's address to the Senate on the eve of the war on Iraq was widely quoted and is contained in this book. While people marching in the streets made headlines, it was an 85-year-old senator, not previously known as an outraged progressive, who took on both the Administration for its hypocrisy and many of his colleagues for their lack of courage and principle. He voted against the war and continues to point out the dishonesty of the people who guide it. The book reads with a sensibility from another age. Although his own history is certainly not without problems, Senator Byrd's belief in the true democratic process, rather than the gun-barrel approach of George W. Bush, should be given the respect that he, and it, deserve. Arthur Schlesinger Jr has been writing history since 1946 and has Pulitzer prizes to prove he does it well. His voice is considered, thoughtful, and scholarly — as one might expect from a historian and distinguished teacher. Toward the end of his book War and the American Presidency, however, Schlesinger's voice rises with outrage at those who surround and influence George W. Bush, the ‘small group of Messianic statesman whose self righteousness bids fair to wreck our age’. He writes of the imperial presidencies of the early years of the country, which repressed dissent during wartime, and how the US moved from wars based on pique to engaging international diplomacy and internationalism. Schlesinger reminds us that all presidents since Wilson, with George W. Bush being the glaring exception, believed in statesmanship, diplomacy, alliances to guard against capricious choices and, when necessary, taking on common enemies. Much of Schlesinger's book, however, also chronicles the record of the current Administration which, by being ‘judge, jury, and executioner resurrects the imperial presidency’. An imperial presidency in the age of frigates and single-shot rifles cannot be compared with one that possesses weapons of mass destruction and a wooly-headed sense of divine guidance. We used to think of Henry Kissinger as the prototype for Dr Strangelove, but I wish Kubrick were still alive to do the remake with Dick Cheney and Donald Rumsfeld in mind. Needless to say, the recent election, instead of relegating George W. Bush and his hangers-on to the historical trashbin, has pushed them to the front of the international agenda. A secretive, defensive, unreflective president will now shape the world for our grandchildren. Each of these books elaborates on the ineffectiveness of Bush dealing with the real enemy while he digs deeper into a country where he is creating more enemies by the day. One has to ask why, instead of quietly writing their memoirs, two distinguished 87-year-old statesmen are raising the alarm and shaking us by the throat — like the aging Thomas Jefferson who, in his famous letter of 1820, said of the first compromise to try to divide the country between slave and free states: ‘this momentous question, like a firebell in the night, awakened and filled me with terror’. Byrd and Schlesinger hear the firebell and are ringing it to wake us up. Another quote that might better capture Bush and his legacy would be from the Bible he uses as justification for his policies: ‘He that troubleth his own house shall inherit the wind’ (Proverbs 11, 29).

962 citations