Thursday 

Room 3 

11:40 - 12:40 

(UTC±00)

Talk (60 min)

Trust No Input: Taint Analysis at Compile Time

As software systems become increasingly interconnected, protecting data confidentiality and integrity is more critical than ever. When traditional access control mechanisms fall short, we must turn to deeper, language-level solutions.

Application Security
Programming
Security Tooling

This talk introduces language-based security: leveraging programming languages and their type systems to enforce security policies at compile time. We'll focus on taint analysis, a technique for tracking the flow of potentially harmful (or "tainted") data, and in particular on applying it statically to detect and prevent security vulnerabilities before they reach production. Through practical examples in Java and Scala, we'll see how to model data sensitivity, propagate taint status, and catch violations at compile time.
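As an added illustration (not the speaker's code), here is one minimal Scala 3 encoding of the idea: the taint status of a value is a phantom type parameter, transformations propagate it, a sanitizer is the only transition to a clean label, and the sink's signature is the policy, so passing unsanitized data to it is a type error rather than a runtime check. All names (Taint, Data, Join, fromRequest, escapeHtml, render) and the sample input are assumptions made for this example.

```scala
object TaintDemo:
  // Phantom labels: never instantiated, they only record a value's trust status.
  sealed trait Taint
  final class Tainted extends Taint
  final class Clean extends Taint

  // Joining two labels: anything that touches Tainted data stays Tainted.
  type Join[T <: Taint, U <: Taint] <: Taint = T match
    case Tainted => Tainted
    case Clean   => U

  // A value of type A carrying a taint label T. The constructor is restricted so
  // that a Clean label can only be produced by the trusted helpers defined here.
  final class Data[A, T <: Taint] private[TaintDemo] (val value: A):
    // Propagation: transforming a value preserves its label.
    def map[B](f: A => B): Data[B, T] = new Data[B, T](f(value))
    // Combining two values joins their labels (Tainted wins).
    def zip[B, U <: Taint](that: Data[B, U]): Data[(A, B), Join[T, U]] =
      new Data[(A, B), Join[T, U]]((value, that.value))

  // Source: anything read from a request is Tainted by construction.
  def fromRequest(param: String): Data[String, Tainted] =
    new Data[String, Tainted](param)

  // Trusted constant written by the developer: Clean by construction.
  def literal(s: String): Data[String, Clean] = new Data[String, Clean](s)

  // Sanitizer: the sole transition from any label to Clean (HTML-escapes the value).
  def escapeHtml[T <: Taint](d: Data[String, T]): Data[String, Clean] =
    new Data[String, Clean](
      d.value.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace("\"", "&quot;"))

  // Sink: only Clean data may be rendered; the type signature enforces the policy.
  def render(d: Data[String, Clean]): String = s"<p>${d.value}</p>"

@main def demo(): Unit =
  import TaintDemo.*
  val name = fromRequest("<b>Ada</b>")                  // constructed sample input
  val trimmed = name.map(_.trim)                         // still Data[String, Tainted]
  val greeting = literal("Hello, ").zip(trimmed)         // Join[Clean, Tainted] = Tainted
  val message = greeting.map { case (a, b) => a + b }    // Data[String, Tainted]
  // render(message)   // rejected by the compiler: Tainted where Clean is required
  println(render(escapeHtml(message)))                   // the only path to the sink
```

Compile with Scala 3; uncommenting the `render(message)` line turns the missing sanitization step into a build failure instead of a production bug.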

As more code is written or suggested by GenAI, the risk of subtle security flaws increases, making compiler-enforced security guarantees more valuable than ever.

By the end of the talk, you will see how language-based techniques can reduce reliance on dynamic checks and support building secure systems by construction.

Matteo Di Pirro

Matteo is a software engineer with a deep interest in programming languages and type systems. He works on the design and development of embedded and distributed applications, primarily using JVM-based languages like Java and Scala, to build complex systems that remain simple and maintainable. A frequent conference speaker and technical author, Matteo enjoys exploring how language design and type safety can lead to more robust software. He has authored a Scala course on testing best practices and regularly shares insights on functional programming, type-driven development, and secure coding techniques.