Software security—the idea of engineering software so that it continues to function correctly under malicious attack—is not really new, but it has received renewed interest over the last several years as reactive network-based security approaches such as firewalls have proven to be ineffective. Unfortunately, today’s software is riddled with both design flaws and implementation bugs, resulting in unacceptable security risk. As Cheswick and Bellovin put it, “any program, no matter how innocuous it seems, can harbor security holes” [Cheswick and Bellovin 1994]. The notion of software security risk has become common knowledge, ...