New programming language accommodates multiple languages in same program

August 7, 2014
Carnegie Mellon University
http://www.cs.cmu.edu/~aldrich/wyvern
http://www.cs.cmu.edu/~aldrich/papers/ecoop14-tsls.pdf
http://www.sciencedaily.com/releases/2014/08/140807145906.htm

Computer scientists at Carnegie Mellon University have designed a way to safely 
use multiple programming languages within the same program.

Mixing languages this way lets programmers use the language most appropriate 
for each task, while the approach guards against code injection, one of the 
most severe security threats in Web applications today.

A research group led by Jonathan Aldrich, associate professor in the Institute 
for Software Research (ISR), is developing a programming language called Wyvern 
that makes it possible to construct programs using a variety of targeted, 
domain-specific languages, such as SQL for querying databases or HTML for 
constructing Web pages, as sublanguages, rather than writing the entire program 
using a general purpose language.

Wyvern determines which sublanguage is being used within the program based on 
the type of data that the programmer is manipulating. Types specify the format 
of data, such as alphanumeric characters, floating-point numbers or more 
complex data structures, such as Web pages and database queries.

The type provides context, enabling Wyvern to identify a sublanguage associated 
with that type in the same way that a person would realize that a conversation 
about gourmet dining might include some French words and phrases, explained 
Joshua Sunshine, ISR systems scientist.

"Wyvern is like a skilled international negotiator who can smoothly switch 
between languages to get a whole team of people to work together," Aldrich 
said. "Such a person can be extremely effective and, likewise, I think our new 
approach can have a big impact on building software systems."

Many programming tasks can involve multiple languages; when building a Web 
page, for instance, HTML might be used to create the bulk of the page, but the 
programmer might also include SQL to access databases and JavaScript to allow 
for user interaction. By using type-specific languages, Wyvern can simplify 
that task for the programmer, Aldrich said, while also avoiding workarounds 
that can introduce security vulnerabilities.

One common but problematic practice is to paste together strings of characters 
to form a command in a specialized language, such as SQL, within a program. 
Unless every piece of untrusted input is handled carefully, this practice can 
leave applications vulnerable to two of the most serious security threats on 
the Web today: cross-site scripting attacks (when the pasted-together text is 
HTML or JavaScript) and SQL injection attacks. In the latter case, for 
instance, an attacker could type text containing a DROP TABLE command into a 
login/password form or an order form on a Web site; once pasted into the query 
string, that text is executed as part of the command and could wipe out a 
database table.

"Wyvern would make the use of strings for this purpose unnecessary and thus 
eliminate all sorts of injection vulnerabilities," Aldrich said.
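The string-pasting problem described above, and the idea sketched earlier of 
choosing a sublanguage by the type of the value being built, as an added 
example in Python. This is not Wyvern code and not from the paper: the `Query` 
type, the `sql`/`param`/`run` helpers, `table_exists`, the `users` table and 
its rows, and the attack payloads are all constructed here for illustration. 
The concatenated query is shown beside a version built from `Query` values 
that keep SQL text and untrusted data apart until the driver binds them.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_by_concat(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The problematic practice: user input is pasted into the SQL text, so a
    quote in the input changes the structure of the command."""
    stmt = ("SELECT name FROM users WHERE name = '" + name
            + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(stmt)]


@dataclass(frozen=True)
class Query:
    """A query as a value rather than a string (hypothetical type, standing in
    for a type-specific sublanguage): trusted SQL text with placeholders, and
    the untrusted values to bind to them, kept apart until execution."""
    text: str
    params: tuple = ()

    def __add__(self, other: "Query") -> "Query":
        # Composition is only defined on Query values; a bare str cannot be
        # spliced in, which is exactly the shortcut the article warns against.
        if not isinstance(other, Query):
            raise TypeError("only Query values compose; str is not allowed")
        return Query(self.text + other.text, self.params + other.params)


def sql(fragment: str) -> Query:
    """Trusted SQL written by the programmer (by convention a literal; Wyvern
    would enforce this through its types, plain Python cannot)."""
    return Query(fragment)


def param(value) -> Query:
    """Untrusted data. It becomes a bound parameter, never SQL text."""
    return Query("?", (value,))


def run(conn: sqlite3.Connection, q: Query) -> list:
    return [row[0] for row in conn.execute(q.text, q.params)]


def login_by_query(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Same lookup built from Query values; the attacker's quotes stay data."""
    q = (sql("SELECT name FROM users WHERE name = ") + param(name)
         + sql(" AND password = ") + param(password))
    return run(conn, q)


def table_exists(conn: sqlite3.Connection, table: str = "users") -> bool:
    rows = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,))
    return rows.fetchone() is not None


def compose_rejects_str() -> bool:
    """True if splicing a raw string into a Query is a type error."""
    try:
        sql("SELECT 1 WHERE x = ") + "'untrusted'"
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    db = fresh_db()
    bypass = "' OR '1'='1"             # constructed login-form payload
    drop = "x'; DROP TABLE users; --"  # constructed DROP TABLE payload
    print("concat, bypass payload :", login_by_concat(db, "alice", bypass))
    print("query,  bypass payload :", login_by_query(db, "alice", bypass))
    # sqlite3 refuses to run two statements in one execute() call, so the
    # DROP TABLE payload is shown only against the parameterised version,
    # where it is nothing more than an unlikely user name.
    print("query,  drop payload   :", login_by_query(db, drop, "p"))
    print("users table still there:", table_exists(db))
```

The concatenated login returns every user for the `' OR '1'='1` password, 
because the quote closes the string literal and the rest becomes SQL; the 
`Query` version returns nothing, and the DROP TABLE payload bound as a 
parameter leaves the table in place. The remaining gap in Python is that 
`sql()` will accept any string, so the discipline holds only if it is called 
on literals; that is the guarantee a type-directed host language can make.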

Previous attempts to develop programming languages that could understand other 
languages have faced tradeoffs between composability and expressiveness; they 
were either limited in their ability to unambiguously determine which embedded 
language was being used, or limited in which embedded languages could be used.

"With Wyvern, we're allowing you to use these languages, and define new ones, 
without worrying about composition," said Cyrus Omar, a Ph.D. student in the 
Computer Science Department and the lead designer of Wyvern's type-specific 
language approach.

Wyvern is not yet fully engineered, Omar noted, but is an open source project 
that is ready for experimental use by early adopters. More information is 
available at http://www.cs.cmu.edu/~aldrich/wyvern/.

The paper can be found online at: 
http://www.cs.cmu.edu/~aldrich/papers/ecoop14-tsls.pdf
--
Cheers,
Stephen

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
