New programming language accommodates multiple languages in same program

Computer scientists have designed a way to safely use multiple programming languages within the same program, enabling programmers to use the language most appropriate for each function while guarding against code injection attacks, one of the most severe security threats in Web applications today.

A research group is developing a programming language called Wyvern that makes it possible to construct programs using a variety of targeted, domain-specific languages, such as SQL for querying databases or HTML for constructing Web pages, as sublanguages, rather than writing the entire program using a general-purpose language.

Wyvern determines which sublanguage is being used within the program based on the type of data that the programmer is manipulating. Types specify the format of data, such as alphanumeric characters, floating-point numbers or more complex data structures, such as Web pages and database queries. The type provides context, enabling Wyvern to identify a sublanguage associated with that type.

Wyvern is like a skilled international negotiator who can smoothly switch between languages to get a whole team of people to work together. Many programming tasks can involve multiple languages; when building a Web page, for instance, HTML might be used to create the bulk of the page, but the programmer might also include SQL to access databases and JavaScript to allow for user interaction. By using type-specific languages, Wyvern can simplify that task for the programmer, while also avoiding workarounds that can introduce security vulnerabilities.

One common but problematic practice is to paste together strings of characters to form a command in a specialized language, such as SQL, within a program. If not implemented carefully, however, this practice can leave computers vulnerable to two of the most serious security threats on the Web today: cross-site scripting attacks and SQL injection attacks. In the latter case, for instance, someone with knowledge of computer systems could use a login/password form or an order form on a Web site to type in a command to DROP TABLE that could wipe out a database. Wyvern would make the use of strings for this purpose unnecessary and thus eliminate all sorts of injection vulnerabilities.

Previous attempts to develop programming languages that could understand other languages have faced tradeoffs between composability and expressiveness; they were either limited in their ability to unambiguously determine which embedded language was being used, or limited in which embedded languages could be used. With Wyvern, one can use these languages, and define new ones, without worrying about composition. This new approach can have a big impact on building software systems.
Posted on: Mon, 11 Aug 2014 06:37:15 +0000
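
The string-pasting problem described above, as an added example that is not from the article or the Wyvern project: it is written in Python with `sqlite3`, not Wyvern, and contrasts a pasted SQL command with a query carried as a typed value whose data stays separate from the command text. The `Query` type, the `users` table and the sample inputs are constructed for the illustration and only approximate the idea of a type deciding how a query is built.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """Hypothetical type: SQL text with '?' placeholders, data kept apart."""
    text: str
    params: tuple = ()


def run(db, q):
    # Only the Query type reaches the database; a bare string is rejected,
    # so a pasted-together command cannot be executed by accident.
    if not isinstance(q, Query):
        raise TypeError("expected Query, got " + type(q).__name__)
    return db.execute(q.text, q.params).fetchall()


def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def lookup_pasted(db, name):
    # The practice the article warns about: input becomes part of the command.
    sql = "SELECT secret FROM users WHERE name = '" + name + "' ORDER BY name"
    return db.execute(sql).fetchall()


def lookup_typed(db, name):
    # Input travels as data and cannot change the structure of the query.
    return run(db, Query(
        "SELECT secret FROM users WHERE name = ? ORDER BY name", (name,)))


# Constructed input whose quote character rewrites the pasted command.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("pasted, normal :", lookup_pasted(db, "alice"))
    print("pasted, crafted:", lookup_pasted(db, CRAFTED))
    print("typed,  crafted:", lookup_typed(db, CRAFTED))
```

With the pasted version the crafted input returns every row, while the typed version matches no user because the whole input is compared as a name.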
