Researchers develop a programming language that integrates multiple languages into one. It is called Wyvern and aims to solve security problems
Computer scientists at Carnegie Mellon University have devised a way to use several programming languages within the same program, letting developers pick the most appropriate language for each task. The approach is meant to protect services against code injection attacks, one of the most serious threats a web application faces today.
At the ISR (Institute for Software Research), Professor Jonathan Aldrich is developing a programming language called Wyvern, which makes it possible to build web pages and applications out of several programming languages at once, each focused on its own domain. One could use SQL to query databases, HTML for page layout, and so on; they act as a kind of sublanguage. To illustrate the concept, one of the developers offered the following analogy:
We could say that Wyvern is a skilful negotiator, able to switch easily between languages so that a group of people can work well together. I think our new approach can have a big impact on the way software has been developed so far.
– Jonathan Aldrich, associate professor at the ISR
Wyvern determines which sublanguage is in use from the types of the data the programmer is manipulating. Types specify the format of the data, whether a plain string of alphanumeric characters or a more complex structure, such as a database query issued from a web page.
Its goal is to increase security
A common practice is to concatenate strings to build commands in a specialized language such as SQL. If not done correctly, this leaves the project exposed to two of the most serious security threats today: cross-site scripting (XSS), when the same pattern is used to build HTML, and SQL injection. In the latter case, an attacker could use a simple login form to insert a DROP TABLE command and wipe vital information from the database.
Avoiding this kind of security problem requires care, experience and testing, but a language specialised for it like Wyvern could make the job easier. Wyvern recognises the different languages from the context and treats the data and objects embedded in them as literals (fixed values). Following the example above, instead of passing values through a special escaping function, the SQL code is written directly and user-supplied values remain values rather than becoming part of the command. The concept can be tricky to grasp, but the project's code examples give an idea.
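The following is an added illustration, not code from the article or from the Wyvern project: the string-concatenation pattern the article warns about, next to its parameterized counterpart, written in Python against an in-memory sqlite3 database. The table, the credentials and the two attack payloads are constructed for the demo. The stacked-statement case is run through executescript() to mimic a driver that accepts several statements in one call, because sqlite3's execute() refuses them; the parameterized query is the mainstream equivalent of what the article describes Wyvern doing by construction, the query shape and the values travel separately, so a value can never turn into SQL.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """Vulnerable: user input is spliced into the SQL text, so the
    database parses it as code rather than as a value."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + user
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, user, password):
    """Hardened: '?' placeholders keep the query shape fixed; the driver
    sends the values separately, so they are always data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


def lookup_concat_stacked(conn, user):
    """Vulnerable lookup run through executescript(), which (like some
    real drivers) accepts several ';'-separated statements at once. A
    payload that closes the quote and the statement can append its own."""
    conn.executescript(
        "SELECT name FROM users WHERE name = '" + user + "';")


def table_exists(conn, name):
    """Check the catalogue to see whether a table survived."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] > 0


def demo():
    """Run both attacks against both implementations and report outcomes."""
    conn = make_db()
    # Classic authentication bypass: the password clause becomes
    #   ... AND password = '' OR '1'='1'
    bypass = "' OR '1'='1"
    results = {
        "valid_concat": login_concat(conn, "alice", "correct-horse"),
        "bypass_concat": login_concat(conn, "alice", bypass),   # True: logged in
        "bypass_param": login_param(conn, "alice", bypass),     # False: rejected
    }
    # The article's DROP TABLE case: ends the SELECT, appends a DROP,
    # and comments out the dangling quote.
    lookup_concat_stacked(conn, "x'; DROP TABLE users; --")
    results["users_table_survives"] = table_exists(conn, "users")  # False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two vulnerable functions fail in different ways: the first lets the attacker change the boolean logic of a query the programmer wrote, the second lets them append a statement the programmer never wrote. Both come from the same root cause, treating a value as source text, which is exactly what the type-directed embedding described above is meant to rule out.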
Wyvern is not finished yet; it has only been implemented at a basic level, so many features are not fully developed. To see what goes on behind the curtain, you can visit the project's website on GitHub. Anything that helps solve security problems is welcome. However, I miss friendlier documentation that shows the concepts proposed by the Wyvern developers in practice. The closest thing to it is the research papers, and they are not very digestible. For now, we look forward to the news they bring.
February 5, 2015