research-article

Wyvern: Impacting Software Security via Programming Language Design

Authors:

Darya Kurilova,

Alex Potanin,

Jonathan AldrichAuthors Info & Claims

PLATEAU '14: Proceedings of the 5th Workshop on Evaluation and Usability of Programming Languages and Tools

Pages 57 - 58

https://doi.org/10.1145/2688204.2688216

Published: 21 October 2014 Publication History

Get Access

Abstract

Breaches of software security affect millions of people, and therefore it is crucial to strive for more secure software systems. However, the effect of programming language design on software security is not easily measured or studied. In the absence of scientific insight, opinions range from those that claim that programming language design has no effect on security of the system, to those that believe that programming language design is the only way to provide "high-assurance software." In this paper, we discuss how programming language design can impact software security by looking at a specific example: the Wyvern programming language. We report on how the design of the Wyvern programming language leverages security principles, together with hypotheses about how usability impacts security, in order to prevent command injection attacks. Furthermore, we discuss what security principles we considered in Wyvern's design.

References

[1]

J. Aldrich, C. Omar, A. Potanin, and D. Li. Language-Based Architectural Control. In IWACO, 2014.

Google Scholar

[2]

K. Hickey. Most secure Web programming language? It depends., April 2014. URL http://gcn.com/articles/2014/04/24/programming-language-security.aspx.

Google Scholar

[3]

D. Kurilova, C. Omar, L. Nistor, B. Chung, A. Potanin, and J. Aldrich. Type-Specific Languages to Fight Injection Attacks. In HotSoS, 2014.

Digital Library

Google Scholar

[4]

L. Nistor, D. Kurilova, S. Balzer, B. Chung, A. Potanin, and J. Aldrich. Wyvern: A Simple, Typed, and Pure Object-oriented Language. In MASPEGHI, 2013.

Digital Library

Google Scholar

[5]

C. Omar, D. Kurilova, L. Nistor, B. Chung, A. Potanin, and J. Aldrich. Safely Composable Type-Specific Languages. In ECOOP, 2014.

Digital Library

Google Scholar

[6]

OWASP. Category:OWASP Top Ten Project, 2014. URL https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.

Google Scholar

[7]

P. Perego. Which Is the Most Secure Programming Language Ever?, July 2012. URL http://armoredcode.com/blog/which-is-the-mostsecure-programming-language-ever/.

Google Scholar

[8]

J. H. Saltzer and M. D. Schroeder. The Protection of Information in Computer Systems. Proc. IEEE, 1975.

Google Scholar

Cited By

View all

Reis SAbreu RCruz L(2021)Fixing vulnerabilities potentially hinders maintainabilityEmpirical Software Engineering10.1007/s10664-021-10019-z26:6Online publication date: 22-Sep-2021
https://doi.org/10.1007/s10664-021-10019-z
Poll E(2018)LangSec Revisited: Input Security Flaws of the Second Kind2018 IEEE Security and Privacy Workshops (SPW)10.1109/SPW.2018.00051(329-334)Online publication date: May-2018
https://doi.org/10.1109/SPW.2018.00051
Mbelli TDwolatzky B(2016)Cyber Security, a Threat to Cyber Banking in South Africa: An Approach to Network and Application Security2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud)10.1109/CSCloud.2016.18(1-6)Online publication date: Jun-2016
https://doi.org/10.1109/CSCloud.2016.18

Index Terms

Wyvern: Impacting Software Security via Programming Language Design
1. Software and its engineering
  1. Software notations and tools
    1. General programming languages
      1. Language features

Recommendations

A case study in language-based security: building an I/O library for Wyvern
Onward! 2020: Proceedings of the 2020 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software

As the impact of vulnerabilities increases in practice, it is imperative for programming languages to include security as a first-class design consideration. While a number of security-related language features have been proposed to address this need, ...
Wyvern: a simple, typed, and pure object-oriented language
MASPEGHI '13: Proceedings of the 5th Workshop on MechAnisms for SPEcialization, Generalization and inHerItance

The simplest and purest practical object-oriented language designs today are seen in dynamically-typed languages, such as Smalltalk and Self. Static types, however, have potential benefits for productivity, security, and reasoning about programs. In this ...
Definitional Interpreters for Higher-Order Programming Languages

Higher-order programming languages (i.e., languages in which procedures or labels can occur as values) are usually defined by interpreters that are themselves written in a programming language based on the lambda calculus (i.e., an applicative language ...

Comments

Information & Contributors

Information

Published In

PLATEAU '14: Proceedings of the 5th Workshop on Evaluation and Usability of Programming Languages and Tools

October 2014

80 pages

ISBN:9781450322775

DOI:10.1145/2688204

Program Chairs:
Joshua Sunshine
Carnegie Mellon University, USA
,
Thomas LaToza
University of California, Irvine, USA
,
Craig Anslow
University of Calgary, Canada

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

SIGAda: ACM Special Interest Group on Ada Programming Language

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 October 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

USA NSA Lablet

Conference

SPLASH '14

Sponsor:

SIGPLAN

SPLASH '14: Conference on Systems, Programming, and Applications: Software for Humanity

October 21, 2014

Oregon, Portland, USA

Acceptance Rates

PLATEAU '14 Paper Acceptance Rate 5 of 8 submissions, 63%;

Overall Acceptance Rate 5 of 8 submissions, 63%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
150
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)2

Reflects downloads up to 13 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Reis SAbreu RCruz L(2021)Fixing vulnerabilities potentially hinders maintainabilityEmpirical Software Engineering10.1007/s10664-021-10019-z26:6Online publication date: 22-Sep-2021
https://doi.org/10.1007/s10664-021-10019-z
Poll E(2018)LangSec Revisited: Input Security Flaws of the Second Kind2018 IEEE Security and Privacy Workshops (SPW)10.1109/SPW.2018.00051(329-334)Online publication date: May-2018
https://doi.org/10.1109/SPW.2018.00051
Mbelli TDwolatzky B(2016)Cyber Security, a Threat to Cyber Banking in South Africa: An Approach to Network and Application Security2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud)10.1109/CSCloud.2016.18(1-6)Online publication date: Jun-2016
https://doi.org/10.1109/CSCloud.2016.18

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

A case study in language-based security: building an I/O library for Wyvern

Wyvern: a simple, typed, and pure object-oriented language

Definitional Interpreters for Higher-Order Programming Languages