Web and mobile applications would be a lot more secure if it weren’t for a common coding practice that leaves vulnerabilities behind. Different programming languages solve different problems, so developers routinely use several languages within one application, typically by assembling fragments of one language (an SQL query, a piece of HTML) as strings inside another. When untrusted input is spliced into those strings, the result is code injection, cross-site scripting, SQL injection, and similar attacks.
With so many programming languages available, developers aren’t always sure which one to use. Computer scientists at Carnegie Mellon University hope to ease that dilemma with Wyvern, a programming language designed to let developers combine multiple languages in the same program safely.
“Different languages capture different patterns and abstractions more concisely than others, and each language involves trade-offs,” said Cyrus Omar, computer science student at CMU. “Computing is now used in so many problem domains that it’s hard to imagine one language designer capturing all possible uses.”
“We wanted to develop Wyvern as a way of stitching these languages seamlessly together, so that programmers can work more productively and can avoid these vulnerabilities,” he said.
Currently, Wyvern lets programmers embed special-purpose languages such as HTML or SQL within a general-purpose programming language. If Wyvern doesn’t already support a particular special-purpose language, programmers can add support for it themselves.
“It’s also very easy for programmers to switch from one language to another within Wyvern, which lowers the barrier to getting the benefits of multiple languages in one program,” said Jonathan Aldrich, computer science professor at CMU.
While a number of existing approaches integrate multiple languages in one form or another, the researchers stressed that Wyvern stands out because it doesn’t represent embedded languages like HTML as strings, which is the practice that lets injection bugs in. It also lets programmers add as many new sub-languages as they want, makes it easy for anyone to implement a compiler for one, and allows programmers to move between languages in a natural way.
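An added example, written in Python rather than Wyvern, to make concrete the string-versus-structured distinction the article draws above and the injection risk described at the top of the page. The `vulnerable_*` functions build SQL and HTML by concatenating strings, so user input can rewrite the embedded code; the `safe_*` versions keep the embedded language separate from the data, using a parameterized query and a small `Html` value type that escapes anything that is not already markup. This is not the Wyvern project’s code: the sample table, the user names and all function and class names are constructed for the demo, and the `Html` class is a deliberately simplified stand-in for what a typed embedded language can enforce at compile time.

```python
import html
import sqlite3

# Constructed sample data for this demo (not from the article or the Wyvern project).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """SQL represented as a string: the caller's input is pasted into the query
    text, so input containing quotes or keywords becomes part of the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """The query text is fixed; the value travels separately as a parameter,
    so it is only ever treated as data, never as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


class Html:
    """A markup value instead of a plain string (hypothetical helper for this demo).
    Markup only enters through raw(); anything combined with an Html value
    that is not itself Html is treated as text and escaped."""

    def __init__(self, markup: str):
        self._markup = markup

    @classmethod
    def raw(cls, markup: str) -> "Html":
        # Trusted literal markup written by the programmer.
        return cls(markup)

    @classmethod
    def text(cls, value: object) -> "Html":
        # Untrusted data: escape &, <, >, " and ' so it cannot become markup.
        return cls(html.escape(str(value), quote=True))

    def __add__(self, other: object) -> "Html":
        other_html = other if isinstance(other, Html) else Html.text(other)
        return Html(self._markup + other_html._markup)

    def __str__(self) -> str:
        return self._markup


def vulnerable_greeting(name: str) -> str:
    """HTML as a string: a name containing tags is emitted as tags."""
    return "<p>Hello, " + name + "</p>"


def safe_greeting(name: str) -> str:
    """HTML as an Html value: the name is data and is escaped on the way in."""
    return str(Html.raw("<p>Hello, ") + name + Html.raw("</p>"))


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, injected))  # both rows leak
    print("safe:      ", safe_lookup(db, injected))        # [] (no such user)
    payload = "<script>alert(1)</script>"
    print(vulnerable_greeting(payload))  # script tag survives intact
    print(safe_greeting(payload))        # script tag arrives escaped
```

The parameterized query and the `Html` type are the conventional library-level fixes; what the article describes is moving that separation into the language itself, so that an SQL or HTML fragment is parsed and typed where it is written and a string can never be mistaken for code.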
“There have been a good number of previous efforts, like SugarJ,” said Omar. “These have generally thrown a bit of caution to the wind regarding composition: If a conflict arises, they assume that the programmer can work around it somehow. While this is sometimes true, it’s not a very clean solution from our perspective, which is one where we care a lot about the fundamental guarantees that a language provides.”
Wyvern’s development is funded by the NSA, the government agency that has been making headlines recently over its surveillance programs. But Aldrich and Omar said the NSA is not directly involved in the development work itself.
“There has never been even a hint of direct influence from the NSA; they essentially give us money, we do what we think is reasonable with it, and then occasionally tell them what we did in the form of reports and poster sessions and presentations,” said Omar.
“I haven’t felt one iota of influence from the NSA in any of the work we’ve done.”
“The NSA plays many roles, and some of them are controversial,” added Aldrich. “What’s important to me is that with our lablet (mini-lab), the NSA is trying to strengthen the science of security in ways that will benefit the entire industry.”
The researchers hope Wyvern will be used in Web and mobile applications. Currently, Wyvern isn’t targeted at systems programming, but a systems programming language could be developed that leverages the language extension ideas from Wyvern, according to Aldrich.
In the future, the researchers plan to expand the language further and to give developers better architectural control over their source code.