Insecure programming: how culpable is a language's syntax?

Vulnerabilities in software stem from poorly written code. Inadvertent errors may creep in due to programmers not being aware of the security implications of their code. Writing secure code is largely a software engineering issue requiring the education of programmers about safe coding practices. Various projects and efforts such as memory usage profiling, meta-compilation and typing proofs that verify correctness of the code at compile-time and run-time provide additional assistance in this regard. We point out that in the context of security, one aspect that is perhaps underrated or overlooked is that vulnerabilities may be inherent in the syntax and grammar of a programming language itself. We leverage on some well-studied problems to show that small syntactic discrepancies may lead to vast semantic differences in programs and in turn, correlate to hard security errors. This technique will helps caution programmers on the types of errors to avoid as well as serve as a guideline for language designers to lay emphasis not only on richness of language features but also the unambiguity of the syntax.

[1]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[2]  Gordon Lyon,et al.  Syntax-directed least-errors analysis for context-free languages , 1974, Commun. ACM.

[3]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[4]  Ricardo A. Baeza-Yates,et al.  Fast approximate string matching in a dictionary , 1998, Proceedings. String Processing and Information Retrieval: A South American Symposium (Cat. No.98EX207).

[5]  Dexter Kozen,et al.  Language-Based Security , 1999, MFCS.

[6]  Michael J. Fischer,et al.  The String-to-String Correction Problem , 1974, JACM.

[7]  Crispin Cowan,et al.  FormatGuard: Automatic Protection From printf Format String Vulnerabilities , 2001, USENIX Security Symposium.

[8]  Bjarne Stroustrup,et al.  C++ Programming Language , 1986, IEEE Softw..

[9]  Premkumar T. Devanbu,et al.  Software engineering for security: a roadmap , 2000, ICSE '00.

[10]  Susan L. Graham,et al.  Practical syntactic error recovery , 1975, CACM.

[11]  Matthias Felleisen,et al.  On the Expressive Power of Programming Languages , 1990, European Symposium on Programming.

[12]  Gregor Kiczales,et al.  Aspect-oriented programming , 1996, CSUR.

[13]  Cyril N. Alberga,et al.  String similarity and misspellings , 1967, CACM.

[14]  Fred B. Schneider,et al.  A Language-Based Approach to Security , 2001, Informatics.

[15]  Jan Jürjens,et al.  Towards Development of Secure Systems Using UMLsec , 2001, FASE.

[16]  Geoffrey Smith,et al.  A new type system for secure information flow , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[17]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[18]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[19]  Lutz Prechelt,et al.  An empirical comparison of C, C++, Java, Perl, Python, Rexx, and Tcl for a search/string-processing program , 2000 .

[20]  Lutz Prechelt,et al.  An Empirical Comparison of Seven Programming Languages , 2000, Computer.

[21]  Gregor Kiczales,et al.  Aspect-oriented programming , 2001, ESEC/FSE-9.

[22]  Peter N. Yianilos,et al.  Learning String-Edit Distance , 1996, IEEE Trans. Pattern Anal. Mach. Intell..

[23]  Ivar Jacobson,et al.  Software Reuse: Architecture, Process And Organization For Business Success , 1998, Proceedings. Technology of Object-Oriented Languages. TOOLS 26 (Cat. No.98EX176).