Safely Composable Type-Specific Languages

Omar, Cyrus; Kurilova, Darya; Nistor, Ligia; Chung, Benjamin; Potanin, Alex; Aldrich, Jonathan

doi:10.1007/978-3-662-44202-9_5

Cited by 36 publications

(35 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One way to imbue string literals with meaning is creating new programming languages that allow the de nition of arbitrary literal types, such as Wyvern [15]. However, we cannot disregard existing languages such as JavaScript.…”

Section: Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Lifting the curse of stringly-typed code

Santos

Ali

2017

Preprint

View full text Add to dashboard Cite

How o en do JavaScript programmers embed structured languages into strings literals? We conduct an empirical investigating mining nearly 500 thousand JavaScript source files from almost ten thousand repositories from GitHub. We parsed each string literal with seven separate common grammars, and found the most common data type that is hidden within the confines of string literals. To AbstractHow o en do JavaScript programmers embed structured languages into strings literals? We conduct an empirical investigating mining nearly 500 thousand JavaScript source files from almost ten thousand repositories from GitHub. We parsed each string literal with seven separate common grammars, and found the most common data type that is hidden within the confines of string literals. To reduce the overuse of strings for structured data types, we present a static program analyzer that finds embedded languages and warns the developer, providing an optional fix.

show abstract

Section: Resultsmentioning

confidence: 99%

“…For example, the Wyvern language [15] has rst-class support for type-speci c languages that allows the developer to write grammars that parse their own custom data types in the language. Alas, this is not the case for JavaScript.…”

Section: Preprintsmentioning

confidence: 99%

Lifting the curse of stringly-typed code

Santos

Ali

2017

Preprint

View full text Add to dashboard Cite

show abstract

“…The Wyvern programming language introduced a general framework for writing syntax extensions like this [10]. Unlike this work, our solution to the input sanitation problem retains a string representation and thus has a very low barrier to adoption.…”

Section: Related Workmentioning

confidence: 96%

Statically typed string sanitation inside a python

Fulton

Omar

Aldrich

2014

Proceedings of the 2014 International Workshop on Privacy &Amp; Security in Programming - PSP '14

Self Cite

View full text Add to dashboard Cite

Web applications must ultimately command systems like web browsers and database engines using strings. Strings derived from improperly sanitized user input can as a result be a vector for command injection attacks. In this paper, we introduce regular string types, which classify strings constrained statically to be in a regular language specified by a regular expression. Regular strings support standard string operations like concatenation and substitution, as well as safe coercions, so they can be used to implement, in an essentially conventional manner, the pieces of a web application or framework that handle strings arising from user input. Simple type annotations at function interfaces can be used to statically verify that sanitization has been performed correctly without introducing redundant run-time checks. We specify this type system first as a minimal typed lambda calculus, λ RS .To be practical, adopting a specialized type system like this should not require the adoption of a new programming language. Instead, we advocate for extensible type systems: new type system fragments like this should be implemented as libraries atop a mechanism that guarantees that they can be safely composed. We support this with two contributions. First, we specify a translation from λ RS to a calculus with only standard strings and regular expressions. Then, taking Python as a language with these constructs, we implement the type system together with the translation as a library using typy, an extensible static type system for Python.

show abstract

“…Our work applies programming language theory to discover a new foundational principle for modular language extensibility [13]. This, in turn, adds to the body of scientific knowledge concerning defense against injection attacks.…”

Section: The Sciencementioning

confidence: 99%