Type-specific languages to fight injection attacks

Kurilova, Darya; Omar, Cyrus; Nistor, Ligia; Chung, Benjamin; Potanin, Alex; Aldrich, Jonathan

doi:10.1145/2600176.2600194

Cited by 2 publications

(3 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Wyvern is able to prevent command injection vulnerabilities [3], and we now illustrate how the design of the Wyvern programming language is able to do it by looking specifically at SQL injections.…”

Section: Command Injection Defense In Wyvernmentioning

confidence: 99%

See 1 more Smart Citation

Wyvern

Kurilova

Potanin

Aldrich

2014

Proceedings of the 5th Workshop on Evaluation and Usability of Programming Languages and Tools

Self Cite

View full text Add to dashboard Cite

Breaches of software security affect millions of people, and therefore it is crucial to strive for more secure software systems. However, the effect of programming language design on software security is not easily measured or studied. In the absence of scientific insight, opinions range from those that claim that programming language design has no effect on security of the system, to those that believe that programming language design is the only way to provide "high-assurance software." In this paper, we discuss how programming language design can impact software security by looking at a specific example: the Wyvern programming language. We report on how the design of the Wyvern programming language leverages security principles, together with hypotheses about how usability impacts security, in order to prevent command injection attacks. Furthermore, we discuss what security principles we considered in Wyvern's design.

show abstract

Section: Command Injection Defense In Wyvernmentioning

confidence: 99%

“…Thus, any command language can be incorporated, guarding against any kind of command injection attack [3], not just SQL injections. In many prior extensible languages it was possible for language extensions to conflict.…”

Section: Command Injection Defense In Wyvernmentioning

confidence: 99%

Wyvern

Kurilova

Potanin

Aldrich

2014

Proceedings of the 5th Workshop on Evaluation and Usability of Programming Languages and Tools

Self Cite

View full text Add to dashboard Cite

show abstract

“…To redress the balance, this paper considers the second category and looks at ideas and (anti)patterns in tackling injection flaws. One approach here is to address the problem at the level of the programming language, as proposed in Wyvern [1], with a so-called type-specific programming language that offers native support for input and output formats handled by programs. Another approach is the ongoing evolution in mechanisms to tackle XSS in applications [2].…”

Section: Introductionmentioning

confidence: 99%

LangSec Revisited: Input Security Flaws of the Second Kind

Poll

2018

2018 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

We consider a simple classification of input flaws in two categories: (1) flaws in processing input, with buffer overflows in parsers as the classic example and (2) flaws in forwarding input to some other system, aka injection flaws, with SQL injection and XSS as classic examples. The LangSec paradigm identifies common root causes for both categories of flaws, but much of the LangSec literature and efforts focus on the first category of flaws, esp. on techniques to eliminate parser bugs. Therefore we take a look at some existing approaches to tackling the second category of flaws, to identify (anti)patterns and place these in the LangSec perspective.

show abstract

Type-specific languages to fight injection attacks

Cited by 2 publications

References 15 publications

Wyvern

Wyvern

LangSec Revisited: Input Security Flaws of the Second Kind

Contact Info

Product

Resources

About