Mixing Programming Languages
Most programming languages come with built in support for handling common data types, however using and manipulating user-defined data types has to be done via general purpose syntax. This often leads to using Strings rather than structured data. Computer scientists have designed safe way to use multiple programming languages within the same program, which will allow programmers to use the language most suitable for each function while also guarding against code injection. Their language, called Wyvern, is available as an Open Source Project.
The full paper is available as a PDF.
The full paper is available as a PDF.
Wyvern determines which sublanguage is being used within the program based on the type of data the programmer is manipulating. Types specify the format of data, such as alphanumeric characters, floating-point numbers or more complex data structures, such as Web pages and database queries.
The type provides context, enabling Wyvern to identify a sublanguage associated with that type in the same way that a person would realize that a conversation about gourmet dining might include some French words and phrases, explained Joshua Sunshine, ISR systems scientist.
"Wyvern is like a skilled international negotiator who can smoothly switch between languages to get a whole team of people to work together," Aldrich said. "Such a person can be extremely effective and, likewise, I think our new approach can have a big impact on building software systems."
Many programming tasks can involve multiple languages; when building a Web page, for instance, HTML might be used to create the bulk of the page, but the programmer might also include SQL to access databases and JavaScript to allow for user interaction. By using type-specific languages, Wyvern can simplify that task for the programmer, Aldrich said, while also avoiding workarounds that can introduce security vulnerabilities.
One common but problematic practice is to paste together strings of characters to form a command in a specialized language, such as SQL, within a program. If not implemented carefully, however, this practice can leave computers vulnerable to two of the most serious security threats on the Web today — cross-site scripting attacks and SQL injection attacks. In the latter case, for instance, someone with knowledge of computer systems could use a login/password form or an order form on a Web site to type in a command to DROP TABLE that could wipe out a database.