New programming language to plug information leaks in software

Nov 23, 2011

The current method for preventing users and unauthorised individuals from obtaining information to which they should not have access in data programs is often to have code reviewers check the code manually, looking for potential weaknesses. Niklas Broberg of the University of Gothenburg has developed a new programming language which automatically identifies potential information leaks while the program is being written.

The most common causes of in today's software are not inadequate , poor security protocols or weak encryption mechanisms. In most cases, they are the result of imperfectly written software that contains the potential for information leaks. Users are able to exploit leaks and that are unintentionally introduced during programming, to obtain more information than they should have access to.

Unauthorised users may also be able to manipulate sensitive information in the system, such as that contained in a database. Currently, the most common method of preventing leaks, loopholes and manipulation is to rely on so-called code reviewers, who "proof-read" the code manually in order to identify errors and deficiencies once the programmers are finished with the code.

Paragon identifies potential information leaks while the program is being written

As a solution to these problems, Niklas Broberg has developed the programming language Paragon. The methodology is presented in his thesis "Practical, Flexible Programming with Information Flow Control" which was written in August 2011.

"The main strength of Paragon is its ability to automatically identify potential information leaks while the program is being developed," says Niklas Broberg. "Paragon is an extension of the commonly-used Java and has been designed to be easy to use. A programmer will easily be able to add my specifications to his or her Java program, thus benefiting from the strong security guarantees that the language provides."

Two-stage security process

Niklas Broberg's method has two stages. The first stage specifies how information in the software may be used, who should be allowed access to it and under what conditions. Stage two of the security process takes place during compilation, where the program's use of information is analysed in depth. If the analysis identifies a risk for sensitive information leaking or being manipulated, the compiler reports an error, enabling the programmer to resolve the issue immediately. The analysis is proven to provide better guarantees than all previous attempts in this field.

"Achieving information security in a system requires a chain of different measures, with the system only being as secure as its weakest link," says Niklas Broberg. "We can have completely effective methods for guaranteeing the authentication of users or encryption of data, but which can be circumvented in practice due to information leaks. loopholes in software are currently the most common source of vulnerabilities in our computer systems and it is high time we take these problems seriously."

Explore further: Microsoft expands ad-free Bing search for schools

add to favorites email to friend print save as pdf

Related Stories

Software Tool Plugs Security Leaks

Aug 01, 2007

Often when you make an Internet transaction, symbols on the Web page assure you that your transaction will be secure and that private information about you, such as passwords, bank account or credit card numbers, will not ...

'Fabric' would tighten the weave of online security

Oct 01, 2010

(PhysOrg.com) -- As we become increasingly dependent on computers to manage our lives and businesses, our money and privacy become less and less secure. But now, Cornell researchers offer a way to build security ...

Trust in global computing

Jul 12, 2006

Access to distributed mobile resources by software agents of all types promises much for global computing. But it suffers from the same security and trust problems as the internet itself. Now new tools and ...

Software 'Chipper' Speeds Debugging

Oct 01, 2007

Computer scientists at UC Davis have developed a technique to speed up program debugging by automatically "chipping" the software into smaller pieces so that bugs can be isolated more easily.

Google Go gets going (w/ Video)

Nov 11, 2009

(PhysOrg.com) -- Google has introduced its new experimental programming language Go, which aims to combine speedy application development through simplified coding with high-speed program execution.

Recommended for you

Microsoft expands ad-free Bing search for schools

8 hours ago

Microsoft is expanding a program that gives schools the ability to prevent ads from appearing in search results when they use its Bing search engine. The program, launched in a pilot program earlier this year, is now available ...

Growing app industry has developers racing to keep up

Apr 20, 2014

Smartphone application developers say they are challenged by the glut of apps as well as the need to update their software to keep up with evolving phone technology, making creative pricing strategies essential to finding ...

Android gains in US, basic phones almost extinct

Apr 18, 2014

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

Hackathon team's GoogolPlex gives Siri extra powers

Apr 17, 2014

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

Jacket works like a mobile phone

A fire is raging in a large building and the fire leader is sending a message to all firefighters at the scene. But they don't need a mobile phone – they simply check their jacket sleeves and read the message ...

Is nuclear power the only way to avoid geoengineering?

"I think one can argue that if we were to follow a strong nuclear energy pathway—as well as doing everything else that we can—then we can solve the climate problem without doing geoengineering." So says Tom Wigley, one ...

Male-biased tweeting

Today women take an active part in public life. Without a doubt, they also converse with other women. In fact, they even talk to each other about other things besides men. As banal as it sounds, this is far ...

High-calorie and low-nutrient foods in kids' TV

Fruits and vegetables are often displayed in the popular Swedish children's TV show Bolibompa, but there are also plenty of high-sugar foods. A new study from the University of Gothenburg explores how food is portrayed in ...