New programming language to plug information leaks in software

Nov 23, 2011

The current method for preventing users and unauthorised individuals from obtaining information to which they should not have access in data programs is often to have code reviewers check the code manually, looking for potential weaknesses. Niklas Broberg of the University of Gothenburg has developed a new programming language which automatically identifies potential information leaks while the program is being written.

The most common causes of in today's software are not inadequate , poor security protocols or weak encryption mechanisms. In most cases, they are the result of imperfectly written software that contains the potential for information leaks. Users are able to exploit leaks and that are unintentionally introduced during programming, to obtain more information than they should have access to.

Unauthorised users may also be able to manipulate sensitive information in the system, such as that contained in a database. Currently, the most common method of preventing leaks, loopholes and manipulation is to rely on so-called code reviewers, who "proof-read" the code manually in order to identify errors and deficiencies once the programmers are finished with the code.

Paragon identifies potential information leaks while the program is being written

As a solution to these problems, Niklas Broberg has developed the programming language Paragon. The methodology is presented in his thesis "Practical, Flexible Programming with Information Flow Control" which was written in August 2011.

"The main strength of Paragon is its ability to automatically identify potential information leaks while the program is being developed," says Niklas Broberg. "Paragon is an extension of the commonly-used Java and has been designed to be easy to use. A programmer will easily be able to add my specifications to his or her Java program, thus benefiting from the strong security guarantees that the language provides."

Two-stage security process

Niklas Broberg's method has two stages. The first stage specifies how information in the software may be used, who should be allowed access to it and under what conditions. Stage two of the security process takes place during compilation, where the program's use of information is analysed in depth. If the analysis identifies a risk for sensitive information leaking or being manipulated, the compiler reports an error, enabling the programmer to resolve the issue immediately. The analysis is proven to provide better guarantees than all previous attempts in this field.

"Achieving information security in a system requires a chain of different measures, with the system only being as secure as its weakest link," says Niklas Broberg. "We can have completely effective methods for guaranteeing the authentication of users or encryption of data, but which can be circumvented in practice due to information leaks. loopholes in software are currently the most common source of vulnerabilities in our computer systems and it is high time we take these problems seriously."

Explore further: SHORE facial analysis spots emotions on Google Glass

add to favorites email to friend print save as pdf

Related Stories

Software Tool Plugs Security Leaks

Aug 01, 2007

Often when you make an Internet transaction, symbols on the Web page assure you that your transaction will be secure and that private information about you, such as passwords, bank account or credit card numbers, will not ...

'Fabric' would tighten the weave of online security

Oct 01, 2010

(PhysOrg.com) -- As we become increasingly dependent on computers to manage our lives and businesses, our money and privacy become less and less secure. But now, Cornell researchers offer a way to build security ...

Trust in global computing

Jul 12, 2006

Access to distributed mobile resources by software agents of all types promises much for global computing. But it suffers from the same security and trust problems as the internet itself. Now new tools and ...

Software 'Chipper' Speeds Debugging

Oct 01, 2007

Computer scientists at UC Davis have developed a technique to speed up program debugging by automatically "chipping" the software into smaller pieces so that bugs can be isolated more easily.

Google Go gets going (w/ Video)

Nov 11, 2009

(PhysOrg.com) -- Google has introduced its new experimental programming language Go, which aims to combine speedy application development through simplified coding with high-speed program execution.

Recommended for you

Watching others play video games is the new spectator sport

6 hours ago

As the UK's largest gaming festival, Insomnia, wrapped up its latest event on August 25, I watched a short piece of BBC Breakfast news reporting from the festival. The reporter and some of the interviewees appeared baff ...

SHORE facial analysis spots emotions on Google Glass

Aug 28, 2014

One of the key concerns about facial recognition software has been over privacy. The very idea of having tracking mechanisms as part of an Internet-connected wearable would be likely to upset many privacy ...

Does your computer know how you're feeling?

Aug 22, 2014

Researchers in Bangladesh have designed a computer program that can accurately recognize users' emotional states as much as 87% of the time, depending on the emotion.

User comments : 0