New programming language accommodates multiple languages in same program

Aug 07, 2014

Computer scientists at Carnegie Mellon University have designed a way to safely use multiple programming languages within the same program, enabling programmers to use the language most appropriate for each function while guarding against code injection attacks, one of the most severe security threats in Web applications today.

A research group led by Jonathan Aldrich, associate professor in the Institute for Software Research (ISR), is developing a called Wyvern that makes it possible to construct programs using a variety of targeted, domain-specific languages, such as SQL for querying databases or HTML for constructing Web pages, as sublanguages, rather than writing the entire program using a general purpose language.

Wyvern determines which sublanguage is being used within the program based on the type of data that the programmer is manipulating. Types specify the format of data, such as alphanumeric characters, floating-point numbers or more complex data structures, such as Web pages and database queries.

The type provides context, enabling Wyvern to identify a sublanguage associated with that type in the same way that a person would realize that a conversation about gourmet dining might include some French words and phrases, explained Joshua Sunshine, ISR systems scientist.

"Wyvern is like a skilled international negotiator who can smoothly switch between languages to get a whole team of people to work together," Aldrich said. "Such a person can be extremely effective and, likewise, I think our new approach can have a big impact on building software systems."

Many programming tasks can involve multiple languages; when building a Web page, for instance, HTML might be used to create the bulk of the page, but the programmer might also include SQL to access databases and JavaScript to allow for user interaction. By using type-specific languages, Wyvern can simplify that task for the programmer, Aldrich said, while also avoiding workarounds that can introduce security vulnerabilities.

One common but problematic practice is to paste together strings of characters to form a command in a specialized language, such as SQL, within a program. If not implemented carefully, however, this practice can leave computers vulnerable to two of the most serious on the Web today—cross-site scripting attacks and SQL injection attacks. In the latter case, for instance, someone with knowledge of computer systems could use a login/password form or an order form on a Web site to type in a command to DROP TABLE that could wipe out a database.

"Wyvern would make the use of strings for this purpose unnecessary and thus eliminate all sorts of injection vulnerabilities," Aldrich said.

Previous attempts to develop programming languages that could understand other languages have faced tradeoffs between composability and expressiveness; they were either limited in their ability to unambiguously determine which embedded language was being used, or limited in which embedded languages could be used.

"With Wyvern, we're allowing you to use these languages, and define new ones, without worrying about composition," said Cyrus Omar, a Ph.D. student in the Computer Science Department and the lead designer of Wyvern's type-specific language approach.

Wyvern is not yet fully engineered, Omar noted, but is an open source project that is ready for experimental use by early adopters. More information is available at http://www.cs.cmu.edu/~aldrich/wyvern/.

Explore further: Grammatical habits in written English reveal linguistic features of non-native speakers' languages

More information: A research paper, "Safely Composable Type-Specific Languages," by Omar, Aldrich, Darya Kurilova, Ligia Nistor and Benjamin Chung of CMU and Alex Potanin of Victoria University of Wellington, recently won a distinguished paper award at the European Conference on Object-Oriented Programming in Uppsala, Sweden.

add to favorites email to friend print save as pdf

Related Stories

Facebook releases Hack programming language for HHVM

Mar 23, 2014

(Phys.org) —Facebook this week unveiled Hack, a programming language they had in use for a year but have now released as per an official announcement posted on the engineering blog on Thursday. What's in it for programmers? ...

Recommended for you

Forging a photo is easy, but how do you spot a fake?

Nov 21, 2014

Faking photographs is not a new phenomenon. The Cottingley Fairies seemed convincing to some in 1917, just as the images recently broadcast on Russian television, purporting to be satellite images showin ...

Algorithm, not live committee, performs author ranking

Nov 21, 2014

Thousands of authors' works enter the public domain each year, but only a small number of them end up being widely available. So how to choose the ones taking center-stage? And how well can a machine-learning ...

Professor proposes alternative to 'Turing Test'

Nov 19, 2014

(Phys.org) —A Georgia Tech professor is offering an alternative to the celebrated "Turing Test" to determine whether a machine or computer program exhibits human-level intelligence. The Turing Test - originally ...

Image descriptions from computers show gains

Nov 18, 2014

"Man in black shirt is playing guitar." "Man in blue wetsuit is surfing on wave." "Black and white dog jumps over bar." The picture captions were not written by humans but through software capable of accurately ...

Converting data into knowledge

Nov 17, 2014

When a movie-streaming service recommends a new film you might like, sometimes that recommendation becomes a new favorite; other times, the computer's suggestion really misses the mark. Yisong Yue, assistant ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

baudrunner
5 / 5 (3) Aug 07, 2014
We used to call these YACCs (Yet Another Compiler Compiler).
Arties
Aug 07, 2014
This comment has been removed by a moderator.
alfie_null
5 / 5 (1) Aug 08, 2014
It's focused on web and mobile applications. Hardly the entire domain of computer science problems. Though if it finds a niche making the web safer, I'm all for it. But old habits die hard. Fifty years from now, we'll probably still have folks writing PHP.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.