New programming language to plug information leaks in software

The current method for preventing users and unauthorised individuals from obtaining information to which they should not have access in data programs is often to have code reviewers check the code manually, looking for potential weaknesses. Niklas Broberg of the University of Gothenburg has developed a new programming language which automatically identifies potential information leaks while the program is being written.

The most common causes of in today's software are not inadequate , poor security protocols or weak encryption mechanisms. In most cases, they are the result of imperfectly written software that contains the potential for information leaks. Users are able to exploit leaks and that are unintentionally introduced during programming, to obtain more information than they should have access to.

Unauthorised users may also be able to manipulate sensitive information in the system, such as that contained in a database. Currently, the most common method of preventing leaks, loopholes and manipulation is to rely on so-called code reviewers, who "proof-read" the code manually in order to identify errors and deficiencies once the programmers are finished with the code.

Paragon identifies potential information leaks while the program is being written

As a solution to these problems, Niklas Broberg has developed the programming language Paragon. The methodology is presented in his thesis "Practical, Flexible Programming with Information Flow Control" which was written in August 2011.

"The main strength of Paragon is its ability to automatically identify potential information leaks while the program is being developed," says Niklas Broberg. "Paragon is an extension of the commonly-used Java and has been designed to be easy to use. A programmer will easily be able to add my specifications to his or her Java program, thus benefiting from the strong security guarantees that the language provides."

Two-stage security process

Niklas Broberg's method has two stages. The first stage specifies how information in the software may be used, who should be allowed access to it and under what conditions. Stage two of the security process takes place during compilation, where the program's use of information is analysed in depth. If the analysis identifies a risk for sensitive information leaking or being manipulated, the compiler reports an error, enabling the programmer to resolve the issue immediately. The analysis is proven to provide better guarantees than all previous attempts in this field.

"Achieving information security in a system requires a chain of different measures, with the system only being as secure as its weakest link," says Niklas Broberg. "We can have completely effective methods for guaranteeing the authentication of users or encryption of data, but which can be circumvented in practice due to information leaks. loopholes in software are currently the most common source of vulnerabilities in our computer systems and it is high time we take these problems seriously."


Explore further

Software Tool Plugs Security Leaks

Citation: New programming language to plug information leaks in software (2011, November 23) retrieved 6 December 2019 from https://phys.org/news/2011-11-language-leaks-software.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
0 shares

Feedback to editors

User comments