DocumentCode :
2084657
Title :
Insecure programming: how culpable is a language's syntax?
Author :
Chinchani, R. ; Iyer, A. ; Jayaraman, B. ; Upadhyaya, S.
Author_Institution :
Dept. of Comput. Sci. & Eng., Univ. at Buffalo, NY, USA
fYear :
2003
fDate :
18-20 June 2003
Firstpage :
158
Lastpage :
163
Abstract :
Vulnerabilities in software stem from poorly written code. Inadvertent errors may creep in due to programmers not being aware of the security implications of their code. Writing secure code is largely a software engineering issue requiring the education of programmers about safe coding practices. Various projects and efforts such as memory usage profiling, meta-compilation and typing proofs that verify correctness of the code at compile-time and run-time provide additional assistance in this regard. We point out that in the context of security, one aspect that is perhaps underrated or overlooked is that vulnerabilities may be inherent in the syntax and grammar of a programming language itself. We leverage some well-studied problems to show that small syntactic discrepancies may lead to vast semantic differences in programs and in turn, correlate to hard security errors. This technique will help caution programmers on the types of errors to avoid as well as serve as a guideline for language designers to lay emphasis not only on richness of language features but also the unambiguity of the syntax.
Keywords :
error handling; grammars; program control structures; program debugging; program verification; programming; programming language semantics; programming theory; security of data; ambiguous syntactic constructs; grammars; insecure programming; programming language security; secure software engineering; software vulnerability; syntax error; Computer errors; Computer languages; Computer science; Computer security; Creep; Data security; Java; Programming profession; Runtime; Writing;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society
Print_ISBN :
0-7803-7808-3
Type :
conf
DOI :
10.1109/SMCSIA.2003.1232415
Filename :
1232415