A new programming language has been devised with the objective of plugging information leaks in software.
As many high profile stories of hackers obtaining information due to data leaks shows, it’s not easy to make sure your application keeps its data safe. Researchers at the University of Gothenburg have developed a language that is designed to do the checks for you while you’re writing your app
The idea behind the new Java-based language is that in many cases what goes wrong is that users are able to exploit leaks and loopholes that are unintentionally introduced during programming to obtain more information than they should have access to. In current languages the only way to overcome this is to proofread the code trying to spot where potential weaknesses occur; the alternative is to wait and see where the hackers break through.
The alternative, developed by Niklas Broberg at the University of Gothenburg is called Paragon, and the techniques used by the programming language are shown in his thesis "Practical, Flexible Programming with Information Flow Control".
“The main strength of Paragon is its ability to automatically identify potential information leaks while the program is being developed,”
says Niklas Broberg.
“Paragon is an extension of the commonly-used programming language Java and has been designed to be easy to use. A programmer will easily be able to add my specifications to his or her Java program, thus benefiting from the strong security guarantees that the language provides.”
The way Paragon works is that you specify how the information that will be accessed by the app should be used, who should be able to use it, and what conditions they should be able to use it under. When the app is compiled, the way it uses information is analysed. If the analysis shows up potential risks, you get a warning error telling you where the weakness lies.
You can read more about how the concept works, along with a lot of interesting analysis of just how you might apply security, in Broberg’s thesis, which is available here in the Gothenburg University Publications Electronic Archive.
Practical, Flexible Programming with Information Flow Control
To be informed about new articles on I Programmer, subscribe to the RSS feed, follow us on Google+, Twitter or Facebook or sign up for our weekly newsletter.