New programming language accommodatesmultiple languages in same program7 August 2014

Computer scientists at Carnegie Mellon Universityhave designed a way to safely use multipleprogramming languages within the same program,enabling programmers to use the language mostappropriate for each function while guardingagainst code injection attacks, one of the mostsevere security threats in Web applications today.

A research group led by Jonathan Aldrich,associate professor in the Institute for SoftwareResearch (ISR), is developing a programminglanguage called Wyvern that makes it possible toconstruct programs using a variety of targeted,domain-specific languages, such as SQL forquerying databases or HTML for constructing Webpages, as sublanguages, rather than writing theentire program using a general purpose language.

Wyvern determines which sublanguage is beingused within the program based on the type of datathat the programmer is manipulating. Types specifythe format of data, such as alphanumericcharacters, floating-point numbers or morecomplex data structures, such as Web pages anddatabase queries.

The type provides context, enabling Wyvern toidentify a sublanguage associated with that type inthe same way that a person would realize that aconversation about gourmet dining might includesome French words and phrases, explainedJoshua Sunshine, ISR systems scientist.

"Wyvern is like a skilled international negotiatorwho can smoothly switch between languages toget a whole team of people to work together,"Aldrich said. "Such a person can be extremelyeffective and, likewise, I think our new approachcan have a big impact on building softwaresystems."

Many programming tasks can involve multiplelanguages; when building a Web page, forinstance, HTML might be used to create the bulk of

the page, but the programmer might also includeSQL to access databases and JavaScript to allowfor user interaction. By using type-specificlanguages, Wyvern can simplify that task for theprogrammer, Aldrich said, while also avoidingworkarounds that can introduce securityvulnerabilities.

One common but problematic practice is to pastetogether strings of characters to form a command ina specialized language, such as SQL, within aprogram. If not implemented carefully, however,this practice can leave computers vulnerable to twoof the most serious security threats on the Webtoday—cross-site scripting attacks and SQL injectionattacks. In the latter case, for instance, someonewith knowledge of computer systems could use alogin/password form or an order form on a Web siteto type in a command to DROP TABLE that couldwipe out a database.

"Wyvern would make the use of strings for thispurpose unnecessary and thus eliminate all sorts ofinjection vulnerabilities," Aldrich said.

Previous attempts to develop programminglanguages that could understand other languageshave faced tradeoffs between composability andexpressiveness; they were either limited in theirability to unambiguously determine whichembedded language was being used, or limited inwhich embedded languages could be used.

"With Wyvern, we're allowing you to use theselanguages, and define new ones, without worryingabout composition," said Cyrus Omar, a Ph.D.student in the Computer Science Department andthe lead designer of Wyvern's type-specificlanguage approach.

Wyvern is not yet fully engineered, Omar noted, butis an open source project that is ready forexperimental use by early adopters. Moreinformation is available at

1 / 2

http://www.cs.cmu.edu/~aldrich/wyvern/.

More information: A research paper, "SafelyComposable Type-Specific Languages," by Omar,Aldrich, Darya Kurilova, Ligia Nistor and BenjaminChung of CMU and Alex Potanin of VictoriaUniversity of Wellington, recently won adistinguished paper award at the EuropeanConference on Object-Oriented Programming inUppsala, Sweden.

Provided by Carnegie Mellon UniversityAPA citation: New programming language accommodates multiple languages in same program (2014,August 7) retrieved 26 November 2018 from https://phys.org/news/2014-08-language-accommodates-multiple-languages.html

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, nopart may be reproduced without the written permission. The content is provided for information purposes only.

Powered by TCPDF (www.tcpdf.org)

2 / 2