A new computer programming language has been developed that lets coders use domain-specific languages as sub-languages.
Computer scientists at Carnegie Mellon University are developing a language called Wyvern that enables programmers to use the language most appropriate for each function while guarding against code injection attacks, one of the most severe security threats in Web applications today.
Wyvern determines which sublanguage is being used within the program based on the type of data being manipulated. Types specify the format of data, such as alphanumeric characters, floating-point numbers or more complex data structures, such as Web pages and database queries.
The type provides context, enabling Wyvern to identify a sublanguage associated with that type in the same way that a person would realise that a conversation about gourmet dining might include some French words and phrases.
The solution makes it possible to construct programs using a variety of targeted, domain-specific languages, such as SQL for querying databases or HTML for constructing Web pages, rather than writing the entire program using a general purpose language.
“Wyvern is like a skilled international negotiator who can smoothly switch between languages to get a whole team of people to work together," said Jonathan Aldrich, associate professor at Carnegie Mellon's Institute for Software Research.
"Such a person can be extremely effective and, likewise, I think our new approach can have a big impact on building software systems."
By using type-specific languages Wyvern can simplify that task for the programmer, Aldrich said, while also avoiding workarounds that can introduce security vulnerabilities.
One common but problematic practice is to paste together strings of characters to form a command in a specialised language, such as SQL, within a program.
If not done carefully, this practice leaves applications open to two of the most serious security threats on the Web today: SQL injection attacks and cross-site scripting attacks.
"Wyvern would make the use of strings for this purpose unnecessary and thus eliminate all sorts of injection vulnerabilities," Aldrich said.
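The string-pasting problem described above, shown as an added example in Python with SQLite and the standard library rather than in Wyvern (this is not code from the Wyvern project). The unsafe functions build SQL and HTML by concatenating a caller-supplied string; the safe versions beside them use the conventional workarounds, a parameterised query and HTML escaping, which Wyvern's typed sub-languages are meant to make unnecessary. The users table, its two rows and the attack payloads are constructed for the example.

```python
"""Added example (not Wyvern code): pasting untrusted strings into SQL and
HTML, beside the conventional fixes. Standard library only; the table,
rows and payloads below are constructed sample data."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller's string is pasted into the SQL text, so SQL
    metacharacters in `name` rewrite the command instead of being data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes `name` as a bound value, so it
    can never be interpreted as part of the SQL command."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def greeting_unsafe(name: str) -> str:
    """VULNERABLE: untrusted text pasted into HTML is parsed as markup (XSS)."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name: str) -> str:
    """Escape HTML metacharacters so the value can only render as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed SQL injection payload: closes the quoted literal and
    # appends an always-true condition.
    payload = "nobody' OR '1'='1"
    print(find_user_unsafe(db, payload))  # both users: the WHERE clause was rewritten
    print(find_user_safe(db, payload))    # []: no user has that literal name
    # Constructed XSS payload.
    xss = "<script>alert(1)</script>"
    print(greeting_unsafe(xss))  # script tag reaches the browser intact
    print(greeting_safe(xss))    # rendered as harmless text
```

Run stand-alone, the unsafe lookup returns both users for the injection payload while the parameterised lookup returns none; the unsafe greeting emits the script tag verbatim while the escaped one turns its angle brackets into entities. The underlying cause in both cases is the same one the article identifies: a string is being used to carry a command in another language, and nothing in the host language knows where the data ends and the SQL or HTML begins.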
Previous attempts to develop programming languages that could understand other languages have faced trade-offs between composability and expressiveness; they were either limited in their ability to unambiguously determine which embedded language was being used, or limited in which embedded languages could be used.
"With Wyvern, we're allowing you to use these languages, and define new ones, without worrying about composition," said Cyrus Omar, a PhD student in the Computer Science Department and the lead designer of Wyvern's type-specific language approach.
Wyvern is not yet fully engineered, Omar noted, but is an open source project that is ready for experimental use by early adopters. More information on the Wyvern programming language is available here.