Insecure programming: How culpable is a language's syntax?

IEEE Systems, Man and Cybernetics Society Information Assurance Workshop

Volumn , Issue , 2003, Pages 158-163

  Chinchani, R ^a   Iyer, A ^a   Jayaraman, B ^a   Upadhyaya, S ^a  

^a SUNY ^*  (United States)

Author keywords

Computer errors; Computer languages; Computer science; Computer security; Creep; Data security; Java; Programming profession; Runtime; Writing

Indexed keywords

CODES (SYMBOLS); COMPUTATIONAL LINGUISTICS; COMPUTER PROGRAMMING; COMPUTER PROGRAMMING LANGUAGES; COMPUTER SCIENCE; CREEP; CYBERNETICS; ERRORS; SECURITY OF DATA; SEMANTICS; SOFTWARE ENGINEERING; SYNTACTICS; TECHNICAL WRITING;

COMPUTER ERRORS; JAVA; LANGUAGE FEATURES; MEMORY USAGE; PROGRAMMING PROFESSION; RUNTIMES; SECURITY IMPLICATIONS; SEMANTIC DIFFERENCE;

JAVA PROGRAMMING LANGUAGE;

EID: 84946417213     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SMCSIA.2003.1232415     Document Type: Conference Paper

References (23)

1. A. One, "Smashing the Stack for Fun and Profit." Phrack 49, Vol. 7, Issue 49, November 1996.
2. "Wu-Ftpd File Globbing Heap Corruption Vulnerability," 2001. http://www.securiteam.com/unixfocus/6U00V0035Q.html.
3. D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken, "A First Step towards Automated Detection of Buffer Overrun Vulnerabilities," in Network and Distributed System Security Symposium, (San Diego, CA), pp. 3-17, February 2000.
4. C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," in 7th USENIX Security Symposium, (San Antonio, TX), January 1998.
5. C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier, "FormatGuard: Automatic Protection From printf Format String Vulnerabilities " in 10th USENIX Security Symposium, (Washington DC), August 2001.
6. M. Brader, "Fortran Story - The Real Scoop." Forum on Risks to the Public in Computer and Related Systems, Vol. 9 #54, ACM Committee on Computers and Public Policy, 1989.
7. "Trusted computer security evaluation criteria," DOD 5200.28-STD, 1985.
8. J. Jfurjens, "Towards development of secure systems using UML," in Fundamental Approaches to Software Engineering (FASEiETAPS, International Conference) (H. HutJmann, ed.), LNCS, Springer, 2001.
9. G. Kiczales. J. Lamping, A. Menhdhekar, C. Maeda, C. Lopes, J.-M. Loingtier, and J. Irwin, "Aspect-oriented programming," in Proceedings European Conference on Object-Oriented Programming, vol. 1241, pp. 220-242, Berlin, Heidelberg, and New York: Springer-Verlag, 1997.
10. P. T. Devanbu and S. G. Stubblebine, "Software engineering for security: a roadmap," in ICSE - Future of SE Track, pp. 227-239, 2000.
11. I. Jacobson, M. Griss, and P. Jonsson, "Software reuse: Architecture, process and organization for business reuse," 1997.
12. M. Felleisen, "On the expressive power of programming languages," in ESOP '90 3rd European Symposium on Programming, Copenhagen, Denmark (N. Jones, ed.), vol. 432, pp. 134-151, New York, N.Y.: Springer-Verlag, 1990.
13. L. Prechelt, "An empirical comparison of seven programming languages," Computer, vol. 33, no. 10, pp. 23-29, 2000.
14. D. Kozen, "Language-based security," in Mathematical Foundations of Computer Science, pp. 284-298, 1999.
15. D. M. Volpano and G. Smith, "A type-based approach to program security," in TAPSOFT, pp. 607-621, 1997.
16. F. B. Schneider, G. Morrisett, and R. Harper, "A language-based approach to security," Lecture Notes in Computer Science, vol. 2000, pp. 86-??, 2001.
17. R. Wagner and M. Fischer, "The string-to-string correction problem," Journal of the ACM (JACM), vol. 21, no. 1, pp. 168-173, 1974.
18. R. Baeza-Yates and G. Navarro, "Fast approximate string matching in a dictionary," in String Processing and Information Retrieval, pp. 14-22, 1998.
19. E. S. Ristad and P. N. Yianilos, "Learning string-edit distance," IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 20, no. 5, pp. 522-532, 1998.
20. G. Lyon, "Syntax-directed least-errors analysis for context-free languages: a practical approach," Communications of the ACM, vol. 17, no. 1, pp. 3-14, 1974.
21. S. Graham and S. Rhodes, "Practical syntactic error recovery," Communications of the ACM, vol. 18, pp. 639-650, November 1975.
22. G. C. Necula, "Proof-Carrying Code," in Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Langauges (POPL '97), (Paris), pp. 106-119, Jan. 1997.
23. G. Smith, "A new type system for secure information flow," in CSFW14, IEEE Computer Society Press, Jun 2001.