[PRL] A type-based solution to the "strings problem":
Mitchell Wand
wand at ccs.neu.edu
Thu Oct 19 20:17:29 EDT 2006
--Perhaps a fitting follow-up to yesterday's talk by Cormac... --Mitch
A type-based solution to the "strings problem": a fitting end to XSS
and SQL-injection holes?
by Tom Moertel
http://blog.moertel.com/articles/2006/10/18/a-type-based-solution-to-the-strings-problem
First few paras....
Even skilled programmers have a hard time keeping their web
applications free of XSS and SQL-injection vulnerabilities. And it
shows: a sobering portion of web sites are open to some scary security
threats.
Why are so many sites vulnerable to these well-known holes? Probably
because it's insanely hard for programmers to solve the fundamental
"strings problem" at the heart of these vulnerabilities. The problem
itself is easy to understand, but we humans aren't equipped to carry
out the solution. Simply put, we just plain suck at keeping a
bazillion different strings straight in our heads, let alone
consistently and reliably rendering their interactions safe whenever
they cross paths in a modern web application. It's easy to say, "just
escape the little buggers," but it's hard to get it right, every
single time.
Computers, on the other hand, are pretty good at keeping track of
details by the bucket-full. Wouldn't it be nice, then, if our
programming languages gave us the power to delegate this nasty
"strings problem" to our computers, which could then devote their
unwavering mechanical precision to grinding the problem out of
existence? Isn't that the kind of thing modern programming languages
are supposed to be good at?
I'd like to think the answer to that question is a big, you betcha.
So let's grab a modern programming language and solve the strings problem.
Let's solve the strings problem in Haskell
A type-based solution to the "strings problem": a fitting end to XSS
and SQL-injection holes?
Posted by Tom Moertel 10 hours ago
Even skilled programmers have a hard time keeping their web
applications free of XSS and SQL-injection vulnerabilities. And it
shows: a sobering portion of web sites are open to some scary security
threats.
Why are so many sites vulnerable to these well-known holes? Probably
because it's insanely hard for programmers to solve the fundamental
"strings problem" at the heart of these vulnerabilities. The problem
itself is easy to understand, but we humans aren't equipped to carry
out the solution. Simply put, we just plain suck at keeping a
bazillion different strings straight in our heads, let alone
consistently and reliably rendering their interactions safe whenever
they cross paths in a modern web application. It's easy to say, "just
escape the little buggers," but it's hard to get it right, every
single time.
Computers, on the other hand, are pretty good at keeping track of
details by the bucket-full. Wouldn't it be nice, then, if our
programming languages gave us the power to delegate this nasty
"strings problem" to our computers, which could then devote their
unwavering mechanical precision to grinding the problem out of
existence? Isn't that the kind of thing modern programming languages
are supposed to be good at?
I'd like to think the answer to that question is a big, you betcha.
So let's grab a modern programming language and solve the strings problem.
Let's solve the strings problem in Haskell....
..rest at http://blog.moertel.com/articles/2006/10/18/a-type-based-solution-to-the-strings-problem
More information about the PRL
mailing list