[PRL] A type-based solution to the "strings problem":

Matthias Felleisen matthias at ccs.neu.edu
Thu Oct 19 22:30:58 EDT 2006


How about pushing the Herman-Meunier approach? I thought there was a  
promising dissertation seed in there. -- Matthias




On Oct 19, 2006, at 8:17 PM, Mitchell Wand wrote:

> --Perhaps a fitting follow-up to yesterday's talk by Cormac...  -- 
> Mitch
>
> A type-based solution to the "strings problem": a fitting end to XSS
> and SQL-injection holes?
>
> by Tom Moertel
>
> http://blog.moertel.com/articles/2006/10/18/a-type-based-solution-to-the-strings-problem
>
> First few paras....
>
> Even skilled programmers have a hard time keeping their web
> applications free of XSS and SQL-injection vulnerabilities. And it
> shows: a sobering portion of web sites are open to some scary security
> threats.
>
> Why are so many sites vulnerable to these well-known holes? Probably
> because it's insanely hard for programmers to solve the fundamental
> "strings problem" at the heart of these vulnerabilities. The problem
> itself is easy to understand, but we humans aren't equipped to carry
> out the solution. Simply put, we just plain suck at keeping a
> bazillion different strings straight in our heads, let alone
> consistently and reliably rendering their interactions safe whenever
> they cross paths in a modern web application. It's easy to say, "just
> escape the little buggers," but it's hard to get it right, every
> single time.
>
> Computers, on the other hand, are pretty good at keeping track of
> details by the bucket-full. Wouldn't it be nice, then, if our
> programming languages gave us the power to delegate this nasty
> "strings problem" to our computers, which could then devote their
> unwavering mechanical precision to grinding the problem out of
> existence? Isn't that the kind of thing modern programming languages
> are supposed to be good at?
>
> I'd like to think the answer to that question is a big, you betcha.
>
> So let's grab a modern programming language and solve the strings  
> problem.
> Let's solve the strings problem in Haskell
>
> ..rest at http://blog.moertel.com/articles/2006/10/18/a-type-based-solution-to-the-strings-problem
>
> _______________________________________________
> PRL mailing list
> PRL at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/prl
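As an added illustration of the "typed strings" idea the forwarded title names (this is not Moertel's Haskell code from the linked post; the names `Html`, `escape`, `trusted`, `greeting_page` and `is_safe_input` are chosen here), the XSS half of the problem: untrusted text can become markup only by passing through one escaping function, so a forgotten escape is rejected as a type mismatch instead of shipping as a hole.

```python
"""Typed strings for HTML output: raw str and safe markup are distinct types.

Added illustration of the type-based approach, not code from the blog post.
Enforcement here is at runtime (isinstance); with the annotations below a
static checker such as mypy reports the same misuse before the code runs.
"""
from __future__ import annotations

import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Html:
    """Markup that is already safe to emit.

    Only escape() (data) and trusted() (programmer-written literals) build it,
    so every Html value has passed the escaping boundary exactly once.
    """
    text: str

    def __add__(self, other: "Html") -> "Html":
        # A bare str cannot be concatenated in; it must be escaped first.
        if not isinstance(other, Html):
            raise TypeError("cannot mix raw str into Html; call escape() first")
        return Html(self.text + other.text)


def escape(untrusted: str) -> Html:
    """The single boundary where raw input becomes markup (escapes & < > \" ')."""
    return Html(html.escape(untrusted, quote=True))


def trusted(literal: str) -> Html:
    """For markup the programmer wrote in source, never for request data."""
    return Html(literal)


def is_safe_input(value: object) -> bool:
    """True only for values that already passed the escaping boundary."""
    return isinstance(value, Html)


def greeting_page(name: Html) -> str:
    """Renders a page; accepts only Html, so callers cannot forget to escape."""
    if not is_safe_input(name):
        raise TypeError("greeting_page needs Html, got raw str")
    return (trusted("<p>Hello, ") + name + trusted("!</p>")).text


if __name__ == "__main__":
    # Constructed sample input standing in for a query parameter.
    print(greeting_page(escape("<script>alert(1)</script>")))
```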



