Programming language theoretic security in the realworld: A mirage or the future?

Abstract

The last decade has seen computer security rise from a niche field to a household term. Previously, executive level responses to computer security were disbelief and dismissal, while today the responses are questions of budget and risk. Computer security is a complicated issue with many moving parts and it is difficult to present a coherent view of its issues and problems. We believe that computer security issues have their root in programming languages and language runtime decisions. We argue that computer intrusion, malware, and network security issues all fundamentally arise from tradeoffs made in programming language design and the structure of the benign programs that are exploited. We present a case for addressing fundamental computer security problems at this root, by using advancements in programming language technology. We also present a case against relying on advancements in programming language technology, arguing that even when using the most sophisticated programming language technology available today, attacks are still possible, and that the current state of research is insufficient to guarantee security. We also discuss practical issues relating to the implementation of large-scale reforms in software development based on advancements in programming language technology.