Author Archives: Michael Hicks

by | July 9, 2014 · 1:02 pm

Why are some languages adopted and others aren’t?

In my last article I discussed how the failure to find the Heartbleed bug sooner was in some sense a failure to refine or deploy what is otherwise effective technology for static analysis. In particular, commercial static analysis tools purposely will ignore potential bugs so as to avoid reporting too many false alarms, i.e., favoring completeness over soundness. The companies that make these tools aim to provide a profitable service to a broad market, and their own investigations indicate soundness is not important for sales. Instead, to be viable, tools must help developers find real, important bugs efficiently, and not necessarily every bug. A challenge to researchers is to find ways to push the business proposition back toward soundness while retaining efficiency (and other desirable criteria); Andy Chou’s POPL’14 keynote outlines other useful challenges.

While Heartbleed is ostensibly about the adoption and improvement of static analysis, in this article I explore the related question of fostering the adoption of programming languages. I summarize impressive research by Leo Meyerovich and Ariel Rabkin on adoption research questions and adoption practices that appeared at OOPSLA’12 and OOPSLA’13, respectively. I think there are some interesting results here, with implications for improving the adoption of languages. Their results also raise new questions for further research (but too late for yesterday’s POPL deadline — good luck to all submitters!).

Continue reading

26 Comments

Filed under Language adoption, PL in practice

Tagged as , , ,

by | July 1, 2014 · 10:56 am

How did Heartbleed remain undiscovered, and what should we do about it?

It was recently reported that the Heartbleed OpenSSL bug has still not been patched on over 300,000 servers. This is down from 600,000 that were discovered two months ago, when the bug was first publicized. Add to this delay the nearly two years that the bug went undetected, and that’s a lot of exposure.

In this blog post, I wonder about how programming languages and tools might have played a role in finding Heartbleed before it got into production code. Then I explore possible approaches to improving this state of the affairs. I welcome your thoughts and ideas! Continue reading

14 Comments

Filed under Formal verification, Software Security

by | June 23, 2014 · 8:25 am

ADS, generically, part II

This post is the second part of a post on using ideas from programming languages to assist the design of authenticated data structures (ADSs). I will describe a small programming language extension for building ADSs that I co-developed with Andrew Miller, Jonathan Katz, and Elaine Shi, called LambdaAuth. A paper on this language was presented at POPL’14 and the implementation is freely available.

As a word of warning, this post goes into some technical detail. The goal of doing so is to make, in detail, a general point: programming language researchers’ focus on ways of programming (often embodied as language features, patterns, transformations, or analyses), rather than particular programs, yields broadly applicable results, extending outside of the motivating examples or domain. In this case, LambdaAuth embodies a simple mechanism for programming any authenticated data structure, not just one particular kind.

Continue reading

Leave a Comment

Filed under Secure computation, Software Security, Uncategorized

by | June 11, 2014 · 7:04 am

Authenticated Data Structures (Generically)

This blog post is the first in my series on secure computation and will be presented in two parts. It briefly introduces some work my collaborators and I published this year, which illustrates a pleasant application of programming languages ideas to cryptographic computation.

In particular, we develop a general-purpose technique for programming authenticated data structures (ADSs) (an idea that this post will introduce). Our approach is implemented as a small extension to a general-purpose programming language. With this extension, we can establish security by typing: any type-correct program (which is a data structure implementation) implemented in our language will be secure. Thus we perform the proof once and for all, for all possible data structures, rather than having to prove security for each variation. Our approach exploits the compositional nature at the core of formal PL semantics and type systems to factor out the tedious part (the data structure logic) to focus on the security-relevant part (the use of cryptographic primitives). The proof ends up being pleasingly straightforward. The idea of security by typing is a powerful one that shows up frequently in PL-inspired work on security.

The remainder of this post — part 1 — introduces the idea of ADSs and why we want general-purpose support for them. The PL ideas show up in part 2, which will introduce our approach for building ADSs.

Continue reading

5 Comments

Filed under Secure computation

Tagged as

by | June 6, 2014 · 5:06 pm

Securing computation

This post is the introduction of a series that discusses research bringing together ideas from the Programming Languages and Cryptography (Crypto) communities. The combination of ideas aims to produce secure computation technologies that are easier to use efficiently in a general-purpose setting, and easier to reason about, than when applying the Crypto ideas directly. My next post will be on work I’ve recently published in this area in collaboration with colleague cryptographers. Subsequent posts will consider other areas of interesting research (mostly not mine).

Continue reading

1 Comment

Filed under Secure computation

Tagged as

by | June 4, 2014 · 6:20 am

Build-it, Break-it, Fix-it Programming Contest

Starting on August 28, Maryland is hosting an on-line, security-minded programming contest that we call Build-it, Break-it, Fix-it. If you are a graduate or undergraduate student at a US-based University, I encourage you to sign up – you could win significant prizes! Otherwise, please encourage students you know to participate.

The contest web site, with details about the event, is https://builditbreakit.org/

The subject of this blog post is a bit more about the contest, but primarily it is about our motivation for running it and what it has to do with programming languages. Continue reading

8 Comments

Filed under Software Security

Tagged as

by | June 2, 2014 · 7:53 am

Welcome to the PL Enthusiast!

Welcome to our blog about research and developments in programming languages (PL) and their applications and connections to areas across science and technology!

We are Michael Hicks and Swarat Chaudhuri, professors in computer science at the University of Maryland and Rice University, respectively, and we both have a great passion for programming languages.

More about our background and the goals and origins of this blog are explained on the About page.

We are now working on a series of posts across several threads:

  • The role of PL in computer security
  • Comparing PL theory and theory developed in the Algorithms community
  • How PL can help us think about machine learning
  • Highlights and tutorials on emerging programming languages

Stay tuned to this space; we look forward to your comments and contributions!

 

6 Comments

Filed under Uncategorized