Insecure programming: how culpable is a language's syntax

Abstract

Vulnerabilities in software stem from poorly written code by programmers who are not aware of its security implications, or from inadvertent errors that may have crept in. Writing secure code is largely a software engineering issue requiring the education of programmers about safe coding practices. Various projects and efforts such as memory usage profiling, meta-compilation and typing proofs that check correctness of the code at compile-time and runtime provide additional assistance in this regard. In this paper, we point out that in the context of security, one aspect that is perhaps underrated or overlooked is that errors could arise due to the syntax of a programming language. We show that it is possible to make very subtle errors with serious consequences. Our work will help caution programmers on the types of errors to avoid as well as serve as a guideline for language designers to lay emphasis not only on richness of language features but also the syntax of the language.
