Method for static security enforcement of a DSL
Abstract
An example system and method for securing computer code of a dynamic Domain Specific Language (DSL) that leverages a General Purpose Language (GPL). An example method includes enhancing compile-time security enforcement functionality for computer code written using the DSL, in part by using a compiler to perform static analysis on the DSL computer code. The static analysis includes referencing a security policy defining one or more unacceptable program behaviors; and indicating when execution of the computer code would result in performance of the one or more unacceptable program behaviors based on results of the static analysis.
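The compile-time check described in the abstract, sketched as an added example that is not part of the patent text or any implementation of it. It assumes Python as the host GPL with its `ast` module standing in for the compiler's syntax tree; the policy contents and the names `POLICY`, `PolicyChecker`, `compile_dsl` and `check` are hypothetical. Every expression node is visited and compared against the policy, and the first disallowed node stops compilation with an error before any bytecode exists.

```python
import ast

# Constructed policy metadata (hypothetical): what a DSL expression may touch.
POLICY = {
    "names": {"order", "customer", "round", "min", "max"},
    "attributes": {"total", "discount", "region"},
    "calls": {"round", "min", "max"},
}
# Expression node kinds the DSL may contain at all; anything else is denied.
ALLOWED_EXPR = (ast.Name, ast.Attribute, ast.Call, ast.Constant, ast.BinOp,
                ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp)

class PolicyViolation(SyntaxError):
    """Compile-time rejection: raised before any bytecode is produced."""

class PolicyChecker(ast.NodeVisitor):
    policy = POLICY  # plays the role of the compile context

    def _fail(self, node, what):
        raise PolicyViolation(
            f"{node.lineno}:{node.col_offset}: {what} is not permitted by policy")

    def visit(self, node):
        # Every node passes through here, so unknown expression kinds are denied.
        if isinstance(node, ast.expr) and not isinstance(node, ALLOWED_EXPR):
            self._fail(node, f"expression kind {type(node).__name__}")
        return super().visit(node)

    def visit_Name(self, node):
        if node.id not in self.policy["names"]:
            self._fail(node, f"name '{node.id}'")

    def visit_Attribute(self, node):
        if node.attr not in self.policy["attributes"]:
            self._fail(node, f"attribute '{node.attr}'")
        self.generic_visit(node)  # also check the receiver expression

    def visit_Call(self, node):
        # Only direct calls to allowlisted functions; no method or computed calls.
        if not (isinstance(node.func, ast.Name)
                and node.func.id in self.policy["calls"]):
            self._fail(node, "call target")
        self.generic_visit(node)

def compile_dsl(source):
    tree = ast.parse(source, mode="eval")
    PolicyChecker().visit(tree)  # raises PolicyViolation on the first bad node
    return compile(tree, "<dsl>", "eval")

def check(source):
    """Return None if the source compiles, else the compiler error text."""
    try:
        compile_dsl(source)
    except PolicyViolation as err:
        return str(err)
```

The allowlist of node kinds matters as much as the name and attribute lists: a checker that only inspects the node kinds it knows about silently accepts every construct it was never taught.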
19 Claims
1. A method for securing computer code, the method comprising:
- receiving the computer code, wherein the computer code is written using a dynamic Domain Specific Language (DSL) running in a General Purpose Language (GPL) computing environment;
- using a compiler to perform static analysis on the computer code, the static analysis including referencing a security policy defining one or more unacceptable program behaviors;
- performing, during compile time at the compiler, runtime security checking functionality leveraging compiler extensions, type information, and environment specific compile context;
- indicating when execution of the computer code would result in performance of the one or more unacceptable program behaviors based on results of the static analysis, wherein the one or more unacceptable program behaviors include modifying preexisting computer code to incorporate the computer code written using the DSL;
- accessing a predefined compile context for the DSL, wherein the compile context accessible by the compiler and used by the compiler to access metadata included in the security policy and applicable to the DSL, wherein the compiler is adapted to visit all expression nodes in a syntax tree associated with the computer code written using the DSL;
- using the compile context, on visit of an expression node of the syntax tree, to determine if the expression node is secure; and
- if access to a computing object associated with the expression node is not secure, then;
- terminating compilation of the computer code written using the DSL and displaying a compiler error message.
Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
18. An apparatus comprising:
- a processor-readable storage device including one or more instructions;
- a digital processor coupled to a display and to the processor-readable storage device, wherein the digital processor executes the one or more instructions to perform the following acts;
- receiving computer code, wherein the computer code is written using a dynamic Domain Specific Language (DSL) running in a General Purpose Programming Language (GPL) computing environment;
- using a compiler to perform static analysis on the computer code, the static analysis including referencing a security policy defining one or more unacceptable program behaviors;
- performing, during compile time at the compiler, runtime security checking functionality leveraging compiler extensions, type information, and environment specific compile context;
- indicating when execution of the computer code would result in performance of the one or more unacceptable program behaviors based on results of the static analysis, wherein the one or more unacceptable program behaviors include modifying preexisting computer code to incorporate the computer code written using the DSL;
- accessing a predefined compile context for the DSL, wherein the compile context accessible by the compiler and used by the compiler to access metadata included in the security policy and applicable to the DSL, wherein the compiler is adapted to visit all expression nodes in a syntax tree associated with the computer code written using the DSL;
- using the compile context, on visit of an expression node of the syntax tree, to determine if the expression node is secure; and
- if access to a computing object associated with the expression node is not secure, then;
- terminating compilation of the computer code written using the DSL and displaying a compiler error message.
19. A processor-readable storage device including instructions when executed by a digital processor, the processor-readable storage device including one or more instructions for:
- receiving computer code, wherein the computer code is written using a dynamic Domain Specific Language (DSL) running in a General Purpose Programming Language (GPL) computing environment;
- using a compiler to perform static analysis on the computer code, the static analysis including referencing a security policy defining one or more unacceptable program behaviors;
- performing, during compile time at the compiler, runtime security checking functionality leveraging compiler extensions, type information, and environment specific compile context;
- indicating when execution of the computer code would result in performance of the one or more unacceptable program behaviors based on results of the static analysis, wherein the one or more unacceptable program behaviors include modifying preexisting computer code to incorporate the computer code written using the DSL;
- accessing a predefined compile context for the DSL, wherein the compile context accessible by the compiler and used by the compiler to access metadata included in the security policy and applicable to the DSL, wherein the compiler is adapted to visit all expression nodes in a syntax tree associated with the computer code written using the DSL;
- using the compile context, on visit of an expression node of the syntax tree, to determine if the expression node is secure; and
- if access to a computing object associated with the expression node is not secure, then;
- terminating compilation of the computer code written using the DSL and displaying a compiler error message.
Specification