It's Time for Secure Languages
Director of Oracle Labs Australia
COM2 Level 4
Executive Classroom, COM2-04-02
Abstract:
In the cloud world, the attack surface for an application is much larger than in an on-premise deployment. Current commonly used languages provide limited support for security - over the past 20 years we have gone from 25 exploited vulnerabilities reported worldwide to 6,000+ reported on a year by year basis. What's most alarming is that the top two vulnerabilities, buffer overflows and injections, have been known for over 15+ years, and most popular languages used today in the cloud do not provide security support for these issues; i.e., applications written in these languages are prone to attacks due to inadvertent vulnerabilities written into the code by developers. As developers, it's time to start using more secure languages in our applications.
In this talk, I'll summarise data on vulnerabilities during the past 5 years to explain why the need for secure languages. I'll review the systems programming language Rust and it's static language support for memory safety. I'll discuss first steps by others in migrating parts of their C-based code to Rust, along with our experiences in porting the non-volatile memory library to Rust. I'll review Perl and Ruby from the point of view of preventing injection attacks. I'll also describe the concept of policy-agnostic programming, a new paradigm that prevents information leak attacks. With cloud deployments being the bread and butter in upcoming years, it's time for a change; we need to start using more secure languages in our code development practices.
Biodata:
Cristina is the Director of Oracle Labs Australia and an Architect at Oracle. Headquartered in Brisbane, the Lab focuses on Program Analysis as it applies to finding vulnerabilities in software and enhancing the productivity of developers worldwide.
Prior to founding Oracle Labs Australia, Cristina was the Principal Investigator of the Parfait bug tracking project at Sun Microsystems, then Oracle. Today, Oracle Parfait has become the defacto tool used by thousands of Oracle developers for bug and vulnerability detection in real-world, commercially sized C/C++/Java applications. Parfait's success is founded on the pioneering work in advancing static program analysis techniques by Cristina's team of Researchers and Engineers at Oracle Labs Australia.
Cristina's passion for tackling the big issues in the field of Program Analysis began with her doctoral work in binary decompilation at Queensland's University of Technology. In an interview with Richard Morris for Geek of the Week, Cristina talks about Parfait, Walkabout and her career journey in this field.
Before she joined Oracle and Sun Microsystems, Cristina held teaching posts at major Australian Universities, co-edited Going Digital, a landmark book on cybersecurity, and served on the executive committees of ACM SIGPLAN and IEEE Reverse Engineering.
Cristina continues to play an active role in the international programming language, compiler construction and software security communities. On the weekends, she channels her interests into mentoring young programmers through the CoderDojo network.