The present application relates to computing and more specifically to software and accompanying systems and methods for enhancing security and associated features of computer programming languages and associated computer programs.
Software security enforcement systems and methods are employed in various demanding applications, including mechanisms for authenticating users for database access; anti-malware technologies for sandboxing untrusted programs; mechanisms for preventing overwriting of critical operating system files; mechanisms for defining unsafe software actions in a given computing environment; and so on. Such applications often demand efficient mechanisms that facilitate specification, implementation, and enforcement of security policies and associated features, and that reduce or minimize the need for software developers to recode programs that may otherwise trigger inadvertent software runtime errors.
Efficient security enforcement mechanisms can be particularly important in enterprise applications that employ software written in Domain Specific Languages (DSLs), e.g., Groovy-based DSLs, where the DSL programs run in a General Purpose Language (GPL) computing environment. In such computing environments, dynamic DSLs are often employed to create special-purpose enterprise applications, modules, or functions that leverage Application Programming Interfaces (APIs) of the host GPL environment to implement the special-purpose functions defined by the DSL code.
The dynamic DSLs may support program runtime behaviors that a conventional static GPL program may allow during program compilation. Such dynamic behaviors may include, for example, modifying the dynamic DSL program during running of the program. However, dynamic DSL programs can present a security challenge when used to bypass security features of the host GPL computing environment using the APIs provided thereby. For example, in certain scenarios, an application developer could use a DSL program to access a private file system accessible to the DSL program via the GPL APIs.
In general, dynamic DSL programs embedded within a GPL environment with access to GPL APIs may be particularly susceptible to bugs or security breaches arising from unsupported use of the DSL and associated GPL APIs.
Conventionally, dynamic security enforcement, i.e., ensuring that a dynamic DSL program is secure and does not perform risky or otherwise undesirable operations (e.g., in violation of a security policy), is performed during execution of the DSL program, i.e., at runtime. However, from a developer perspective, fixing program errors arising during execution of a DSL program can be problematic.
In particular, fixing a dynamic issue may require that an end user of a DSL program file a bug report describing the issue. The developer may then resolve the security issue and then redeploy the code to the running system. However, such runtime resolution of security issues can be problematic or prohibitively expensive. Furthermore, such issues may be visible to end users, resulting in disgruntled customers.