A few days ago, I had a nice idea on how to build a programming language which can handle input in different ways for different users.
Let’s start at the beginning of my idea. Think about a web application like a blog, where the admin should be able to add content which is formatted through HTML, or even add script code to the content, for example JavaScript. Now you don’t only have the admin who writes new content; you also have the visitors of the blog, who can post their comments, and here the problem starts. The visitors should be able to post hyperlinks, for example, or write some text in a bold font, but how is it possible to keep the visitor under control?
In the case I described above, this is not that hard to manage, because you can set some filters, and if they’re good enough you can protect your stuff. But think ahead. For example, in your admin area you also send some variables to the server, and the only protection you have is the filters in your web application or in your application firewall. Now, what’s the problem with this? Have a look at the following example.

If you’re an admin, you can search the content you wrote with a function which sends a request like /search.php?string=test. OK, now what happens if a normal user, who shouldn’t be able to search anything, sends this request? If your session management is OK, he’s not able to search, but it could still be that he can inject code or something like that through such a request. Wouldn’t it be great if you could define for each function in your code who can use it and in which way, and also, for example, set different regular expressions as filters for different types of users?

My idea now is to have a modular language which has a role concept that is included in every piece of your application. The following graphic should illustrate my idea:

[Image: Structure]
I know it’s not so easy to understand, but the basic idea should be clear: the developer can define who can do what and when, and he can also set defaults for each function or globally. The big difference from normal session-based control is that there you have to check whether the session owner is authorized to do something, and when you forget that check somewhere it can be very dangerous for your application. In this programming language with its own role model, nobody can do anything without being in a group which can access a specific functionality.

For example, a normal user automatically gets the status of a default user. The default user is part of the default group, and the default rule set belongs to the default group. Now think of the following two functions:

function a (*, var1, var2) {
    // A function which can be used by any user.
}

function b (admins, var1, var2) {
    // A function which can only be used by administrators.
}

As you see, you can make mistakes in implementing functionality without having vulnerabilities, because the “vulnerable” functions can only be accessed by people who are allowed to do so. This doesn’t mean that you don’t have to care about your code, but it eliminates many security risks, including some which have to do with processes.
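The role concept described above can be approximated in an existing language. The following Python sketch is an added example, not code from the original post: the decorator `role`, the entry point `call`, the registry and the two regular expressions are assumptions made for illustration.

```python
import re
from functools import wraps

class AccessDenied(Exception):
    """The caller's group has no rule for the requested function."""

class InputRejected(Exception):
    """An argument does not match the filter assigned to the caller's group."""

# Constructed rule sets: one regular expression per group.
DEFAULT_RULE = re.compile(r"[\w .-]{1,64}")        # plain text only
ADMIN_RULE = re.compile(r"[^\x00-\x1f]{1,256}")    # markup allowed, no control chars

REGISTRY = {}  # only functions declared with @role are reachable at all

def role(rules):
    """rules maps a group name (or "*" for any group) to its input filter."""
    def decorate(func):
        @wraps(func)
        def guarded(group, *args):
            rule = rules.get(group, rules.get("*"))
            if rule is None:
                raise AccessDenied(f"{group!r} may not call {func.__name__}")
            for value in args:
                if not isinstance(value, str) or not rule.fullmatch(value):
                    raise InputRejected(f"{func.__name__}: {value!r}")
            return func(*args)
        REGISTRY[func.__name__] = guarded
        return guarded
    return decorate

def call(group, name, *args):
    """Single entry point: a function without a role declaration fails closed."""
    if name not in REGISTRY:
        raise AccessDenied(f"{name!r} has no role declaration")
    return REGISTRY[name](group, *args)

@role({"*": DEFAULT_RULE, "admins": ADMIN_RULE})
def a(var1, var2):           # usable by any group, each with its own filter
    return f"a:{var1}:{var2}"

@role({"admins": ADMIN_RULE})
def b(var1, var2):           # usable by administrators only
    return f"b:{var1}:{var2}"

def forgotten(var1):         # no @role: unreachable through call()
    return var1
```

A function the developer forgot to annotate is refused by `call` instead of being exposed, which is the difference from per-handler session checks that the post points out.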

Now of course you’ll ask when I’m going to release this programming language, but I have to say that I’m not planning to do so. Not because I think that it wouldn’t work, of course not, but because I think that I’m not the guy who’s able to build such a language, and even then I wouldn’t have the time to do it. So if someone is interested in the idea, don’t hesitate to ask some more questions.

PS: Of course it would also be possible to implement such functionality in an already existing programming language, but I think this makes no sense, because the core would then never be based on the concept.


2 Comments to “Programming Language with Role Concept”  

  1. Norbert

    This exists already, if I understand what you mean.

    Have a look at the Zope API – http://wiki.zope.org/zope2/APIReference

    The ability to interact with objects is dependent on which role a particular user has. How restrictions / permission errors are handled is imo up to whoever does the implementation, i.e.

    user: Joe – manager role: may view, add, delete, modify, publish, unpublish documents
    user: Bob – moderator role: may (add, delete, modify) only in his home directory and subtree and may view, modify and (un)publish any private or public documents that are owned by authorized users and moderators
    users: Jane, Jake – registered users: may (add, delete, modify) only in their own home directory and subtree and may submit their documents for publishing, may view any published document
    anonymous users: may view any published document.

    Example from how this is implemented in Zope’s Content Management Framework:

    The manage_editDocument is available only to users who have the ModifyPortalContent permission. This
    permission can be granted based on a combination of user’s roles, as well as context. Roles can be acquired
    by objects further down the document tree…

    # Fragment of a class body; `security` is the class-level security declaration object.
    security.declareProtected(ModifyPortalContent, 'manage_editDocument')
    def manage_editDocument(self, text, text_format, file='', REQUEST=None):
        """ A ZMI (Zope Management Interface) level editing method """
        Document.edit(self, text_format=text_format, text=text, file=file)
        if REQUEST is not None:
            # Redirect back to the edit tab with a status message.
            REQUEST['RESPONSE'].redirect(
                self.absolute_url()
                + '/manage_edit'
                + '?manage_tabs_message=Document updated'
            )

  2. Jungsonn

    It looks a bit like an idea I had (and still have); I made a post about it on my blog a while back. Though my approach is to build a secure ‘kernel’, a web application kernel so to say, and outside applications which are not standalone, or cannot operate standalone. This would fix many security issues. Interesting to see that you are also thinking of ways around the current issues. Keep it up, nice blog!
