What is a Secure Programming Language?

Authors Cristina Cifuentes, Gavin Bierman

Thumbnail PDF


  • Filesize: 489 kB
  • 15 pages

Document Identifiers

Author Details

Cristina Cifuentes
  • Oracle Labs, Australia
Gavin Bierman
  • Oracle Labs, UK

Cite AsGet BibTex

Cristina Cifuentes and Gavin Bierman. What is a Secure Programming Language?. In 3rd Summit on Advances in Programming Languages (SNAPL 2019). Leibniz International Proceedings in Informatics (LIPIcs), Volume 136, pp. 3:1-3:15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2019)


Our most sensitive and important software systems are written in programming languages that are inherently insecure, making the security of the systems themselves extremely challenging. It is often said that these systems were written with the best tools available at the time, so over time with newer languages will come more security. But we contend that all of today’s mainstream programming languages are insecure, including even the most recent ones that come with claims that they are designed to be "secure". Our real criticism is the lack of a common understanding of what "secure" might mean in the context of programming language design. We propose a simple data-driven definition for a secure programming language: that it provides first-class language support to address the causes for the most common, significant vulnerabilities found in real-world software. To discover what these vulnerabilities actually are, we have analysed the National Vulnerability Database and devised a novel categorisation of the software defects reported in the database. This leads us to propose three broad categories, which account for over 50% of all reported software vulnerabilities, that as a minimum any secure language should address. While most mainstream languages address at least one of these categories, interestingly, we find that none address all three. Looking at today’s real-world software systems, we observe a paradigm shift in design and implementation towards service-oriented architectures, such as microservices. Such systems consist of many fine-grained processes, typically implemented in multiple languages, that communicate over the network using simple web-based protocols, often relying on multiple software environments such as databases. In traditional software systems, these features are the most common locations for security vulnerabilities, and so are often kept internal to the system. In microservice systems, these features are no longer internal but external, and now represent the attack surface of the software system as a whole. The need for secure programming languages is probably greater now than it has ever been.

Subject Classification

ACM Subject Classification
  • Software and its engineering → Language features
  • Security and privacy → Software security engineering
  • memory safety
  • confidentiality
  • integrity


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Martín Abadi. Protection in Programming-Language Translations. In Secure Internet Programming, Security Issues for Mobile and Distributed Objects, pages 19-34, 1999. URL: http://dx.doi.org/10.1007/3-540-48749-2_2.
  2. CERT. Malicious HTML Tags, 2000. Google Scholar
  3. Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. Deny Capabilities for Safe, Fast Actors. In Proceedings of the 5th International Workshop on Programming Based on Actors, Agents, and Decentralized Control, AGERE! 2015, pages 1-12, New York, NY, USA, 2015. ACM. URL: http://dx.doi.org/10.1145/2824815.2824816.
  4. NIST Computer Security Resource Center - Glossary, Last accessed April 8, 2019. URL: https://csrc.nist.gov/Glossary.
  5. Common Weakness Enumeration - CWE list version 3.2, Last accessed April 8, 2019. URL: https://cwe.mitre.org/data/index.html.
  6. William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI'10, pages 393-407, Berkeley, CA, USA, 2010. USENIX Association. URL: http://dl.acm.org/citation.cfm?id=1924943.1924971.
  7. Cédric Fournet, Nikhil Swamy, Juan Chen, Pierre-Évariste Dagand, Pierre-Yves Strub, and Benjamin Livshits. Fully abstract compilation to JavaScript. In The 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '13, Rome, Italy - January 23 - 25, 2013, pages 371-384, 2013. URL: http://dx.doi.org/10.1145/2429069.2429114.
  8. Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall. These Aren't the Droids You'Re Looking for: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, pages 639-652, New York, NY, USA, 2011. ACM. URL: http://dx.doi.org/10.1145/2046707.2046780.
  9. Ponemon Institute. 2018 Cost of Data Breach Study: Global Overview, July 2018. URL: https://databreachcalculator.mybluemix.net/assets/2018_Global_Cost_of_a_Data_Breach_Report.pdf.
  10. Benjamin Livshits. Dynamic Taint Tracking in Managed Runtimes. Technical Report MSR-TR-2012-114, Microsoft Research, November 2012. Google Scholar
  11. National Vulnerability Database - NVD CWE Slice, Last accessed February 7, 2019. URL: https://nvd.nist.gov/vuln/categories.
  12. Daniel Patterson and Amal Ahmed. Linking Types for Multi-Language Software: Have Your Cake and Eat It Too. CoRR, abs/1711.04559, 2017. URL: http://arxiv.org/abs/1711.04559.
  13. Nadia Polikarpova, Jean Yang, Shachar Itzhaky, Travis Hance, and Armando Solar-Lezama. Enforcing Information Flow Policies with Type-Targeted Program Synthesis, 2018. URL: http://arxiv.org/abs/1607.03445v2.
  14. rain.forest.puppy. NT web technology vulnerabilities. Phrack Magazine, 8(54), 1998. URL: http://www.phrack.org/archives/issues/54/8.txt.
  15. Daniel Schoepe, Musard Balliu, Frank Piessens, and Andrei Sabelfeld. Let’s Face It: Faceted Values for Taint Tracking. In ESORICS (1), volume 9878 of Lecture Notes in Computer Science, pages 561-580. Springer, 2016. Google Scholar
  16. E. H. Spafford. Crisis and Aftermath. Commun. ACM, 32(6):678-687, June 1989. URL: http://dx.doi.org/10.1145/63526.63527.
  17. TIOBE index, February 2019. URL: http://www.tiobe.com/tiobe-index.
  18. Wietse Venema. Taint Support for PHP, Last modified: 2017/09/22. URL: https://wiki.php.net/rfc/taint.
  19. Lucas Waye, Stephen Chong, and Christos Dimoulas. Whip: higher-order contracts for modern services. PACMPL, 1(ICFP):36:1-36:28, 2017. URL: http://dx.doi.org/10.1145/3110280.
  20. Thomas Würthinger, Christian Wimmer, Christian Humer, Andreas Wöß, Lukas Stadler, Chris Seaton, Gilles Duboscq, Doug Simon, and Matthias Grimmer. Practical Partial Evaluation for High-performance Dynamic Language Runtimes. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2017, pages 662-676, New York, NY, USA, 2017. ACM. URL: http://dx.doi.org/10.1145/3062341.3062381.
  21. Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and Stephen Chong. Precise, Dynamic Information Flow for Database-backed Applications. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '16, pages 631-647, New York, NY, USA, 2016. ACM. URL: http://dx.doi.org/10.1145/2908080.2908098.
  22. Yves Younan. 25 Years of Vulnerabilites: 1988-2012. Research report, Sourcefire, 2013. Google Scholar