Fabric weaves security into program code
Wouldn’t it be wonderful if we could build security into a program as it is written? This idea spurred a number of researchers from Cornell University to try and develop a new platform and a new language for building secure information systems, which they dubbed Fabric.
Comparing the current situation of software patching with messy layers of duct tape, Andrew Myers, one of the researchers and a professor of computer science, says that security vulnerabilities are nearly inevitable. With Fabric, they plan to replace all those software layers with one that will enforce security from the get-go.
“Fabric provides a rich, Java-like object model, but data resources are labeled with confidentiality and integrity policies that are enforced through a combination of compile-time and run-time mechanisms,” says the research paper written on the subject. “Results from applications built using Fabric suggest that Fabric has a clean, concise programming model, offers good performance, and enforces security.”
Cornell University Chronicle Online reports that the Fabric programming language is an extension to the Jif programming language – which is, in turn, based on the widely used Java. Fabric uses “objects” that are labeled with policies defining who can access the data and how it can be used. Blocks of program code have built-in policies about when and where they can be run. And the compiler enforces security policies – making it impossible for the programmer to produce insecure code.
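To make the labeling idea concrete, here is a simplified model in Python of a checker that rejects a flow before anything runs. It is an added illustration, not Fabric or Jif code or syntax: the Label class, the check function, the principals and the variable names are all assumptions, and it covers only direct assignments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    readers: frozenset     # principals allowed to learn the value (confidentiality)
    trusted_by: frozenset  # principals who vouch for the value (integrity)

    def join(self, other):
        # Combining two values: only common readers may see the result,
        # and only principals who vouch for both inputs vouch for it.
        return Label(self.readers & other.readers, self.trusted_by & other.trusted_by)

    def flows_to(self, dst):
        # Safe only if dst exposes the value to no extra readers
        # and claims no more trust than the source carries.
        return dst.readers <= self.readers and dst.trusted_by <= self.trusted_by

def label(readers, trusted_by):
    return Label(frozenset(readers), frozenset(trusted_by))

def check(decls, assignments):
    """Statically check 'dst = f(srcs...)' statements; nothing is executed."""
    errors = []
    for dst, srcs in assignments:
        combined = decls[srcs[0]]
        for s in srcs[1:]:
            combined = combined.join(decls[s])
        if not combined.flows_to(decls[dst]):
            errors.append(f"{dst} <- {', '.join(srcs)}: flow violates label on {dst}")
    return errors

# Constructed sample: a patient-record program with hypothetical principals.
DECLS = {
    "diagnosis":  label({"alice", "doctor"}, {"doctor"}),
    "web_input":  label({"alice", "doctor", "public"}, set()),
    "note":       label({"doctor"}, set()),
    "chart":      label({"doctor"}, {"doctor"}),
    "public_log": label({"alice", "doctor", "public"}, set()),
}
PROGRAM = [
    ("note", ["diagnosis", "web_input"]),  # allowed: fewer readers, no trust claimed
    ("public_log", ["diagnosis"]),         # confidentiality leak: 'public' gains access
    ("chart", ["web_input"]),              # integrity violation: untrusted input
]

if __name__ == "__main__":
    for err in check(DECLS, PROGRAM):
        print("rejected:", err)
```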
An initial release of Fabric has already been made available, but it is still being tested and its “security” has not been proved beyond the shadow of a doubt. In the meantime, we can hope that this is a step in the right direction.