
What do you know about language-theoretic security?

Language-theoretic security, or LangSec, is a cyber-security approach that aims to eliminate cyber-risks at their programming roots. From this perspective, all Internet cyber-risks originate in ad-hoc programming and untrusted inputs, which form layer upon layer of code with potentially embedded vulnerabilities. Ensuring a base security level for the programming languages themselves would eliminate an important share of the programming-induced vulnerabilities.

The solution? Language-theoretic security postulates that the set of all valid inputs constitutes a formal language with recognizable patterns. Those patterns together form the so-called “recognizer”, a component that accepts only inputs belonging to that language and should thereby eliminate the possibility of malicious exploits.

In the ideal LangSec vision, the programmers’ assumptions about data safety and validity match the conditions under which the software is actually deployed. For this to be possible, there is a right way to perform input handling, with accepted standards and recommended protocols. The only truly dependable and secure programs are those that follow these trustworthy protocols and systems; otherwise, no amount of checking suffices to decide a program’s security level.

To put it another way, programming languages are treated like spoken languages, and a common safe zone would be the only real deterrent to cyber-crime. Once programmers “speak” this universal, standardized language, security checks could easily identify the mapped protocols and patterns, and any abnormalities or potential vulnerabilities would be easy to spot.
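To make the recognizer idea concrete, here is an added example (not code from the original article): a constructed tag-length-value record format is treated as a formal language, and the recognizer accepts an input only if the entire byte string belongs to that language, rejecting it before any field is processed. The grammar, tag numbers and size limit are all assumptions made for this illustration.

```python
"""LangSec-style recognizer for a small constructed record format (example)."""
import struct

# Constructed grammar, assumed for this example (not from the article):
#   message := record*
#   record  := tag(1 byte) length(2 bytes, big-endian) value(length bytes)
#   tag     := 0x01 (name) | 0x02 (email); value := printable ASCII, <= 64 bytes
ALLOWED_TAGS = {0x01: "name", 0x02: "email"}
MAX_VALUE_LEN = 64


def recognize(data: bytes) -> dict:
    """Return the parsed fields only if the WHOLE input is in the language.

    Truncation, an unknown tag, a length running past the end, an over-long or
    non-printable value, or a duplicate field rejects the input before any
    field value is acted upon.
    """
    fields = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError(f"truncated record header at offset {pos}")
        tag = data[pos]
        (length,) = struct.unpack_from(">H", data, pos + 1)
        pos += 3
        if tag not in ALLOWED_TAGS:
            raise ValueError(f"unknown tag 0x{tag:02x}")
        if length > MAX_VALUE_LEN:
            raise ValueError(f"value length {length} exceeds {MAX_VALUE_LEN}")
        if pos + length > len(data):
            # The declared length is checked against the real input, never trusted.
            raise ValueError("declared length runs past end of input")
        value = data[pos:pos + length]
        if any(b < 0x20 or b > 0x7E for b in value):
            raise ValueError("non-printable byte in value")
        name = ALLOWED_TAGS[tag]
        if name in fields:
            raise ValueError(f"duplicate field {name!r}")
        fields[name] = value.decode("ascii")
        pos += length
    return fields


def is_in_language(data: bytes) -> bool:
    """Boolean form of the recognizer: True only for well-formed messages."""
    try:
        recognize(data)
        return True
    except ValueError:
        return False
```

Every rejection happens on the raw bytes, so code downstream of `recognize` only ever sees inputs that are fully in the language.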

The novelty in language-theoretic security

Instead of trying to deal with the effects of uneven programming and mixed inputs, language-theoretic security strives to eliminate the cause of cyber-vulnerabilities. In a standardized medium with clear information-flow policies, the necessary analysis and assessments can deliver reliable results.

As a security enforcement mechanism, LangSec is extremely valuable in end-to-end security, surpassing both antivirus software and encryption in the degree of protection it provides.

Language-based mechanisms are not inherently new; it is their purpose that shifts to a whole new level with the LangSec approach. For example, the Java runtime environment is a case of such a mechanism being employed for security goals, and language-based techniques also characterize ongoing security research on protecting machines from mobile-code subversion. Yet applying these concepts to end-to-end security represents an upgrade and a novel approach.

As supporters of this approach have put it, LangSec represents “the next generation of application security controls that are broadening the solution space”.

Why is language-theoretic security re-emerging now?

This approach, mostly overlooked so far, perhaps because of its largely theoretical nature and its standardizing implications, is currently gaining traction.

What has suddenly changed, one may wonder? The answer lies in the latest technological trends. Automation and machine learning are branching out into cyber-security, and systems grow more complex, progressing day by day toward IoT connectivity. In a connected digital micro-universe, any pre-existing vulnerability offers room for expansion, opportunity and means for malicious intervention. In addition, the same entry point could be just as hard, if not harder, to detect.

Cyber-security in connected systems could gain considerably from implementing language-theoretic security: if programming is done according to safer, recognizable rules, patterns and protocols, it can also be analyzed by automated means, and the results would be reliable.

A universe of machines, powered by trustworthy software and monitored by automated checking programs that make sure data remains secure and protected from intruders: that is an image of the future to think about. Moreover, the LangSec approach tackles, as a group of Dutch researchers put it, “The possibility to automatically infer formal specifications of such languages, in the form of protocol state machines, from implementations by black box testing.”

The cyber-security background for language-theoretic security

The cyber-security field is on the rise, in terms of research activities, implemented products, community interactions, discussions and solutions, as well as in terms of providers and vendors. This technological sub-domain is effervescing with events, new topics, reports, monitoring activities and real-life law enforcement actions.

Rules and regulations have been established covering best practices, compliance guidelines and liability terms for data handlers, since cyber privacy is a critical element that malicious entities relentlessly try to undermine.

Nevertheless, an equally active environment exists in the world of cyber-criminals: often faceless malicious entities that can remotely steal data and use it to affect the finances or the entire life of unsuspecting citizens. The potential cyber-crime victims, whether end targets or intermediaries who have to bear the consequences, pay a great deal of money trying to prevent cyber-events from occurring, or trying to minimize the aftermath.

Cyber-aggression does not take geographical borders into account, yet those who have to defend data and fight off such attacks are bound by national and international policies. Responding to global attacks with scattered and uneven methods makes for a difficult fight that seems never to end.

Programming activity also develops in a scattered and uneven manner, with innovations, overlapping languages and sometimes-patched software that sums up the work of more than one team of developers. The overall picture is heterogeneous, and compatibility and associations create subdivisions in this environment too.

With these elements in mind, a coordinated method that tries to provide clean, predictable and easy-to-monitor starting material for IT systems seems appealing. Although it needs a lot of coordination and a synchronized effort in order to go mainstream in the cyber-security world, LangSec has a lot to add to cyber-defensive efforts, and it is worth a try.