Researchers at the Massachusetts Institute of Technology have developed software that represents a breakthrough in security for programs written in the popular web application framework Ruby on Rails.
When tested on 50 web apps written in Ruby on Rails, the software identified 23 bugs without taking more than 63 seconds to inspect any single app. This new form of static analysis analyzes how information flows through a program using a logical language rather than a programming language, allowing for quick searches and readily understood results.
“When you look at something like a Web application written in a language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog,” said Daniel Jackson, professor in the Department of Electrical Engineering and Computer Science, in a statement to MIT News. “And this makes it really infeasible in practice.”
But because Ruby on Rails relies on a single library to define every property in the language, the MIT researchers were able to translate the entire language into a logical code that is machine-readable. The software then interprets the flow of information in a program using the logical language and reports a simple line-by-line description of how it works. With a little expertise, a reader can use these read-outs to find areas of the program that may allow unauthorized users to access information they should not be able to see.
Considering the popularity of Ruby on Rails, the new software could play a role in tightening the digital security of a wide range of applications and websites. And the remarkable results of the first tests certainly reflect the current weakness of many, if not most, commercially available programs.
A strong debugging process for Ruby on Rails may even help convince programmers to choose Ruby for future projects. Clearly, we have a serious problem, and only now are we figuring out how to diagnose it.
According to MIT, the researchers will present their results at the International Conference on Software Engineering, May 14-22 in Austin, Texas.