Slide 1

Slide 1 text

String is not a sufficient type (how using your type system can help you make better software)

Slide 2

Slide 2 text

About Me → Chris Dzombak → iOS Frameworks Team → [email protected] → @dzombak on Slack → @cdzombak on Twitter

Slide 3

Slide 3 text

Relax.

Slide 4

Slide 4 text

Let’s talk about String.

Slide 5

Slide 5 text

→ user input → human language words → output for the UI → SQL statements → keypaths for Cocoa KVO/KVC → …

Slide 6

Slide 6 text

→ … → XPath queries for XML → shell commands → HTML → regular expressions → and more!

Slide 7

Slide 7 text

String is totally insufficient to represent all these different things

Slide 8

Slide 8 text

Documentation

Slide 9

Slide 9 text

SQL Injection

SELECT * FROM items WHERE owner = 'hacker' AND itemname = 'name'; DELETE FROM items; --'

Slide 10

Slide 10 text

Shell Injection

run("gpg", "--trust-model always -o \"#{File.expand_path(dst.path)}\" -e -r \"#{@recipient}\" \"#{File.expand_path(src.path)}\"")

Code sample from the 2010 DC online voting pilot [1].

[1] https://jhalderm.com/pub/papers/dcvoting-fc12.pdf
    https://freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-pilot

Slide 11

Slide 11 text

Messy UI failure modes

Slide 12

Slide 12 text

XSS

Slide 13

Slide 13 text

What if we used different String types for… → user input → HTML output → SQL statements → shell commands → etc…

Slide 14

Slide 14 text

let username = inputUsername()
let sql: SQLString = "SELECT * FROM `users` WHERE `name` = '" + username + "';"
database.execute(sql)

Slide 15

Slide 15 text

let username = inputUsername()
let sql: SQLString = "SELECT * FROM `users` WHERE `name` = '" + username + "';"
                                                                ^^^
> error: cannot combine `username` of type UserInputString with type SQLString

Slide 16

Slide 16 text

I’m not crazy.

Slide 17

Slide 17 text

43,560

Slide 18

Slide 18 text

43,560 43,560 ft²

Slide 19

Slide 19 text

Units in math are just like your type system.

Slide 20

Slide 20 text

Units in math are just like your type system.

Slide 21

Slide 21 text

Exactly like in high school physics, we should attach meaningful information to our strings.

Slide 22

Slide 22 text

Exactly like in high school physics, we should attach meaningful information to our strings. Then, our compiler or runtime will make many common mistakes impossible.

Slide 23

Slide 23 text

What would it take to really do this?

Slide 24

Slide 24 text

Standard library → String → UserInputString → PathString and URLString → (or maybe filesystem paths and URLs should be represented by separate, more capable objects entirely)

Slide 25

Slide 25 text

Native UI library → UserFacingString → A function accepting Strings, numbers, null references; filtering them; and outputting a “sane” string

Slide 26

Slide 26 text

Web templating library → HTMLEscapedString → A function accepting other Strings and escaping them for output
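As an added example (not code from the talk), here is the HTMLEscapedString idea from this slide in Rust, which is an assumption on my part since the deck's own snippets are Swift-like pseudocode and Ruby. The names `UserInput`, `HtmlEscaped` and `render_greeting` are mine. The point is the same as slide 15: untrusted text has no way into the output except through the escaping function, and the only concatenation the compiler accepts is escaped + escaped.

```rust
/// Untrusted text (user input, request data, file contents). Its field is
/// private and it implements no Display, so it cannot be written into a
/// response by accident.
#[derive(Debug, Clone)]
pub struct UserInput(String);

impl UserInput {
    pub fn new(raw: impl Into<String>) -> Self {
        UserInput(raw.into())
    }
}

/// Text that is safe in an HTML text or double-quoted attribute context.
/// The only constructors are `escape` (from untrusted input) and `trusted`
/// (from a `&'static str` the programmer wrote).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct HtmlEscaped(String);

impl HtmlEscaped {
    /// The slide's "function accepting other Strings and escaping them":
    /// replaces the five characters that change meaning in HTML.
    pub fn escape(input: &UserInput) -> Self {
        let mut out = String::with_capacity(input.0.len());
        for c in input.0.chars() {
            match c {
                '&' => out.push_str("&amp;"),
                '<' => out.push_str("&lt;"),
                '>' => out.push_str("&gt;"),
                '"' => out.push_str("&quot;"),
                '\'' => out.push_str("&#x27;"),
                _ => out.push(c),
            }
        }
        HtmlEscaped(out)
    }

    /// Markup written by the programmer. Requiring `&'static str` means a
    /// String built at runtime (such as user input) cannot be passed here.
    pub fn trusted(markup: &'static str) -> Self {
        HtmlEscaped(markup.to_string())
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Concatenation exists only for HtmlEscaped + HtmlEscaped.
impl std::ops::Add for HtmlEscaped {
    type Output = HtmlEscaped;
    fn add(mut self, rhs: HtmlEscaped) -> HtmlEscaped {
        self.0.push_str(&rhs.0);
        self
    }
}

/// Renders a greeting. The tempting shortcut
///   HtmlEscaped::trusted("<p>Hello, ") + name + HtmlEscaped::trusted("</p>")
/// does not compile: there is no Add<UserInput>, which is the whole idea.
pub fn render_greeting(name: &UserInput) -> HtmlEscaped {
    HtmlEscaped::trusted("<p>Hello, ") + HtmlEscaped::escape(name) + HtmlEscaped::trusted("</p>")
}

fn main() {
    // Constructed sample input covering every escaped character.
    let name = UserInput::new("Tom & Jerry <\"'>");
    println!("{}", render_greeting(&name).as_str());
}
```

Note that `escape` is context-specific: a value going into a URL, a JavaScript string or a CSS rule needs a different escaper, and in this design each of those would be its own type rather than a second method on `HtmlEscaped`.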

Slide 27

Slide 27 text

Database library → SQLStatement, SQLEscapedString → SQLStatement may only be constructed from programmer-controlled origins → Only SQLEscapedString may be combined into SQLStatement, in predefined safe ways → A function accepting Strings and escaping them for SQL
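As an added example covering both this slide and the compile error on slide 15 (my code, not the talk's; Rust is my choice of language, and the names `UserInputString`, `SqlEscapedString`, `SqlStatement`, `find_user` and `statement_count` are mine), this shows a `SqlStatement` that can only be built from `&'static str` fragments and `SqlEscapedString` values, exactly the two rules the slide lists. The escaping rule (double every single quote) is an assumption for illustration; parameterized queries remain the better mechanism where the driver offers them. The hostile input is the one from slide 9, and the small `statement_count` helper makes the difference observable: the untyped query from slide 14 becomes two statements, the typed one stays one.

```rust
/// Untrusted text from a user. Private field, no Display, so the only way
/// it reaches a query is through `SqlEscapedString::escape`.
#[derive(Debug, Clone)]
pub struct UserInputString(String);

impl UserInputString {
    pub fn new(raw: impl Into<String>) -> Self {
        UserInputString(raw.into())
    }
}

/// A value escaped for a single-quoted SQL string literal. The slide's
/// "function accepting Strings and escaping them for SQL" is the only
/// constructor. Assumed rule for this example: double every single quote.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SqlEscapedString(String);

impl SqlEscapedString {
    pub fn escape(input: &UserInputString) -> Self {
        SqlEscapedString(input.0.replace('\'', "''"))
    }
}

/// A statement that grows only from programmer-written literals and
/// already-escaped values, in the predefined ways below.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SqlStatement(String);

impl SqlStatement {
    /// "May only be constructed from programmer-controlled origins":
    /// `&'static str` rejects any String assembled at runtime.
    pub fn literal(fragment: &'static str) -> Self {
        SqlStatement(fragment.to_string())
    }

    pub fn fragment(mut self, fragment: &'static str) -> Self {
        self.0.push_str(fragment);
        self
    }

    /// The one way a value enters: already escaped, and quoted here so the
    /// caller never writes the quotes by hand.
    pub fn value(mut self, v: &SqlEscapedString) -> Self {
        self.0.push('\'');
        self.0.push_str(&v.0);
        self.0.push('\'');
        self
    }

    pub fn text(&self) -> &str {
        &self.0
    }
}

/// Slide 14's query with the typed API. The original line,
///   SqlStatement::literal("... `name` = '") + username + "';"
/// does not compile here either: SqlStatement has no Add, and nothing
/// converts a UserInputString to &'static str or SqlEscapedString except `escape`.
pub fn find_user(username: &UserInputString) -> SqlStatement {
    SqlStatement::literal("SELECT * FROM `users` WHERE `name` = ")
        .value(&SqlEscapedString::escape(username))
        .fragment(";")
}

/// The untyped version from slide 14, kept only for comparison.
pub fn find_user_naive(username: &str) -> String {
    format!("SELECT * FROM `users` WHERE `name` = '{}';", username)
}

/// Counts top-level statements: `;` outside single-quoted literals. A
/// doubled quote inside a literal toggles the state twice, which matches
/// what `''` means to the database.
pub fn statement_count(sql: &str) -> usize {
    let mut in_quote = false;
    let mut count = 0;
    for c in sql.chars() {
        match c {
            '\'' => in_quote = !in_quote,
            ';' if !in_quote => count += 1,
            _ => {}
        }
    }
    count
}

fn main() {
    // The injected value from slide 9.
    let hostile = "name'; DELETE FROM items; --";
    let typed = find_user(&UserInputString::new(hostile));
    let naive = find_user_naive(hostile);
    println!("typed: {} => {} statement(s)", typed.text(), statement_count(typed.text()));
    println!("naive: {} => {} statement(s)", naive, statement_count(&naive));
}
```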

Slide 28

Slide 28 text

Cocoa KVC/KVO → KeyPath → addObserver:forKeyPath:… et al. accept KeyPath → Build KeyPath from string literals, with validation → Build KeyPath from runtime reflection → KeyPath instances can only be manipulated in constrained, valid ways
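As an added example (mine, not the talk's; Rust again by my choice, and `KeyPath`, `KeyPathError`, `Observer` and `add_observer` are stand-ins for the Cocoa API rather than anything Cocoa provides), this follows the slide's four rules: a key path is built from a literal or from a runtime name, both validated; the observer API accepts only `KeyPath`; and the only manipulation is `appending`, which can only produce another valid path. The identifier rule (letters, digits and underscores, not starting with a digit) is an assumption for the example.

```rust
/// A validated dotted key path such as `account.owner.name`. The field is
/// private, so the only constructors are the validating ones below.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct KeyPath(String);

#[derive(Debug, PartialEq, Eq)]
pub enum KeyPathError {
    Empty,
    /// Index of the empty component, e.g. 1 in `account..name`.
    EmptyComponent(usize),
    BadIdentifier(String),
}

/// Assumed identifier rule: `[A-Za-z_][A-Za-z0-9_]*`.
fn is_identifier(s: &str) -> bool {
    let mut chars = s.chars();
    match chars.next() {
        Some(c) if c == '_' || c.is_ascii_alphabetic() => {}
        _ => return false,
    }
    chars.all(|c| c == '_' || c.is_ascii_alphanumeric())
}

impl KeyPath {
    /// "Build KeyPath from string literals, with validation."
    pub fn parse(literal: &'static str) -> Result<KeyPath, KeyPathError> {
        Self::validate(literal)
    }

    /// "Build KeyPath from runtime reflection": a property name discovered
    /// at runtime goes through the same validation.
    pub fn from_reflection(name: &str) -> Result<KeyPath, KeyPathError> {
        Self::validate(name)
    }

    fn validate(s: &str) -> Result<KeyPath, KeyPathError> {
        if s.is_empty() {
            return Err(KeyPathError::Empty);
        }
        for (i, component) in s.split('.').enumerate() {
            if component.is_empty() {
                return Err(KeyPathError::EmptyComponent(i));
            }
            if !is_identifier(component) {
                return Err(KeyPathError::BadIdentifier(component.to_string()));
            }
        }
        Ok(KeyPath(s.to_string()))
    }

    /// The one constrained manipulation: valid + valid is always valid,
    /// so no re-validation is needed and no String ever leaks out.
    pub fn appending(&self, key: &KeyPath) -> KeyPath {
        KeyPath(format!("{}.{}", self.0, key.0))
    }

    pub fn components(&self) -> Vec<&str> {
        self.0.split('.').collect()
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Stand-in for addObserver:forKeyPath:. Because the parameter type is
/// KeyPath, a caller cannot pass an unchecked String.
#[derive(Default)]
pub struct Observer {
    observed: Vec<KeyPath>,
}

impl Observer {
    pub fn add_observer(&mut self, key_path: KeyPath) {
        self.observed.push(key_path);
    }

    pub fn observed(&self) -> &[KeyPath] {
        &self.observed
    }
}

fn main() {
    let base = KeyPath::parse("account.owner").expect("literal is valid");
    let full = base.appending(&KeyPath::parse("name").expect("literal is valid"));
    let mut observer = Observer::default();
    observer.add_observer(full.clone());
    println!("observing {:?}", full.components());
    println!("rejected: {:?}", KeyPath::from_reflection("first name"));
}
```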

Slide 29

Slide 29 text

This sounds hard!

Slide 30

Slide 30 text

This sounds hard!

Slide 31

Slide 31 text

Using plain old String everywhere in your program is like a professional physicist forgoing units in their calculations.

Slide 32

Slide 32 text

This is work we’re doing already.

Slide 33

Slide 33 text

This is work we’re doing already. Except when we forget.

Slide 34

Slide 34 text

This is work we’re doing already. → ESAPI.encoder() → mysql_real_escape_string (yes, I know it’s deprecated) → Escaping shell metacharacters [2] → label.text = name.length ? name : ""

[2] http://stackoverflow.com/a/20053121

Slide 35

Slide 35 text

Implementation?

Slide 36

Slide 36 text

Implementation? ¯\_(ツ)_/¯

Slide 37

Slide 37 text

Conclusions

Type systems exist and we should let them help us. ✅

Slide 38

Slide 38 text

Conclusions

A few new types would help eliminate whole classes of vulnerabilities and other bugs. ✅

Slide 39

Slide 39 text

Conclusions

This wouldn’t be hard or annoying; this is work we’re already doing. ✅

Slide 40

Slide 40 text

Discussion

Slide 41

Slide 41 text

No content