RockSalt boosts app security

By ITWeb
Johannesburg, 25 Jul 2012

A new tool developed by a team of Harvard researchers could step up security and ensure enhanced performance for commonly used Web and mobile applications, The Times of India reports.

Called RockSalt, the clever bit of code can verify that programs written in native computer programming languages comply with a particular security policy.

Tech2 says the use of native code, especially in an online environment, opens up the door to hackers who can exploit vulnerabilities and readily gain access to other parts of a computer or device. An initial solution to this problem was offered over a decade ago by computer scientists at the University of California, Berkeley, who developed software fault isolation (SFI), according to a Harvard statement.

SFI forces native code to "behave" by rewriting the machine code so that it limits itself to functions that fall within particular parameters. This "sandbox process" sets up a contained environment for running native code. A separate "checker" programme can then ensure that the executable code adheres to regulations before the programme is run.

"When a user opens an external application, such as Gmail or Angry Birds, Web browsers such as Google Chrome typically run the programme's code in an intermediate and safer language, such as JavaScript," says Greg Morrisett, professor of computer science at the Harvard School of Engineering and Applied Sciences (SEAS).

Presented at the ACM Conference on Programming Language Design and Implementation (PLDI), in Beijing, RockSalt was created by Morrisett, Allen B Cutting, professor of computer science at SEAS, two of his undergraduate students, Edward Gan and Joseph Tassarotti, former postdoctoral fellow Jean-Baptiste Tristan (now at Oracle), and Gang Tan of Lehigh University, Science Daily states.

When bugs and vulnerabilities were found in the checker for NaCl, Google sent out a call to arms. Morrisett took on the challenge, turning the problem into an opportunity for his students. The result was RockSalt.

RockSalt comprises a mere 80 lines of code, as compared to the 600 lines of the original Google native code checker. The new checker is also faster, and, to date, no vulnerabilities have been uncovered. The tool offers tremendous advantages to programmers and users alike, allowing programmers to code in any language, compile it to native executable code, and secure it without going through intermediate languages such as JavaScript, and even to cross back and forth between Java and native code. This allows coders to choose the benefits of multiple languages, such as using one to ensure portability while using others to enhance performance.
