Difference between revisions of "OWASP Resource Securitization Language Project"

Revision as of 16:38, 9 April 2015


OWASP Resource Securitization Language (R/E)

R/E is a version of E, an influential language to model/afford secure programming practices and designs, based on a Lisp E implementation. R/E uses a recent embedded Lisp dialect and is intrinsically oriented to modern (and "semantic") web patterns.


Description

The R/E (Resource Securitization Language) is envisioned as a modern adaptation of the E programming language and is intended to extend the Common Lisp implementation of E. E is one of the oldest "security" languages, in that it was designed specifically for secure coding and to promote good security practices through language affordances. Originally implemented in Java, a Common Lisp version of E was developed (beginning in 2008) by Kevin Reid. (It should be noted that, regardless of implementations in Lisp, E itself has a C-style syntax that is arguably easier for most programmers to use; Common Lisp integration, however, can support powerful Lisp-based extensions.)

The new R/E dialect is based on Clasp, a very recent Common Lisp implementation created by Christian Schafmeister of Temple University. Clasp is itself based on Embedded Common Lisp and is designed for efficient embedding and integration with C++ applications and, in particular, with LLVM (a compiler and development toolkit whose initials originally stood for "Low Level Virtual Machine", which despite being officially obsolete is a good four-word summary). Because it is based on a Lisp intended for embedding, R/E as a dialect of E is suitable for embedded programming, in which it integrates into applications primarily written in a different language: R/E can be used just for the components which provide certain sensitive capabilities, like database and filesystem access. (By fortuitous coincidence, the name Clasp is also used by the OWASP Comprehensive, Lightweight Application Security Process Project, and conceivably E-based code can be used to implement parts of CLASP-informed applications.) Aside from using Clasp as a back-end, R/E aims to adapt Clasp to be easier to use as a cross-platform language environment and as a foundation for other languages.
In particular, extending both Lisp and E implementations, R/E is based on a Semantic Networking or Semantic Web style compilation model which separates source-level syntax from canonical syntax, and uses Semantic Web compatible data structures to express pre- (or partly-) compiled code. This allows R/E components to be coded in extended (or alternate) syntaxes which may be more readily integrated into existing projects, based on the languages and data structures they favor. Semantic Network models of source code also allow for Semantic Web tools to gather and process information about code projects, documentation, requirements, and policies. In addition to the core language, this project will provide simple examples of a database, http client and server, and GUI integration that can be used for prototyping applications which may use R/E components. Finally, R/E will provide an OWL ontology (likely published in RDFa) to model the concepts relevant to creating, compiling, using, and evaluating R/E code and the components or applications which use it, with links as appropriate to other ontologies/taxonomies/vocabularies in the code security, privatization, and trust-description domains.
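As an added illustration of the object-capability idea the description leans on (a sensitive resource reachable only through a component that was explicitly handed authority), this Ruby sketch is not R/E or E code and is not from the project; Ruby is used because the roadmap names it as one host language. The DirCap class, its methods and the sandbox files are all constructed here: a filesystem component confined to one directory, with an attenuated read-only facet for less-trusted code.

```ruby
require "tmpdir"
require "fileutils"
# Hypothetical object-capability style filesystem component (not R/E code): file
# authority flows only through a DirCap reference, never a global "open any path".
class DirCap
  def initialize(root, writable: true)
    @root = File.realpath(root)
    @writable = writable
  end
  # Attenuation: a weaker facet to hand to less-trusted code. It cannot regain
  # write authority, since that would require a reference to the original.
  def read_only
    DirCap.new(@root, writable: false)
  end
  def read(name)
    File.read(confine(name))
  end
  def write(name, data)
    raise SecurityError, "capability is read-only" unless @writable
    File.write(confine(name), data)
  end
  private
  # Resolve name relative to root and reject anything that escapes it
  # ("../secret", or a symlinked directory) by comparing canonical paths.
  def confine(name)
    target = File.expand_path(name, @root)
    parent = File.realpath(File.dirname(target)) # canonical directory part
    resolved = File.join(parent, File.basename(target))
    return resolved if resolved.start_with?(@root + File::SEPARATOR)
    raise SecurityError, "path escapes capability root: #{name}"
  rescue Errno::ENOENT
    raise SecurityError, "no such directory for: #{name}"
  end
end
# :allowed or :denied for one operation (SecurityError is not a StandardError).
def attempt
  yield
  :allowed
rescue SecurityError
  :denied
end
# Constructed demonstration: a temp sandbox holding a secret outside the
# component's root. Returns the outcomes so they can be checked.
def demo_capabilities
  Dir.mktmpdir do |tmp|
    FileUtils.mkdir_p(File.join(tmp, "app", "data"))
    File.write(File.join(tmp, "secret.txt"), "top secret")
    File.write(File.join(tmp, "app", "data", "config.txt"), "debug=false")
    data = DirCap.new(File.join(tmp, "app", "data")) # held by the host application
    data_ro = data.read_only                         # handed to an untrusted component
    { read: data_ro.read("config.txt"),
      traversal: attempt { data_ro.read("../../secret.txt") },
      write_ro: attempt { data_ro.write("config.txt", "debug=true") } }
  end
end
```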

Licensing

Boost Software License (amended)

Project Resources

Some information is discussed on the website scignscape.appspot.com. However, an R/E-specific web site is under development.

Please also visit pages about Clasp and E, for example:

  • Clasp: github.com/drmeister/clasp
  • E in a nutshell: skyhunter.com/marcs/ewalnut.html

Project Leader

Nathaniel Christian

Related Projects


Classifications

Project Type: Code
Incubator Project (Builders)

News and Events

Although not specifically an OWASP meeting, I will be talking about R/E at two meetups co-organized by OWASP/Brooklyn and Semiotics Wem, on April 18th and 25th at 10:30 am, Morningside Heights Library community room in Manhattan. I'll post links when they're available.



Volunteers


The first contributors to the project were:


Roadmap

Whereas E-on-Common-Lisp relies on the original (Java) version of E for some core functionality, R/E will completely replace these components with Lisp, C++, or (in a single-language version) Ruby equivalents. In particular, the existing ANTLR-based parsing mechanism has been replaced by a Semantic-Network grammar engine which allows R/E code and components to be integrated with Semantic Web tools and concepts. I envision the development roughly as follows:

  • Basic language implementation: (all of these stages have been partially completed, so the basic development strategies involved are in place, but there are many details to sort out)
    1. Establish an R/E grammar, first informally and then a formal specification using a Semantic Web-based grammar and parsing system. This also involves polishing code for such a grammar and providing this code on github. The idea of such a grammar is that users of R/E can customize the language for their purposes, including (eventually) embedding callbacks to R/E code within parsing itself.
    2. Implement (at least a large part of) R/E basic data and function structures in the form of a generator for C++ code.
    3. Using this base, build a version in Ruby which allows both the parsing and runtime interpretation to be carried out in a single language. Compile this into a gem and use a Rails application to demonstrate it.
    4. Port the same base to Clasp itself, adding the necessary C++ code to the underlying Clasp and using a “Semantic Readtable” to hook into the Clasp runtime for executing R/E code.
  • Implement many E features for R/E:
    1. Port E-on-Common-Lisp to the embedded Clasp platform, or at least determine how extensively this can be accomplished.
    2. Ensure cross-platform consistency by solidifying the Clasp base itself (since Clasp in turn is a very new language, R/E is being built with/alongside a modified Clasp version that is easier to use in different contexts; for example, minimizing differences between Windows/Unix and 32-bit/64-bit environments).
    3. Provide sample components, expected to use the Qt and UnQLite libraries, demonstrating how the language may be used to provide components isolating sensitive capabilities, such as database/filesystem access and http networking, integrated into other projects.
  • Promote customization and cross-language support:
    1. Integrate a markup language for code documentation, serialization, embedded rich text, etc., parsed directly by R/E.
    2. Provide a mechanism for developing alternate grammars that may be more suited for integrating into existing projects, including “host languages” other than the primary Clasp/C++ (or “R/Z”) runtime or the single-language Ruby host.
    3. Publish an Ontology of R/E coding constructs and concerns; the R/E compiler will be guaranteed to compile any source whose internal representation conforms to the ontology, even if its surface syntax differs considerably from either R/E or E proper.

Getting Involved

Feedback

R/E (the Resource Securitization Language) is a modern adaptation of the E programming language (one of the first and most influential languages specifically designed to address security concerns and "Capability-Oriented Programming"), intended to extend the Common Lisp implementation of E by using a very recent embedded version of Common Lisp, called Clasp. R/E will be available in source code form and in the form of binaries for platforms for which Clasp itself is also available (or perhaps additional platforms as well, since R/E can be configured to use a simplified subset of Clasp/Lisp to focus on building components for sensitive capabilities like database, networking, and filesystem access, which are then embedded into applications written in other languages).