中文

Compile-time Security Analysis and Optimization of Sensitive String Producers

编程语言 2026-05-19 v1 密码学与安全

摘要

Content composition vulnerabilities remain among the most prevalent and persistent classes of security weakness in deployed software. Prior mitigations, including developer training, static analysis tools, and domain-specific template languages, each face diminishing returns; AI code generation inherits these limitations and introduces new ones, reproducing insecure patterns from training data and lacking reliable context for self-correction. This paper introduces a general framework for secure content composition that extends across content languages and integrates directly into general-purpose programming languages via additive changes to string expression syntax. We define a language design goal of minimizing the lexical distance between secure and insecure idioms, and show that this goal admits practical compilation strategies: static analyses specified in terms of dynamic semantics, runtime performance approaching na\"ive string concatenation, and developer-facing diagnostics surfaced as compile-time errors or warnings. The approach enables an effective division of labor: security engineers encode composition hazards in libraries once; developers and AI coding agents select the appropriate library primitive to implement features correctly without needing to internalize specialist security knowledge; compiler diagnostics provide objective, position-keyed feedback that grounds both human review and iterative AI self-correction; and security responders focus on keeping libraries current rather than auditing ad-hoc security decisions distributed across a codebase.

关键词

引用

@article{arxiv.2605.16561,
  title  = {Compile-time Security Analysis and Optimization of Sensitive String Producers},
  author = {Mike Samuel and Tom Palmer and Shaw Summa and Robert Grayson},
  journal= {arXiv preprint arXiv:2605.16561},
  year   = {2026}
}

备注

10 pages, 9 figures