Harvard Researchers Take Aim at Shellshock-like Woes With New Scripting Language

by  Joab Jackson,  IDG News Service

News of the Unix shell bug Shellshock has helped give a boost to Shill, a new scripting language being developed by Harvard University researchers to help prevent those types of vulnerabilities. Shill is designed to limit the ability of shell-based scripts to access resources beyond what they need to handle the task at hand, following the principle of least privilege, according to doctoral student and Shill team member Scott Moore.

“The idea of Shill is to give you control over what you want a program or script to access,” Moore says. He notes that is unlike many existing scripting languages, which grant programs the same level of privileges as the current user. Moore says limiting its access allows Shill to head-off vulnerabilities such as Shellshock, which enable an attacker to inject commands into a script.

He compares Shill to the U.S. National Security Agency’s SE Linux technology, but applied to the script level. The Harvard team currently is developing Shill for the FreeBSD Unix operating system and is considering porting the language to Linux. They also will be presenting Shill at the USENIX Symposium on Operating Systems Design and Implementation this week in Broomfield, CO.  Article