Visible to the public Wyvern Programming Language

SoS Newsletter- Advanced Book Block

Wyvern Programming Language


Researchers at Carnegie Mellon University, led by associate professor Jonathan Aldrich of the university's Institute for Software research (ISR), have been working on developing an innovative breakthrough programming language for building secure web and mobile applications. The new programming language, called Wyvern - aptly named for the legendary two-legged, winged dragon fiercely protective of its treasure, aims to help software engineers build secure mobile and web applications using several type-based, domain-specific languages (DSLs) within the same program. Wyvern is able to identify sublanguages (SQL, HTML, etc.) used in the program based on types and their context, which signify the format of the data, according to CMU's press release (Spice 2014, accessed at . Just as a Wyvern dragon ensures protection of its treasure, the Wyvern language is designed to help create secure programs.

Dr. Aldrich and his team recognized the proliferation of programming languages used in the development of web and mobile applications to be incredibly inefficient. Though software development has come a long way, from Fortran to JavaScript, the web and mobile arenas struggle to cobble together a "...mishmash of artifacts written in different languages, file formats, and technologies", according to CMU's web page on Wyvern rationale ( For example, constructing most commercial web pages often require HTML for structure, CSS for design, with JavaScript to appease user interaction, as well as SQL to access the database back-end. The diversity of current languages and tools used to create an application increases the associated time, cost, and security risks, opening the door for particularly prevalent Cross-Site Scripting and SQL Injection attacks. In light of this, Wyvern has eliminated the need for use of character strings as commands, which, for instance, is seen in SQL. By allowing character strings, malicious users with a rough knowledge of a system's structure could execute destructive commands such as DROP TABLE, or manipulate instituted access controls.

Dr. Aldrich likens Wyvern's capabilities to that of a "...skilled international negotiator who can smoothly switch between languages...", able to discern which sublanguage is being used through context, much like the way "...a person would realize that a conversation about gourmet dining might include some French words and phrases" (Spice 2013). Wyvern strives to provide
* Flexible Syntax, using an internal DSL strategy.
* Typechecking, a static type-checking based on defined rules in Wyvern-internal DSLs
* Secure language and library constructs, providing secure built-in datatypes and database access through an internal DSL
* High-level abstractions, wherein programmers will be able to define an application's architecture, to be enforced by the type system, and implemented by the compiler and runtime.

A succinct PowerPoint presentation of Wyvern and examples may be accessed at


Similar to languages such as Python, Wyvern is a pure object-oriented language that is value-based, statically type-safe, and supports functional programming (Nistor et al. 2013, accessed at Wyvern follows the principle that objects should only be accessible by invoking their methods. As such, with Wyvern's use of type-specific languages (TSLs), a type is invoked only when a literal appears in the context of the expected type, ensuring non-interference (Omar 2014, accessed at ).

Wyvern is currently ongoing, and is an open-source project. Interested potential users may explore the language at .


Interest in Wyvern programming language has been shown enthusiastically in the security world. Gizmag, which covers new and emerging technological innovations, mentions Wyvern as "something of a meta-language", and agrees that the web would be a much more secure place if not for vulnerabilities due to the common coding practice of "pasted-together strings of database commands" (Moss 2014, accessed at The CMU Lablet and Wyvern were featured in a press release by SD Times, which mentions the integration of multiple languages, citing flexibility in terms of additional sublanguages, and easy-to-implement compilers. The article may be accessed at ACM Communications explains Wyvern as a host language that allows developers to import other languages for use on a project, but warns that Wyvern, as a meta-language, could be vulnerable to attack. The ACM article can be accessed at

Learn more about Wyvern at .


Spice, Byron (2014). Carnegie Mellon developing programming language that accommodates multiple languages in same program. Carnegie Mellon University School of Computer Science. Retrieved from

Cyrus Omar, Darya Kurilova, Ligia Nistor, Benjamin Chung, Alex Potanin, and Jonathan Aldrich. Safely composable type-specific languages. Proc. European Conference on Object-Oriented Programming, 2014. Retrieved from

Ligia Nistor, Darya Kurilova, Stephanie Balzer, Benjamin Chung, Alex Potanin, and Jonathan Aldrich. Wayvern: a simple, typed, and pure object-oriented language. In Mechanisms for Specialization, Generalization, and Inheritance (MASPEGHI), 2013. Retrieved from

Moss, Richard (2014). Wyvern system allows multiple programming languages within one computer system. Gizmag. Retrieved from

(ID: 14-2494)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.