Taint checking

Taint checking is a feature in some computer programming languages, such as Perl[1] and Ruby,[2] designed to increase security by preventing malicious users from executing commands on a host computer. Taint checks highlight security risks primarily associated with web sites, which are attacked using techniques such as SQL injection or buffer overflow attacks.

Overview

The concept behind taint checking is that any variable that can be modified by an outside user (for example, a variable set by a field in a web form) poses a potential security risk. If that variable is used in an expression that sets a second variable, that second variable is now also suspicious. The taint checking tool can then proceed variable by variable, forming a list of variables that are potentially influenced by outside input. If any of these variables is used to execute dangerous commands (such as direct commands to a SQL database or to the host computer's operating system), the taint checker warns that the program is using a potentially dangerous tainted variable. The programmer can then redesign the program to erect a safe wall around the dangerous input.

Taint checking may be viewed as a conservative approximation of the full verification of non-interference or the more general concept of secure information flow.[3] Because information flow in a system cannot be verified by examining a single execution trace of that system,[4] the results of taint analysis will necessarily reflect approximate information regarding the information flow characteristics of the system to which it is applied.[5]

Example

The following dangerous Perl code opens a large SQL injection vulnerability by not checking the value of the $name variable:

#!/usr/bin/perl -T
# -T enables taint mode for the whole program
use CGI;
use DBI;
my $cgi  = CGI->new;
my $name = $cgi->param("name");  # Get the name from the browser (tainted data)
...
$dbh->{TaintIn} = 1;             # Make DBI check SQL strings for taint
$dbh->do("SELECT * FROM users WHERE name = '$name';"); # Interpolates the tainted value straight into the SQL text

If taint checking is turned on, Perl would refuse to run the command and exit with an error message, because a tainted variable is being used in a SQL query. Without taint checking, a user could enter foo'; DROP TABLE users --, thereby running a command that deletes the entire database table. Much safer would be to encode the tainted value of $name as a SQL string literal and use the result in the SQL query, guaranteeing that no dangerous command embedded in $name will be evaluated. Another way to achieve this is to use a prepared statement with placeholders, so that all variable input is passed to the query as data rather than as part of the SQL text.

Note that Perl DBI checks SQL strings for taint only if the TaintIn attribute of the database handle is set in addition to taint mode being enabled.
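The propagation described in the Overview and the injection scenario above, as an added example that is not part of the original article: a minimal taint-tracking model in Python (the Tainted marker, concat, untaint, execute_sql and the lookup functions are constructed for this illustration and mirror Perl's behaviour rather than reuse its implementation). Taint spreads through string operations, is dropped only by an allow-list validation, and is rejected at the SQL sink, while a prepared statement passes the same payload harmlessly as data.

```python
import re
import sqlite3

class Tainted(str):
    """str subclass marking data that arrived from an untrusted source."""

def concat(*parts):
    """Join strings; the result is tainted if any part is tainted.
    This is the propagation step: taint spreads to every derived value."""
    joined = "".join(parts)
    return Tainted(joined) if any(isinstance(p, Tainted) for p in parts) else joined

def untaint(value, allowed=r"[A-Za-z0-9_]+"):
    """Untaint only by validating against an allow-list regex (Perl's
    convention: a regex capture is the one sanctioned way to untaint)."""
    if not re.fullmatch(allowed, value):
        raise ValueError("input rejected by allow-list")
    return str(value)  # plain str: the taint mark is dropped

def execute_sql(conn, sql, params=()):
    """Sink: refuse to run SQL text that still carries taint, as Perl does
    with TaintIn set ("Insecure dependency ... while running with -T switch")."""
    if isinstance(sql, Tainted):
        raise PermissionError("tainted data reached the SQL sink")
    return conn.execute(sql, params).fetchall()

def make_db():
    """Constructed sample database: an in-memory SQLite users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn

def lookup_interpolated(conn, name):
    """The article's vulnerable pattern: the value is spliced into the SQL text."""
    return execute_sql(conn, concat("SELECT * FROM users WHERE name = '", name, "'"))

def lookup_prepared(conn, name):
    """Prepared statement: the SQL text is constant, the value travels as data."""
    return execute_sql(conn, "SELECT * FROM users WHERE name = ?", (str(name),))

if __name__ == "__main__":
    db = make_db()
    payload = Tainted("foo'; DROP TABLE users --")  # constructed attacker input
    print(lookup_prepared(db, payload))              # [] : payload treated as a literal name
    print(lookup_interpolated(db, untaint(Tainted("alice"))))  # [('alice',)]
```

Calling lookup_interpolated with the raw payload raises PermissionError before any SQL runs, which is the refusal the article describes; calling untaint on the payload raises ValueError because it fails the allow-list.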

History

Perl has supported tainting since at least 1989, as the -T switch[6] was included in Perl 3.[7]

In 1996 Netscape implemented data tainting in server-side JavaScript in Netscape Communications Server, as well as client-side in Netscape Navigator 3.[8] However, since the client-side support was considered experimental, it shipped disabled (requiring user intervention to activate) and required page authors to modify their scripts to benefit from it. Other browser vendors never implemented the functionality; nor did Communications Server's primary competition, Microsoft's (then) new Internet Information Server.


References

  1. "perlsec - Perl security". Perl 5 development team. 2012-05-20.
  2. Programming Ruby: The Pragmatic Programmer's Guide. Addison Wesley Longman. 2001. p. 253 (Ch. 20).
  3. A. Sabelfeld and A. C. Myers. "Language-based information-flow security". IEEE Journal on Selected Areas in Communications, 2003.
  4. J. Ligatti, L. Bauer and D. Walker. "Edit automata: Enforcement mechanisms for run-time security policies". International Journal of Information Security, 2005.
  5. T. Terauchi and A. Aiken. "Secure information flow as a safety problem". In 12th International Static Analysis Symposium, September 2005.
  6. "perlsec". perldoc.perl.org. Retrieved 2012-05-29.
  7. Patwardhan, Siever and Spainhour. Perl in a Nutshell, Second Edition. ISBN 0-596-00241-6.
  8. "JavaScript: The Definitive Guide". Docstore.mik.ua. Retrieved 2012-05-29. "[...] the data-tainting security model is experimental in Navigator 3.0, and is not enabled by default. It is expected to be the default security model in version 4.0 of Navigator, however."
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.