Taint checking

Taint checking is a feature in some computer programming languages, such as Perl, [1] Ruby [2] or Ballerina, [3] designed to increase security by preventing malicious users from executing commands on a host computer. Taint checks highlight specific security risks, primarily those associated with web sites that are attacked using techniques such as SQL injection or buffer overflows.

Overview

The concept behind taint checking is that any variable that can be modified by an outside user (for example, a variable set by a field in a web form) poses a potential security risk. If that variable is used in an expression that sets a second variable, that second variable is now also suspicious. The taint checking tool can then proceed variable by variable, forming a list of variables which are potentially influenced by outside input. If any of these variables is used to execute dangerous commands (such as direct commands to a SQL database or to the host computer's operating system), the taint checker warns that the program is using a potentially dangerous tainted variable. The computer programmer can then redesign the program to erect a safe wall around the dangerous input.

Taint checking may be viewed as a conservative approximation of the full verification of non-interference or the more general concept of secure information flow. [4] Because information flow in a system cannot be verified by examining a single execution trace of that system, [5] the results of taint analysis will necessarily reflect approximate information regarding the information flow characteristics of the system to which it is applied. [6]

Example

The following dangerous Perl code opens a large SQL injection vulnerability by not checking the value of the $name variable:

    #!/usr/bin/perl
    my $name = $cgi->param("name");   # Get the name from the browser (untrusted, so tainted)
    ...
    $dbh->{TaintIn} = 1;              # Make DBI methods check their arguments for taint
    $dbh->do("SELECT * FROM users WHERE name = '$name';");   # Execute an SQL query built from $name

If taint checking is turned on, Perl would refuse to run the command and exit with an error message, because a tainted variable is being used in a SQL query. Without taint checking, a user could enter foo'; DROP TABLE users --, thereby running a command that deletes the entire database table. Much safer would be to encode the tainted value of $name as a SQL string literal and use the result in the SQL query, guaranteeing that no dangerous command embedded in $name will be evaluated. Another way to achieve that is to use a prepared statement, so that all variable input to the query is passed as data rather than as part of the SQL text.

One thing to note is that Perl DBI requires one to set the TaintIn attribute of a database handle as well as enabling taint mode to check one's SQL strings. [7]
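The propagation rule from the Overview and the escaping remedy from the Example, modelled as a small dynamic taint tracker. This is an added example, not code from the original article or from Perl: Tainted, TaintError, param, sql_literal and execute are hypothetical names, only string concatenation propagates taint (a real implementation would cover every string operation), and the request data is a constructed dict.

```python
"""Toy dynamic taint tracking in the spirit of Perl's taint mode (added example)."""


class TaintError(Exception):
    """Raised when a tainted value reaches a dangerous sink."""


class Tainted(str):
    """A str carrying a taint flag; concatenation propagates the flag."""

    def __new__(cls, value: str, tainted: bool = True) -> "Tainted":
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    def __add__(self, other: str) -> "Tainted":
        other_tainted = isinstance(other, Tainted) and other.tainted
        return Tainted(str(self) + str(other), self.tainted or other_tainted)

    def __radd__(self, other: str) -> "Tainted":
        other_tainted = isinstance(other, Tainted) and other.tainted
        return Tainted(str(other) + str(self), self.tainted or other_tainted)


def param(form: dict, key: str) -> Tainted:
    """Source: anything read from the request is tainted (form is a constructed dict)."""
    return Tainted(form[key], True)


def sql_literal(value: str) -> Tainted:
    """Sanitizer: encode as a quoted SQL string literal, which clears the taint."""
    return Tainted("'" + str(value).replace("'", "''") + "'", False)


def execute(query: str) -> str:
    """Sink: refuse a tainted query, as Perl refuses to run the command."""
    if isinstance(query, Tainted) and query.tainted:
        raise TaintError("Insecure dependency in SQL query: " + str(query))
    return str(query)


def unsafe_query(form: dict) -> str:
    """Interpolates the raw parameter; the taint reaches the sink and is rejected."""
    name = param(form, "name")
    return execute("SELECT * FROM users WHERE name = '" + name + "';")


def safe_query(form: dict) -> str:
    """Routes the parameter through the sanitizer first; the sink accepts it."""
    name = param(form, "name")
    return execute("SELECT * FROM users WHERE name = " + sql_literal(name) + ";")


def rejected(form: dict) -> bool:
    """True if unsafe_query trips the taint check for this request."""
    try:
        unsafe_query(form)
    except TaintError:
        return True
    return False
```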

History

Perl supported tainting in setuid scripts from at least version 3.0 (released in 1989), [8] though it was not until version 5.0 (released in 1994) [8] that the -T switch [1] was introduced, integrating tainting into a single runtime.

In 1996, Netscape implemented data tainting for JavaScript in Netscape Navigator 3. [9] However, since support was considered experimental, it shipped disabled (requiring user intervention to activate) and required page authors to modify scripts to benefit from it. Other browser vendors never implemented the functionality.

References

  1. "perlsec - Perl security". Perl 5 development team. Retrieved 2012-05-20.
  2. Programming Ruby: The Pragmatic Programmer's Guide. Addison Wesley Longman. 2001. p. 253 (Ch. 20).
  3. WSO2 Inc. "Ballerina - Taint Checking". ballerina.io. Retrieved 2022-02-15.
  4. A. Sabelfeld and A. C. Myers. "Language-based information-flow security". IEEE Journal on Selected Areas in Communications, 2003.
  5. J. Ligatti, L. Bauer, D. Walker. "Edit automata: Enforcement mechanisms for run-time security policies". International Journal of Information Security, 2005.
  6. T. Terauchi and A. Aiken. "Secure information flow as a safety problem". In 12th International Static Analysis Symposium, September 2005.
  7. "DBI - Database independent interface for Perl". Retrieved 2020-08-29.
  8. "perlhist - the Perl history records". Perl 5 development team. Retrieved 2020-08-29.
  9. Flanagan, David (1997). JavaScript: The Definitive Guide (2nd ed.). O'Reilly & Associates. p. 321. ISBN 9781565922341. "[...] the data-tainting security model is experimental in Navigator 3.0, and is not enabled by default. It is expected to be the default security model in version 4.0 of Navigator, however."