A Taint Mode for Python via a Library

Vulnerabilities in web applications threaten on-line systems. SQL injection and cross-site scripting are among the most common attacks found today, and they are often the result of improper or missing input validation. To help discover such vulnerabilities, popular web scripting languages like Perl, Ruby, PHP, and Python support taint analysis. Such analysis is usually implemented as an execution monitor, which means the interpreter has to be adapted to provide a taint mode. Modifying an interpreter, however, can be a major task in its own right, and it is very likely that each new release of the interpreter has to be adapted again. Unlike previous approaches, we show how to provide taint analysis for Python via a library written entirely in Python, thereby avoiding any modification of the interpreter. The concepts of classes, decorators and dynamic dispatch make our solution lightweight, easy to use, and particularly neat. With minimal or no effort, the library can be adapted to work with different Python interpreters.
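
The abstract names the three mechanisms the library relies on: a class to carry taint, decorators to mark sources, sanitizers and sinks, and dynamic dispatch so that ordinary string operations propagate the taint without interpreter support. The following is an added example written for this page, not the paper's library: the names TaintedString, untrusted, cleaner and sensitive, and the constructed request data, are assumptions made for the illustration. It targets Python 3 and shows the SQL injection case from the abstract being stopped at the sink, then passing once a cleaner sits on the path.

```python
# Added example, not the paper's library. Names (TaintedString, untrusted,
# cleaner, sensitive) and the sample request data are assumptions.
import functools

class TaintError(Exception):
    """Raised when tainted data reaches a sensitive sink."""

class TaintedString(str):
    """A str carrying a frozenset of tags naming the sources that tainted it."""
    def __new__(cls, value, taints=()):
        obj = super().__new__(cls, value)
        obj.taints = frozenset(taints)
        return obj

    def __radd__(self, other):        # "literal" + tainted
        return TaintedString(str.__add__(other, self), self.taints)

    def __rmod__(self, other):        # "%s" % tainted
        return TaintedString(str.__mod__(other, self), self.taints)

def _propagating(name):
    """Wrap str.<name> so taint flows from receiver and arguments to results."""
    method = getattr(str, name)
    def wrapper(self, *args, **kwargs):
        result = method(self, *args, **kwargs)
        taints = self.taints
        for arg in args:
            for item in (arg if isinstance(arg, (list, tuple)) else (arg,)):
                if isinstance(item, TaintedString):
                    taints |= item.taints
        if isinstance(result, str):
            return TaintedString(result, taints)
        if isinstance(result, (list, tuple)):      # e.g. split()
            return type(result)(TaintedString(r, taints) for r in result)
        return result                              # NotImplemented, int, ...
    return wrapper

# Dynamic dispatch does the propagation: replacing the methods on the subclass
# is enough, because Python resolves them on the runtime type of the operand.
for _name in ("__add__", "__mod__", "__getitem__", "upper", "lower", "strip",
              "replace", "split", "join", "format"):
    setattr(TaintedString, _name, _propagating(_name))

def untrusted(func):          # source: string results are tagged with func's name
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        result = func(*args, **kwargs)
        return TaintedString(result, {func.__name__}) if isinstance(result, str) else result
    return wrapper

def cleaner(func):            # sanitizer: the result is trusted and loses its taint
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        result = func(*args, **kwargs)
        return str(result) if isinstance(result, TaintedString) else result
    return wrapper

def sensitive(func):          # sink: refuse to run on tainted string arguments
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        for arg in (*args, *kwargs.values()):
            if isinstance(arg, TaintedString) and arg.taints:
                raise TaintError(f"{func.__name__} got data tainted by {sorted(arg.taints)}")
        return func(*args, **kwargs)
    return wrapper

def is_tainted(value):
    return isinstance(value, TaintedString) and bool(value.taints)

REQUEST_PARAMS = {"user": "bob' OR '1'='1"}   # constructed request parameters

@untrusted
def get_param(name):          # source: request data is attacker-controlled
    return REQUEST_PARAMS[name]

@cleaner
def escape_quotes(value):     # toy sanitizer; real code should use query parameters
    return value.replace("'", "''")

@sensitive
def run_query(sql):           # sink: stands in for cursor.execute()
    return sql

def build_query(username):
    return "SELECT * FROM users WHERE name = '" + username + "'"

def lookup_user():            # vulnerable flow: request data straight into SQL
    return run_query(build_query(get_param("user")))

def safe_lookup_user():       # same flow with the cleaner on the path
    return run_query(build_query(escape_quotes(get_param("user"))))

def is_blocked(thunk):        # True when the taint mode stops thunk() at a sink
    try:
        thunk()
    except TaintError:
        return True
    return False
```

Two caveats a practitioner should keep in mind with any library-only taint mode of this shape. First, taint survives only when a tainted string is the receiver or a direct operand of a hooked method: `"-".join([t])`, `"{}".format(t)` on a plain template, and f-strings all run untouched str code and hand back a plain str, so the sink never sees the tag. Second, `cleaner` is a declaration of trust, not a proof: nothing checks that the sanitizer actually neutralises the data for the sink it feeds, and, like taint analysis in general, the library does not track implicit flows through control dependencies.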