
A Taint Mode for Python via a Library

  • Conference paper
Information Security Technology for Applications (NordSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7127)

Abstract

Vulnerabilities in web applications present threats to on-line systems. SQL injection and cross-site scripting attacks are among the most common threats found nowadays. These attacks are often the result of improper or missing input validation. To help discover such vulnerabilities, popular web scripting languages like Perl, Ruby, PHP, and Python perform taint analysis. Such analysis is often implemented as an execution monitor, where the interpreter needs to be adapted to provide a taint mode. However, modifying interpreters might be a major task in its own right. In fact, it is very probable that new releases of an interpreter will require the adaptation to be redone in order to keep the taint mode. Differently from previous approaches, we show how to provide taint analysis for Python via a library written entirely in Python, thus avoiding modifications to the interpreter. The concepts of classes, decorators and dynamic dispatch make our solution lightweight, easy to use, and particularly neat. With minimal or no effort, the library can be adapted to work with different Python interpreters.
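As an added illustration of the approach the abstract describes (this is not the paper's library, whose actual API is not on this page), the following Python sketch carries taint in a `str` subclass, relies on dynamic dispatch to propagate it through ordinary string operations, and uses decorators to mark untrusted sources, sanitizers and sensitive sinks. The names `TaintedStr`, `taints_of`, `untrusted`, `cleaner`, `ssink`, `TaintError`, the tags `SQLI`/`XSS` and the request dictionary are all assumptions constructed for the example.

```python
from functools import wraps
# Taint tags, one per vulnerability class a sink may be sensitive to (assumed names).
SQLI, XSS = "SQLI", "XSS"
ALL_TAGS = frozenset({SQLI, XSS})

class TaintError(Exception):
    """Raised when data still carrying a taint tag reaches a sensitive sink."""

class TaintedStr(str):
    """A str carrying a frozenset of taint tags; everything else is inherited from str."""
    def __new__(cls, value, taints=frozenset()):
        obj = super().__new__(cls, value)
        obj.taints = frozenset(taints)
        return obj
    def __radd__(self, other):  # "plain" + tainted: the subclass's reflected method wins
        return _wrap(str.__add__(other, self), _collect(other) | self.taints)

def taints_of(value):
    """Tags carried by a value; a plain str (or any non-str) carries none."""
    return getattr(value, "taints", frozenset())

def _collect(values):
    """Union of the tags carried by a value or by the elements of a list/tuple."""
    if isinstance(values, (list, tuple)):
        return frozenset().union(*(_collect(v) for v in values))
    return taints_of(values)

def _wrap(result, tags):
    """Re-create a str result with exactly `tags`; plain str when there are none."""
    if isinstance(result, str):
        return TaintedStr(str(result), tags) if tags else str(result)
    return result

def _propagating(name):
    """Replacement for str.<name> whose str result inherits the tags of self and args."""
    original = getattr(str, name)
    def method(self, *args, **kwargs):
        tags = taints_of(self) | _collect(list(args) + list(kwargs.values()))
        return _wrap(original(self, *args, **kwargs), tags)
    return method

# Any code calling these on a TaintedStr now propagates taint (dynamic dispatch). f-strings,
# "{}".format(x), "%s" % x and ", ".join([x]) start from a plain str and drop it: a gap to close.
for _name in ("__add__", "__getitem__", "upper", "strip", "replace", "join"):
    setattr(TaintedStr, _name, _propagating(_name))

def untrusted(fn):
    """Source: every str the function returns is tainted with all tags."""
    @wraps(fn)
    def wrapper(*args, **kwargs):
        return _wrap(fn(*args, **kwargs), ALL_TAGS)
    return wrapper

def cleaner(tag):
    """Sanitizer: the result keeps every tag of the arguments except `tag`."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            remaining = _collect(list(args) + list(kwargs.values())) - {tag}
            return _wrap(fn(*args, **kwargs), remaining)
        return wrapper
    return decorate

def ssink(tag):
    """Sensitive sink: refuse any argument that still carries `tag`."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            for value in list(args) + list(kwargs.values()):
                if tag in _collect(value):
                    raise TaintError(f"{fn.__name__}: {str(value)!r} still carries {tag}")
            return fn(*args, **kwargs)
        return wrapper
    return decorate

# Usage on a constructed request; the sink only echoes what it would execute.
REQUEST = {"name": "O'Brien <b>"}

@untrusted
def get_param(request, name):
    return request[name]

@cleaner(SQLI)
def escape_sql(text):
    return text.replace("'", "''")

@ssink(SQLI)
def run_query(sql):
    return "executed: " + str(sql)

def lookup(request, sanitize):
    """Query built from the request; without escape_sql the sink refuses to run it."""
    name = get_param(request, "name")
    if sanitize:
        name = escape_sql(name)
    try:
        return run_query("SELECT * FROM users WHERE name = '" + name + "'")
    except TaintError as err:
        return "blocked: " + str(err)
```

Two things worth noticing when running it: `escape_sql` removes only the `SQLI` tag, so its result still carries `XSS` and would be refused by a sink sensitive to that tag, which is the behaviour one wants from per-vulnerability tags; and the string operations that start from a plain `str` (f-strings, `str.format`, `%` formatting, `join` on a plain separator) never dispatch to the subclass, which is exactly where a library-based taint mode has to do its extra work.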




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Conti, J.J., Russo, A. (2012). A Taint Mode for Python via a Library. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_15


  • DOI: https://doi.org/10.1007/978-3-642-27937-9_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27936-2

  • Online ISBN: 978-3-642-27937-9
