Abstract
Vulnerabilities in web applications present threats to on-line systems. SQL injection and cross-site scripting attacks are among the most common threats found nowadays. These attacks often result from improper or missing input validation. To help discover such vulnerabilities, popular web scripting languages like Perl, Ruby, PHP, and Python perform taint analysis. Such analysis is often implemented as an execution monitor, where the interpreter needs to be adapted to provide a taint mode. However, modifying interpreters might be a major task in its own right. In fact, it is very likely that new releases of interpreters will again require adaptation to provide a taint mode. Unlike previous approaches, we show how to provide taint analysis for Python via a library written entirely in Python, thus avoiding modifications to the interpreter. The concepts of classes, decorators and dynamic dispatch make our solution lightweight, easy to use, and particularly neat. With minimal or no effort, the library can be adapted to work with different Python interpreters.
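The abstract describes a taint mode built with nothing but classes, decorators and dynamic dispatch. The following is an added sketch of that idea written for this page; it is not the authors' released library and does not claim to match its API. All names in it (TaintedStr, TaintError, untrusted, sink, cleaner, the taint tags and the sample request) are assumptions constructed here. A str subclass carries taint tags and re-wraps the results of the operations it overrides; one decorator marks untrusted sources, one marks sinks that reject specific tags, and one marks sanitisers that remove a single tag.

```python
import functools
import html

# Taint tags tracked in this illustration (constructed, not from the paper).
TAINTS = frozenset({"SQLI", "XSS"})


class TaintError(Exception):
    """Raised when tainted data reaches a sink that is not protected against it."""


class TaintedStr(str):
    """A str subclass carrying a frozenset of taint tags.

    Existing code keeps treating it as an ordinary string; the overridden
    methods return a TaintedStr again, so taint travels with the data through
    normal dynamic dispatch without any interpreter support.
    """

    def __new__(cls, value, taints=frozenset()):
        obj = super().__new__(cls, value)
        obj.taints = frozenset(taints)
        return obj

    def _propagate(self, result, *others):
        # Union of the taints of every operand; an untainted result is a plain str.
        taints = set(self.taints)
        for other in others:
            taints |= getattr(other, "taints", frozenset())
        return TaintedStr(result, taints) if taints else str(result)

    def __add__(self, other):
        return self._propagate(str.__add__(self, other), other)

    def __radd__(self, other):  # plain_str + tainted
        if not isinstance(other, str):
            return NotImplemented
        return self._propagate(str.__add__(other, self), other)

    def __mod__(self, args):
        operands = args if isinstance(args, tuple) else (args,)
        return self._propagate(str.__mod__(self, args), *operands)

    def __rmod__(self, fmt):  # "plain %s" % tainted
        return self._propagate(str.__mod__(fmt, self))

    def __getitem__(self, key):
        return self._propagate(str.__getitem__(self, key))

    def replace(self, old, new, count=-1):
        return self._propagate(str.replace(self, old, new, count), new)

    def strip(self, chars=None):
        return self._propagate(str.strip(self, chars))

    def upper(self):
        return self._propagate(str.upper(self))


def untrusted(func):
    """Source decorator: every str the function returns is tainted with all tags."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        result = func(*args, **kwargs)
        return TaintedStr(result, TAINTS) if isinstance(result, str) else result
    return wrapper


def sink(*tags):
    """Sink decorator: reject any argument still carrying one of the given tags."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            for value in (*args, *kwargs.values()):
                bad = getattr(value, "taints", frozenset()) & set(tags)
                if bad:
                    raise TaintError(f"{func.__name__} got data tainted with {sorted(bad)}")
            return func(*args, **kwargs)
        return wrapper
    return decorator


def cleaner(tag):
    """Sanitiser decorator: the result is trusted for `tag` only; other tags remain."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(value, *args, **kwargs):
            result = func(value, *args, **kwargs)
            remaining = getattr(value, "taints", frozenset()) - {tag}
            return TaintedStr(result, remaining) if remaining else str(result)
        return wrapper
    return decorator


@untrusted
def get_param(request, name):
    """Constructed stand-in for reading a query parameter."""
    return request[name]


@sink("SQLI")
def run_query(sql):
    return f"executed: {sql}"  # constructed stand-in for a database call


@sink("XSS")
def render(page):
    return f"rendered: {page}"  # constructed stand-in for writing a response


@cleaner("XSS")
def html_escape(s):
    return html.escape(s)


@cleaner("SQLI")
def quote_literal(s):
    return "'" + str(s).replace("'", "''") + "'"


def demo():
    """Run untrusted input through both sinks, raw and cleaned; return the outcomes."""
    request = {"user": "o'brien", "comment": "<b>hi</b>"}  # constructed input
    outcomes = {}
    user = get_param(request, "user")
    try:
        run_query("SELECT * FROM users WHERE name = " + user)
        outcomes["raw_sql"] = "allowed"
    except TaintError:
        outcomes["raw_sql"] = "blocked"
    outcomes["clean_sql"] = run_query("SELECT * FROM users WHERE name = " + quote_literal(user))
    comment = get_param(request, "comment")
    try:
        render("<p>" + comment.strip() + "</p>")
        outcomes["raw_html"] = "allowed"
    except TaintError:
        outcomes["raw_html"] = "blocked"
    # html_escape removes only the XSS tag, so the SQLI tag survives but the XSS sink accepts it.
    outcomes["clean_html"] = render("<p>" + html_escape(comment) + "</p>")
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Because the wrapper is a str subclass, the concatenations in `demo` keep their taint even when the tainted value is the right-hand operand, and `html.escape` from the standard library propagates it through its `replace` calls without knowing about the library at all. The sketch only covers the methods it overrides: an f-string or `"{}".format(tainted)` on a plain format string produces a plain str, which is exactly the kind of gap a library-based taint mode has to enumerate and close method by method.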
© 2012 Springer-Verlag Berlin Heidelberg
Conti, J.J., Russo, A. (2012). A Taint Mode for Python via a Library. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_15
DOI: https://doi.org/10.1007/978-3-642-27937-9_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27936-2
Online ISBN: 978-3-642-27937-9