Taint checking is a feature in some

computer programming Computer programming is the process of performing a particular computation (or more generally, accomplishing a specific computing result), usually by designing and building an executable computer program. Programming involves tasks such as anal ...

languages, such as

Perl Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages. "Perl" refers to Perl 5, but from 2000 to 2019 it also referred to its redesigned "sister language", Perl 6, before the latter's name was offic ...

Ruby A ruby is a pinkish red to blood-red colored gemstone, a variety of the mineral corundum ( aluminium oxide). Ruby is one of the most popular traditional jewelry gems and is very durable. Other varieties of gem-quality corundum are called ...

Ballerina A ballet dancer ( it, ballerina fem.; ''ballerino'' masc.) is a person who practices the art of classical ballet. Both females and males can practice ballet; however, dancers have a strict hierarchy and strict gender roles. They rely on ye ...

designed to increase security by preventing malicious users from executing commands on a host computer. Taint checks highlight specific security risks primarily associated with web sites which are attacked using techniques such as

SQL injection In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL in ...

or buffer overflow attack approaches.

Overview

The concept behind taint checking is that any variable that can be modified by an outside user (for example a variable set by a field in a

web form A webform, web form or HTML form on a web page allows a user to enter data that is sent to a server for processing. Forms can resemble paper or database forms because web users fill out the forms using checkboxes, radio buttons, or text fields. ...

) poses a potential security risk. If that

variable Variable may refer to: * Variable (computer science), a symbolic name associated with a value and whose associated value may be changed * Variable (mathematics), a symbol that represents a quantity in a mathematical expression, as used in many ...

is used in an expression that sets a second variable, that second variable is now also suspicious. The taint checking tool can then proceed variable by variable forming a list of variables which are potentially influenced by outside input. If any of these variables is used to execute dangerous commands (such as direct commands to a SQL database or the host computer

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also i ...

), the taint checker warns that the program is using a potentially dangerous tainted variable. The computer programmer can then redesign the program to erect a safe wall around the dangerous input. Taint checking may be viewed as a conservative approximation of the full verification of non-interference or the more general concept of secure information flow. Because information flow in a system cannot be verified by examining a single execution trace of that system, the results of taint analysis will necessarily reflect approximate information regarding the information flow characteristics of the system to which it is applied.

Example

The following dangerous

code opens a large

vulnerability by not checking the value of the $name variable: #!/usr/bin/perl my $name = $cgi->param("name"); # Get the name from the browser ... $dbh-> = 1; $dbh->execute("SELECT * FROM users WHERE name = '$name';"); # Execute an SQL query If taint checking is turned on, Perl would refuse to run the command and exit with an error message, because a tainted variable is being used in a SQL query. Without taint checking, a user could enter foo'; DROP TABLE users --, thereby running a command that deletes the entire database table. Much safer would be to encode the tainted value of $name to a SQL

string literal A string literal or anonymous string is a string value in the source code of a computer program. Modern programming languages commonly use a quoted sequence of characters, formally " bracketed delimiters", as in x = "foo", where "foo" is a string ...

and use the result in the SQL query, guaranteeing that no dangerous command embedded in $name will be evaluated. Another way to achieve that is to use a prepared statement to sanitize all variable input for a query. One thing to note is that Perl DBI requires one to set the TaintIn attribute of a database handle ''as well as'' enabling taint mode to check one's SQL strings.

History

Perl supported tainting in setuid scripts from at least version 3.0 (released in 1989), though it was not until version 5.0 (released in 1994) that the -T switch was introduced integrating tainting into a single runtime. In 1996, Netscape implemented data tainting for

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of websites use JavaScript on the client side for webpage behavior, of ...

in Netscape Navigator 3. However, since support was considered experimental, it shipped disabled (requiring user intervention to activate) and required page authors to modify scripts to benefit from it. Other browser vendors never implemented the functionality.

References

External links

Guidelines from the W3C about taint-checking CGI scripts
- Perl security documentation {{DEFAULTSORT:Taint Checking Static program analysis Computer programming