Taint checking

From Wikipedia, the free encyclopedia

Taint checking is a feature in some computer programming languages, such as Perl and Ruby, designed to increase security by preventing malicious users from executing commands on a host computer. Taint checks highlight specific security risks primarily associated with web sites which are attacked using techniques such as SQL injection or buffer overflow attack approaches.

The concept behind taint checking is that any variable that can be modified by an outside user (say, a field on a web form) poses a potential security risk. If that variable is used in an expression that sets a second variable, that second variable is now also suspicious. The taint checking tool proceeds variable by variable until it has a complete list of all variables which are potentially influenced by outside input. If any of these variables is used to execute dangerous commands (such as direct commands to a SQL database or the host computer operating system), the taint checker warns the program it is using a potentially dangerous tainted variable. The computer programmer can then redesign the program to erect a safe wall around the dangerous input.

[edit] Example

The following Perl code is very dangerous, as it presents a large SQL injection vulnerability by not checking the value of $name.

#!/usr/bin/perl
my $name = $cgi->param("name");  # Get the name from the browser
...
$dbh->TaintIn = 1;
$dbh->execute("SELECT * FROM users WHERE name = '$name';"); # Execute a SQL query

If taint checking is turned on, the code would exit with a warning, because a tainted variable is being used in a SQL query. Without taint checking, a user could enter foo'; DROP TABLE users --, thereby running a command that deletes the entire database table. Much safer would be to first make sure that the tainted variable $name is safe by passing it through a regular expression to verify it contains no dangerous commands, before executing the SQL query.

One thing to note is that perls DBI requires you set the TaintIn attribute of your database handle as well as enabling taint mode to check your SQL strings.

[edit] External link


Soft Eng logo This computer language-related article is a stub. You can help Wikipedia by expanding it.
Retrieved from "http://en.wikipedia.org../../../t/a/i/Taint_checking.html"