Revisions compared: 2008/07/06 23:04 (wietse) and 2012/08/03 07:12 (laruence)
====== Taint support for PHP ======
  * **Author:** Wietse Venema (wietse@porcupine.org) \\ IBM T.J. Watson Research Center \\ Hawthorne, NY, USA
  * **Version:**
  * **Source code:** [[ftp://
  * **Win32 binaries:** [[ftp://
  * **Mailing list:** [[http://
  * **Miscellaneous:**
  * **Status:** In the works
===== Introduction =====
At this point I can either leave taint support turned on as a safety net in case someone introduces new mistakes into the PHP script, or I can disable taint support altogether. The run-time performance will not differ measurably, as long as the application does not trigger any alarms.
===== Introducing multiple flavors of taint =====
To encourage programmers to use the RIGHT conversion function, I have implemented multiple flavors of taint. Each time data enters a PHP application from the web, from a database or from elsewhere, it may be "
In the case of the buggy example program, data is marked as "
The table below summarizes a number of taint flavors: it shows where a specific flavor may be added to data, where its presence may raise warnings, and how you get rid of the taint flavor. Please ignore the ugly TC_XXX names for now. That's low-level stuff that still needs to be hidden behind a user interface.
The TC_SELF flavor is different from the other flavors. Instead of code injection, its purpose is to detect opportunities to hijack control over the PHP application itself. Currently, there is no conversion function that makes all data safe as input for "
===== What has been implemented so far =====
I have built taint support with the following server APIs: cli, cgi; apache1, apache2 and apache2filter plug-in; and with the following extensions: mysqli, mysql and mbstring. Other server APIs and extensions will follow as time permits.
What about the other extensions? The other extensions will work just fine as long as you leave "
Extensions that haven'
===== Using taint support with real PHP applications =====
Taint support is implemented with some of the unused bits in the zval data structure. The zval is the PHP equivalent of a memory cell. Besides a type (string, integer, etc.) and value, each zval has a reference count and a flag that says whether the zval is a reference to yet another zval that contains the actual value.
Right now I am using eight bits, but there is room for more: 32-bit UNIX compilers such as GCC add 16 bits of padding to the current zval data structure, and this amount of padding isn't going to be smaller on 64-bit architectures;
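The following C program is an added example, not code from Wietse Venema's taint patch or from the PHP source. It models two points made above at once: the "multiple flavors of taint" idea (data entering from the web is tainted in every flavor, each conversion function clears only the flavor it makes safe, and a sink alarms when its own flavor is still set) and the zval-layout point (a taint byte appended to a PHP 5-style zval fits in the trailing padding, so the struct does not grow). Of the flavor names only TC_SELF appears on this page; TC_HTML and TC_SQL, every function name, and the sample input are assumptions made for illustration.

```c
/*
 * Added example (not the taint patch's own code): per-flavor taint bits
 * stored in a zval-like struct. TC_HTML/TC_SQL and all function names are
 * assumed for illustration; only TC_SELF is named on the original page.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One bit per taint flavor. Eight such bits fit in the padding discussed above. */
enum {
    TC_HTML = 1u << 0,  /* assumed name: unsafe to emit into HTML           */
    TC_SQL  = 1u << 1,  /* assumed name: unsafe to splice into an SQL query */
    TC_SELF = 1u << 2,  /* from the text: could hijack the PHP app itself   */
    TC_ALL  = TC_HTML | TC_SQL | TC_SELF
};

/* Layout in the spirit of the PHP 5 zval the text describes: a value union,
 * a reference count, a type byte and an is-reference flag. */
typedef union {
    long   lval;
    double dval;
    struct { char *val; int len; } str;
    void  *ht;
} zvalue_value;

typedef struct { zvalue_value value; uint32_t refcount; uint8_t type; uint8_t is_ref; } zval_plain;
typedef struct { zvalue_value value; uint32_t refcount; uint8_t type; uint8_t is_ref; uint8_t taint; } zval;

/* The taint byte lands in the trailing padding, so the struct size is unchanged. */
static int taint_byte_is_free(void) { return sizeof(zval) == sizeof(zval_plain); }

/* Source: anything arriving from the web starts out tainted in every flavor. */
static void set_from_web(zval *z, char *s) {
    memset(z, 0, sizeof *z);
    z->value.str.val = s;
    z->value.str.len = (int)strlen(s);
    z->refcount = 1;
    z->taint = TC_ALL;
}

/* Sink: return the flavor bits that would raise an alarm here, 0 if clean. */
static unsigned sink_check(const zval *z, unsigned flavor) { return z->taint & flavor; }

/* Conversion functions transform the string AND clear exactly the flavor they
 * make safe. HTML escaping leaves TC_SQL set, which is how the run time catches
 * "right escaping, wrong sink" mistakes. */
static void html_escape(zval *z, char *out, size_t outsz) {   /* models htmlspecialchars() */
    size_t o = 0;
    for (const char *p = z->value.str.val; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#039;"; break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= outsz) break;                  /* truncate rather than overflow */
        memcpy(out + o, rep ? rep : p, n);
        o += n;
    }
    out[o] = '\0';
    z->value.str.val = out;
    z->value.str.len = (int)o;
    z->taint &= ~TC_HTML;
}

static void sql_escape(zval *z, char *out, size_t outsz) {    /* models mysql_real_escape_string() */
    size_t o = 0;
    for (const char *p = z->value.str.val; *p && o + 2 < outsz; p++) {
        if (*p == '\'' || *p == '"' || *p == '\\') out[o++] = '\\';
        out[o++] = *p;
    }
    out[o] = '\0';
    z->value.str.val = out;
    z->value.str.len = (int)o;
    z->taint &= ~TC_SQL;
}

int main(void) {
    char input[] = "<b>x</b>' OR '1'='1";   /* constructed sample request parameter */
    char buf1[128], buf2[128];
    zval z;
    set_from_web(&z, input);
    html_escape(&z, buf1, sizeof buf1);
    printf("after html_escape, SQL sink alarms: %s\n", sink_check(&z, TC_SQL) ? "yes" : "no");
    sql_escape(&z, buf2, sizeof buf2);
    printf("after sql_escape,  SQL sink alarms: %s\n", sink_check(&z, TC_SQL) ? "yes" : "no");
    printf("TC_SELF still set (no converter clears it): %s\n", sink_check(&z, TC_SELF) ? "yes" : "no");
    printf("taint byte fits in zval padding: %s\n", taint_byte_is_free() ? "yes" : "no");
    return 0;
}
```

The essential design choice is that sources set bits, sanitizers clear one bit each, and copies carry the bits along unchanged; a sink only ever asks about its own flavor. That is why an HTML-escaped value still alarms at an SQL sink, and why TC_SELF survives every converter in this model, matching the text's remark that no conversion function makes data safe in that flavor.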
The preliminary configuration user interface is rather low-level, somewhat like MS-DOS file permissions :-( This is good enough for testing and debugging the taint support itself, but I would not want to have wires hanging out of the machine like this forever. The raw bits will need to be encapsulated so that applications can work with meaningful names and abstractions.
rfc/taint.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1