Posted on August 25, 1998 at 10:59:32 PM Central.

Data Tainting in Frontier

This is only a suggestion. I'm not trying to tell anyone what to do.

Many people are probably familiar with Java-style sandboxes, which would probably be a valuable addition to Frontier. But I don't think that sandboxes would have prevented the recent Frontier security bug, while tainting probably would have.

Data tainting is a simple idea: Every piece of data carries a taint bit indicating whether it is tainted or not. If a piece of data is "tainted", that means that it originated outside Frontier and can't be trusted to be correct. Most operations that take a tainted piece of data as input returns a tainted piece of data as output. The output of certain verbs is tainted by default, for example tcp.readStream (since the data comes from outside Frontier, it must be assumed tainted). Certain verbs like evaluate () thow an error if their input is tainted. That's it.

Tanting provides security by alerting scripters to possible bugs and security problems caused by relying on information provided by a (possibly hostile) user. Perl supports tainting and it is often used in a CGI environment. Perl allows a scripter to explicitly untaint a piece of data, but, like casts in strongly-typed languages, any occurrance of untaint () flags a possible bug. Tainting can be combined with sandboxes, particularly to prevent sandboxed code from calling untaint () and thus subverting the security. Any code should be allowed to taint () any data, since that can only increase security.

The implementation of tainting in Frontier wouldn't be easy, but I think it is an idea that deserves discussion.

The CGI/Perl Taint Mode FAQ provides details on how tainting is implemented in Perl.

This was originally posted to the Script Meridian Community mailing list.

Valid HTML 4.0! This page was last built on April 17, 1999 at 6:27:14 PM, with Frontier 6.0b5.
© copyright 1998-1999 Wesley Felter; see the full copyright notice. Validate this page.