TAINT-TODO
taint C API:
    PyString_FromStringAndSizeT(char *s, int len, PyObject *taint)
    PyString_ExportCheck(PyObject *s, PyObject *outport)
        0 for OK, -1 for exception

Python API:
    s = "abc"
    s.taint(taint_object)
    s.__taint__ returns taint_object

    f = open("/etc/passwd", "r")
    f.set_taint(taint_object)
    f.readline().__taint__ returns taint_object

    s = socket...
    s.set_taint(taint_object)
    s.recv(512).__taint__ returns taint_object

taint_object methods:
    merge(self, other_taint_object)
        should return new taint object
    export_check(self, export_object)
        check if OK to send via export_object (file, socket)
        return None if ok; throw exception if not
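
Added example (not part of these notes or the project's code): a pure-Python 3 model of the Python API and taint_object methods sketched above, with a str subclass standing in for the patched string type. The label/allowed-channel policy inside Taint, the copy-returning taint(), and the names TStr, Channel, checked_write and ExportDenied are assumptions made for illustration.

```python
import io

class ExportDenied(Exception):
    """Raised when tainted data may not leave on a channel."""

class Taint:
    """Assumed policy: labels plus the channel names allowed to carry them."""
    def __init__(self, labels, allowed=()):
        self.labels, self.allowed = frozenset(labels), frozenset(allowed)

    def merge(self, other):
        # New taint object: union of labels, intersection of allowed channels.
        return Taint(self.labels | other.labels, self.allowed & other.allowed)

    def export_check(self, export_object):
        # Returns None if OK to send via export_object; raises if not.
        name = getattr(export_object, "name", None)
        if name not in self.allowed:
            raise ExportDenied("%s blocked on %r" % (sorted(self.labels), name))

class TStr(str):
    """Stand-in for the patched string type; __taint__ is None if untainted."""
    __taint__ = None

    def taint(self, taint_object):
        out = TStr(self)  # assumption: return a tainted copy (str is immutable)
        out.__taint__ = taint_object
        return out

    def _join(self, text, other):
        a, b = self.__taint__, getattr(other, "__taint__", None)
        return TStr(text).taint(a.merge(b) if (a and b) else (a or b))

    def __add__(self, other):   # self + other
        return self._join(str.__add__(self, other), other)

    def __radd__(self, other):  # plain_str + self
        return self._join(str.__add__(other, self), other)

class Channel(io.StringIO):
    """Constructed in-memory sink with a name, standing in for a file/socket."""
    def __init__(self, name):
        super().__init__()
        self.name = name

def checked_write(out, s):
    """Output-boundary check, modelled on PyString_ExportCheck's role."""
    if getattr(s, "__taint__", None) is not None:
        s.__taint__.export_check(out)
    return out.write(s)
```

Taint survives concatenation with untainted text on either side, and a write to a channel the merged taint does not allow raises before any bytes reach the sink.
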

things where it might be worth adding taint:
    propagation
        PyString_Format()
        stringlib/string_format.h
        marshalling
        sock_recv_into, sock_recvfrom_into
    objects
        PyUnicode
        PyBuffer
        PyByteArray

covert channels, likely don't care
    concatenating with an empty string discards the empty string's taint

apps
    eddie's password bug
    sensitive data, diff. classes of data for same user (CC#, SSN, etc)

convert taint into something else at the edges?

taint in Ruby?