Trust No Input: Taint Analysis at Compile Time

Transcript

1. Trust No Input Taint Analysis at Compile Time Matteo Di

   Pirro Kynetics, Inc

2. • Principal Software Engineer @ Kynetics Inc • DevOps +

   application software ◦ Embedded ◦ Cloud • Been writing Scala code for ~ 5 years • Academic major on programming languages and type systems

3. IBM’s 2025 Cost of a Data Breach Report estimated the

   global average cost of a data breach is $4.44 million

4. Data vulnerabilities are expensive to fix after release Data vulnerabilities

   are difficult to find Aliases Multiple inputs Proximity

5. The purpose of taint analysis is to track data flows

   of interest throughout the program to ensure they’re properly handled.

6. 1. apiKey = readApiKeyFromSecretFile(); 2. apiClient = new Client(apiKey); 3.

   4. logger.debug(“Created new client with API key: “, apiKey);

7. 1. pathToFile = readUserInput(); 2. 3. File.delete(pathToFile); // Absolute paths!!

8. Source Sanitiser Sink

9. None

10. X Static Taint Analysis is undecidable! ◦ Cannot exclude false

    positives and false negatives at the same time ◦ Approximation based on assumptions • Usually based on call graphs for efficiency ✓ Comprehensive coverage

11. • Dynamic taint analysis instruments the code ✓ Can flag

    vulnerabilities in real-time • Useful when the code is not available ◦ Malwares ◦ Binaries X Might take a long time to complete X Only inspects paths triggered by the input
12. None

13. If the program is well-typed (~ compiles), no unsanitised values

    are used in security-sensitive contexts

14. • Three Taint levels ◦ Tainted, Sanitised, Pure • Use

    Tainted values only after sanitisation • Taint propagation ◦ Tainted always wins ◦ Sanitised dominates over Pure ◦ Pure remains so only if combined with itself

15. 1. enum TaintLevel: 2. case Pure, Sanitised, Tainted 3. 4.

    type TaintPropagation[P0 <: TaintLevel, P1 <: TaintLevel] <: TaintLevel = (P0, P1) match 5. case (TaintLevel.Tainted.type, _) => TaintLevel.Tainted.type 6. case (_, TaintLevel.Tainted.type) => TaintLevel.Tainted.type 7. case (TaintLevel.Sanitised.type, _) => TaintLevel.Sanitised.type 8. case (_, TaintLevel.Sanitised.type) => TaintLevel.Sanitised.type 9. case (TaintLevel.Pure.type, TaintLevel.Pure.type) => TaintLevel.Pure.type 10. 11. // TaintPropagation[TaintLevel.Tainted.type, TaintLevel.Pure.type] => TaintLevel.Tainted.type 12. // TaintPropagation[TaintLevel.Pure.type, TaintLevel.Sanitised.type] => TaintLevel.Sanitised.type

16. 1. enum TaintLevel: 2. case Pure, Sanitised, Tainted 3. 4.

    type TaintPropagation[P0 <: TaintLevel, P1 <: TaintLevel] <: TaintLevel = (P0, P1) match 5. case (TaintLevel.Tainted.type, _) => TaintLevel.Tainted.type 6. case (_, TaintLevel.Tainted.type) => TaintLevel.Tainted.type 7. case (TaintLevel.Sanitised.type, _) => TaintLevel.Sanitised.type 8. case (_, TaintLevel.Sanitised.type) => TaintLevel.Sanitised.type 9. case (TaintLevel.Pure.type, TaintLevel.Pure.type) => TaintLevel.Pure.type 10. 11. // TaintPropagation[TaintLevel.Tainted.type, TaintLevel.Pure.type] => TaintLevel.Tainted.type 12. // TaintPropagation[TaintLevel.Pure.type, TaintLevel.Sanitised.type] => TaintLevel.Sanitised.type

17. 1. class TaintTracked[P <: TaintLevel, +A] private(computeValue: () => A):

    2. 3. private lazy val value = computeValue() 4. 5. def flatMap[P1 <: TaintLevel, B](f: A => TaintTracked[P1, B]): 6. TaintTracked [TaintPropagation [P, P1], B] { 7. val result = f(value) 8. new TaintTracked(() => result.value) 9. } 10. 11. object TaintTracked: 12. 13. def apply[A](a: => A): TaintTracked [TaintLevel.Tainted.type, A] = new TaintTracked(() => a) 14. 15. def unsafe[A](a: => A): TaintTracked [TaintLevel.Pure.type, A] = new TaintTracked(() => a)

18. 1. class TaintTracked[P <: TaintLevel, +A] private(computeValue: () => A):

    2. 3. private lazy val value = computeValue() 4. 5. def flatMap[P1 <: TaintLevel, B](f: A => TaintTracked[P1, B]): 6. TaintTracked [TaintPropagation [P, P1], B] { 7. val result = f(value) 8. new TaintTracked(() => result.value) 9. } 10. 11. object TaintTracked: 12. 13. def apply[A](a: => A): TaintTracked [TaintLevel.Tainted.type, A] = new TaintTracked(() => a) 14. 15. def unsafe[A](a: => A): TaintTracked [TaintLevel.Pure.type, A] = new TaintTracked(() => a)

19. 1. class TaintTracked[P <: TaintLevel, +A] private(computeValue: () => A):

    2. 3. private lazy val value = computeValue() 4. 5. def flatMap[P1 <: TaintLevel, B](f: A => TaintTracked[P1, B]): 6. TaintTracked [TaintPropagation [P, P1], B] { 7. val result = f(value) 8. new TaintTracked(() => result.value) 9. } 10. 11. object TaintTracked: 12. 13. def apply[A](a: => A): TaintTracked [TaintLevel.Tainted.type, A] = new TaintTracked(() => a) 14. 15. def unsafe[A](a: => A): TaintTracked [TaintLevel.Pure.type, A] = new TaintTracked(() => a)

20. 1. object TaintTracked: 2. type Sanitised[E, A] = Either[E, TaintTracked

    [TaintLevel.Sanitised.type, A]] 3. 4. class TaintTracked[P <: TaintLevel, +A] private(computeValue: () => A): 5. import TaintTracked.Sanitised 6. 7. private lazy val value = computeValue() 8. 9. def sanitise[E, B](s: A => Either[E, B]): Sanitised[E, B] = 10. val result = s(value) 11. result.map(r => new TaintTracked(() => r)) sanitise() introduces an error type (E) and forces taint label to Sanitised

21. 1. object TaintTracked: 2. type Sanitised[E, A] = Either[E, TaintTracked

    [TaintLevel.Sanitised.type, A]] 3. 4. class TaintTracked[P <: TaintLevel, +A] private(computeValue: () => A): 5. import TaintTracked.Sanitised 6. 7. private lazy val value = computeValue() 8. 9. def sanitise[E, B](s: A => Either[E, B]): Sanitised[E, B] = 10. val result = s(value) 11. result.map(r => new TaintTracked(() => r)) sanitise() introduces an error type (E) and forces taint label to Sanitised

22. 1. trait CanOpen[P <: TaintLevel] 2. 3. object CanOpen: 4.

    given CanOpen[TaintLevel.Pure.type] with {} 5. 6. given CanOpen[TaintLevel.Sanitised.type] with {} 7. 8. class TaintTracked[P <: TaintLevel, +A] private(computeValue: () => A): 9. 10. private lazy val value = computeValue() 11. 12. def open(using CanOpen[P]): A = value Compilation error if open() gets called with a Tainted value

23. 1. trait CanOpen[P <: TaintLevel] 2. 3. object CanOpen: 4.

    given CanOpen[TaintLevel.Pure.type] with {} 5. 6. given CanOpen[TaintLevel.Sanitised.type] with {} 7. 8. class TaintTracked[P <: TaintLevel, +A] private(computeValue: () => A): 9. 10. private lazy val value = computeValue() 11. 12. def open(using CanOpen[P]): A = value Compilation error if open() gets called with a Tainted value

24. • Web application to add widgets to a database •

    Users can input name and price for the widget • A vulnerability in the code allows HTML Injection • TaintTracked to verify Tainted values are not stored in the DB

25. The problem with language-based security is that it depends on

    programming languages

26. 1. public interface TaintLevel {} 2. public interface CanOpen {}

    3. public record Tainted() implements TaintLevel {} 4. public record Sanitised() implements TaintLevel, CanOpen {} 5. public record Pure() implements TaintLevel, CanOpen {} 6. 7. public final class TaintTracked<T extends TaintLevel, A> { 8. private final T taintLevel; 9. private final Supplier<A> valueSupplier; 10. 11. public A open() { 12. if (!(taintLevel instanceof CanOpen)) { 13. throw new SecurityException( "Cannot open tainted value" ); 14. } 15. return valueSupplier. get(); 16. } 17. }
27. None

28. Security is a team effort Pick tools or languages your

    team is familiar with whenever possible!

29. Matteo Di Pirro [email protected] VCard Code Security must be designed

    in from the very beginning. Chris Wysopal
30. None