Page 5 - Cyber Warnings
P. 5
What is Taint Checking?
by Laurel Stewart, Director of Marketing, GrammaTech
Introduction:
Taint checking? This isn't a trap, I promise. It sounds vulgar, but its etymology is perfectly
reasonable, stemming from the notion that data that has been "tainted" by a malicious user (and
could be used to breach your system) is a dangerous vulnerability in code and needs to be
found and eliminated.
Wikipedia actually has a pretty clear definition of taint checking:
"Taint checks highlight specific security risks primarily associated with web sites which
are attacked using techniques such as SQL injection or buffer overflow attack
approaches."
I'm assuming that those in the security auditing world of the 2016 cyber-security landscape have
likely moved past and become immune to the chuckles of this unfortunately-named technical
term. But for the rest of us, I thought I might provide a clear overview, so you can start
addressing this extremely-important concept with confidence in the boardroom. Ready?
Taint Sources and a Program's Attack Surface
So let's go back to that definition from wikipedia. It's not bad, although its focus on websites is a
little misleading, given that most embedded devices are now connected to the internet, so the
security risks are much broader in scope.
When security analysts determine the safety of a given system, they look at a program’s attack
surface, which is defined by the places in the program that are exposed to an attacker. When
we look at tainted data, this is essentially what we’re talking about — sources of taint
correspond closely to the program’s attack surface. Taint sources are locations in the program
where data is being read from a potentially risky source, and include things like environment
variables, data, files, file metadata (such as a file’s permissions or data stamps), the network or
information bus, the system clock, or network services (such as the results of a DNS query).
An attacker can use these unverified channels to trigger security vulnerabilities or cause
programs to crash. Many different types of issues can be triggered by tainted data. In addition to
the few that Wikipedia mentioned above, these issues include command injections, cross-site
scripting, arithmetic overflow, or path traversal. (For a technical deep-dive into a buffer overrun
vulnerability, I highly recommend the whitepaper Protecting Against Tainted Data in Embedded
Apps with Static Analysis, written by our VP of Engineering, Paul Anderson.)
So how does this relate back to static analysis?
5 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide