Page 57 - Cyber Warnings
P. 57
DON’T TRUST ANY INPUT!
PREVENT VULNERABILITIES FROM BECOMING EXPLOITS WITH TAINTED
DATA ANALYSIS
by Bill Graham, Technical Marketing Consultant, GrammaTech
Introduction:
One of the most common attack vectors is user (or other) input into a system. It's very risky to
assume that input is well-formed, yet people still do, and it is still a common attack vector.
Security vulnerabilities remain “merely” defects in the code unless the conditions required to
trigger the error are present, so the key to a successful attack is to create such conditions.
User input (via UI, terminal access, or other input) is a common way to do this. Tracing the data
flow from source to destination (sink) is a key capability of CodeSonar, using its tainted data
analysis
What is Tainted Data?
Any unchecked and un-sanitized input into a device is considered tainted – security best
practices dictate that all input should be untrusted that comes from outside the limits of the
system.
No assumptions can be made about the correctness of this data when designing and
implementing the system. SQL injection attacks, using malformed input on websites, are a good
example of the risk.
This input, unchecked, can cause the arbitrary execution of SQL within the system, causing
data exposure and/or corruption of the database.
Embedded systems are not immune to this kind of problem even if user input or UI isn't
provided.
Sources of tainted data include all kinds of external input into the system, such as:
Environment variables
File contents
File metadata, such as a file’s permissions or datestamps
The network
Network services, such as the results of a DNS query
The system clock
The location where tainted data is used unchecked is referred to as the tainted data sink, which
could be a well-known dangerous operation like strcpy().
Once an input has been properly checked, it is considered cleansed and no longer tainted.
57 Cyber Warnings E-Magazine – September 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
