Page 58 - Cyber Warnings
P. 58
Turning a Vulnerability into an Attack with Tainted Data
A vulnerability is a software bug that has the potential to crash a system, expose data, execute
injected code, or open the door to other unwanted outcomes.
Vulnerabilities become serious security threats when there is a path to exploit it from the attack
surface of the device (i.e. a tainted data source).
Below is a straightforward example that illustrates how reading system environment variables
can be risky:
void config(void)
{
char buf[100];
int count;
...
strcpy(buf, getenv(“CONFIG”));
...
}
In this example, input from outside the system is made with getenv() to retrieve the contents of
the environment variable CONFIG. This seems innocuous at first, since the assumption is that
any reasonable environment variable would be less than one hundred characters, right? Wrong.
Creating a malformed input in this case could have disastrous effects -- from crashing the
system to arbitrary code execution due to a buffer overflow in strcpy().
The tainted data source in this case is the getenv() call and the sink is the strcpy() function.
Now, this is a simple example. In more complex cases, the source and sink can be in different
source files with complex inter-procedural dataflow between them.
A dataflow from tainted data source to vulnerability (sink) is a serious security threat and
underlies the need for dataflow analysis as part of a security static analysis tool.
Finding these dataflows manually is very time consuming, so an automated approach is
needed.
Automated Tainted Data Analysis
Tainted data dataflow is discovered via internal representations of the code made during static
analysis.
Advanced tools like CodeSonar create internal models of the code that describe syntax, control-
flow, and dataflow; checkers are created that make use of these representations.
58 Cyber Warnings E-Magazine – September 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
