Friday, December 12, 2008

PHP Taint Tool: It Ain't a Parser

Luke Welling introduced a tool he is working on at OmniTI that is designed to help find where potentially untrusted input is handled.

http://assets.en.oreilly.com/1/event/12/PHP%20Taint%20Tool_%20It%20Ain%27t%20a%20Parser%20Paper.pdf

Essentially, the tool uses parts of the PHP engine to compile PHP code to opcodes, then tracks where data comes from and goes to, and highlights the code that handles data that *could* be tainted--that is, input from the user via POST or GET parameters. This gives a developer a way to identify the lines they should review closely to make sure they are not accidentally introducing security holes (like cross-site scripting opportunities).
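As an added illustration (not the OmniTI tool's code, which has not been released), here is a toy Python model of the forward taint propagation described above, run over a constructed opcode-like sequence; the op names, the sanitizer list and the sample program are all assumptions made for this example:

```python
"""Toy forward taint propagation over a tiny opcode-like IR (constructed
example, not the OmniTI tool). Each instruction is (line, kind, dest, args).
Fetches from $_GET/$_POST are taint sources, ECHO is the sink, and a call to
a known sanitizer clears taint. Straight-line code only: branches and loops
are not modelled."""
from dataclasses import dataclass
from typing import Optional, Tuple, List

SOURCES = {"_GET", "_POST"}                    # superglobals carrying user input
SANITIZERS = {"htmlspecialchars", "intval"}   # assumed escaping/filter calls


@dataclass
class Op:
    line: int
    kind: str             # FETCH, ASSIGN, CONCAT, CALL or ECHO
    dest: Optional[str]   # variable written, None for ECHO
    args: tuple           # operands: variables, literals, array/function names


def analyze(ops: List[Op]) -> Tuple[List[int], List[int]]:
    """Return (touched, unsafe): lines that handle possibly tainted data, and
    lines where tainted data reaches the ECHO sink without being sanitized."""
    tainted = set()
    touched, unsafe = [], []
    for op in ops:
        if op.kind == "FETCH":                         # $x = $_GET['k']
            src_tainted = op.args[0] in SOURCES
        elif op.kind in ("ASSIGN", "CONCAT"):          # result carries any arg's taint
            src_tainted = any(a in tainted for a in op.args)
        elif op.kind == "CALL":                        # args[0] is the function name
            arg_tainted = any(a in tainted for a in op.args[1:])
            src_tainted = arg_tainted and op.args[0] not in SANITIZERS
        elif op.kind == "ECHO":
            src_tainted = False
            if any(a in tainted for a in op.args):
                unsafe.append(op.line)
        else:
            raise ValueError(f"unknown op {op.kind}")
        if op.dest is not None:                        # propagate or clear taint
            (tainted.add if src_tainted else tainted.discard)(op.dest)
        if op.dest in tainted or any(a in tainted for a in op.args):
            touched.append(op.line)
    return touched, unsafe


# Constructed sample: echoing $greet and $upper is unsafe, echoing $safe is fine.
SAMPLE = [
    Op(1, "FETCH", "$name", ("_GET", "name")),
    Op(2, "CONCAT", "$greet", ("'Hello '", "$name")),
    Op(3, "ECHO", None, ("$greet",)),
    Op(4, "CALL", "$safe", ("htmlspecialchars", "$name")),
    Op(5, "ECHO", None, ("$safe",)),
    Op(6, "CALL", "$upper", ("strtoupper", "$name")),
    Op(7, "ECHO", None, ("$upper",)),
]
```

Running `analyze(SAMPLE)` flags lines 3 and 7 as unsanitized sinks and lists every line that touched tainted data, which is the review list the post describes.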

Now, it's not quite ready for prime time, but it's getting close, and the folks over at OmniTI intend to release it as open source when they are ready. When this gets released I'll be really excited, as it looks like it could be really good for hunting down security holes.

I think taint mode combined with the filter extension could change the way PHP applications are being written in a drastic way. Ever since PHP 5, PHP has only become more elegant as a language. This new proposal would actually enforce good practices and place a focus on security. Some PHP developers out there don’t care about security. Fine, they don’t have to use it. But some do, some make efforts to make their applications secure. Having taint mode would help these people catch that one place they forgot to escape a value. While it won’t assure that the application is completely secure, it will at least give a certain confidence level that most of it is safe.
