Newsgroups: php.internals
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: Stefan Esser <sesser@hardened-php.net>
To: Nuno Lopes
Cc: Stefan Esser, PHP internals
Date: Sun, 18 Nov 2007 14:00:11 +0100
Message-ID: <4740375B.5020706@hardened-php.net>
In-Reply-To: <006101c829d9$5e2f0140$4101a8c0@pc07653>

> Also I don't know how GRASP works, but it's very difficult (if not
> impossible) to provide good analysis..
The difference between GRASP and PHP Taint Mode is that GRASP tracks taintedness on a byte level (it really tracks that e.g. bytes 4, 7 and 8-20 of a variable are tainted and the others are not), and Venema's implementation only tracks on a per-variable level. It is therefore obvious that the GRASP way cannot be made fast and that Venema's implementation will always be faster.

The other difference is that Venema's implementation assumes that functions exist that make a variable safe for usage in SQL, HTML, ... When such a function is used, the variable is marked as not tainted... In the previous mail I showed examples why this is not secure.

GRASP on the other hand hooks the SQL/output functions and parses the SQL query/output and catches tainted bytes in places where they could be dangerous. The only problems here are how slow this is and that the parsers need to be compatible.

Stefan Esser
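As an added illustration (not code from GRASP, Venema's patch or this thread), a small Python model of the two granularities discussed above: one taint flag per character instead of one per variable, and a SQL sink that tokenises the finished query and reports tainted characters that landed outside a string literal. The query prefix, the inputs and the backslash-escape rule are constructed assumptions, not taken from either implementation.

```python
"""Toy model of byte-level taint tracking versus per-variable tracking.

Constructed example: each character carries its own taint flag, string
concatenation propagates the flags, and the SQL sink walks the query to find
tainted characters in structural positions (outside a quoted literal, or a
quote that opens/closes one). The sink's tokenizer assumes MySQL-style
single-quoted literals with backslash escapes; a real deployment must match
the database's actual grammar, which is the compatibility problem noted above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TStr:
    data: str
    taint: tuple  # one bool per character of `data`

    @classmethod
    def trusted(cls, s):       # literal from program source: no taint
        return cls(s, tuple(False for _ in s))

    @classmethod
    def tainted(cls, s):       # data from the request: fully tainted
        return cls(s, tuple(True for _ in s))

    def __add__(self, other):  # concatenation keeps per-character flags
        return TStr(self.data + other.data, self.taint + other.taint)


def per_variable_tainted(q: TStr) -> bool:
    """Per-variable model: the whole query is tainted if any byte is."""
    return any(q.taint)


def tainted_structural_positions(q: TStr) -> list:
    """Byte-level sink check: indices of tainted chars in structural positions."""
    bad, in_literal, i = [], False, 0
    while i < len(q.data):
        ch = q.data[i]
        if in_literal and ch == "\\":   # escaped char is literal data, skip it
            i += 2
            continue
        structural = ch == "'" or not in_literal
        if q.taint[i] and structural:
            bad.append(i)
        if ch == "'":
            in_literal = not in_literal
        i += 1
    return bad


def build_query(user_input: TStr) -> TStr:
    # Constructed query; the untrusted value starts at index 34 of the result.
    return TStr.trusted("SELECT * FROM users WHERE name = '") + user_input + TStr.trusted("'")
```

The per-variable verdict is the same for every query built this way, so it can only be relaxed by an explicit untaint function; the byte-level sink accepts `alice` and the escaped `O\'Brien` but reports the unescaped quote in `O'Brien` and every character after it.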