Newsgroups: php.internals
Message-ID: <4740B136.2080207@hardened-php.net>
Date: Sun, 18 Nov 2007 22:40:06 +0100
From: sesser@hardened-php.net (Stefan Esser)
To: Dan Scott
Cc: Stefan Esser, PHP internals
References: <47401946.2050406@sektioneins.de>
Subject: Re: [PHP-DEV] Tainted Mode Decision

Hi Dan,

> I believe the primary use case for taint mode would be to use it in
> development: taint mode is a mode which can be turned on to give you
> an idea of where your application may have exposed some
> vulnerabilities; let you fix those identified vulnerabilities; then
> turn off for production purposes. The speed of the implementation, if
> this is indeed the intention for taint mode, would therefore be
> irrelevant.

The problem here is that both approaches fail to be completely secure even when your test environment has 100% code coverage. And I am speaking of real 100% ... Currently there is no tool that can ensure that. All PHP CC tools I know of so far will, for example, not handle the ternary operator correctly.

The reason why both taint mode implementations fail is simple. Take the following statement.

    $sql['id'] = mysql_real_escape_string($_GET['id']);
    $query = "SELECT * FROM table WHERE id=".$sql['id'];

Wietse's taint mode will consider this statement safe and never cry. GRASP on the other hand will see that there is user supplied data in the SQL query, but will ignore it because it is a number. It will only react if $sql['id'] contains a string. At least the very first version did this.

This means currently both approaches would tell the developer that they are safe, while they are in fact not.

Stefan Esser
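The following is an added illustration, not code from Stefan's mail or from either taint-mode patch. It shows why the escaped-but-unquoted pattern above is the blind spot he describes (a taint bit cleared by the escape call says nothing about whether the value fits an unquoted numeric context) and what a context-appropriate check looks like. The escape function is a local stand-in for mysql_real_escape_string(), which needs a live connection and no longer exists in PHP 7; the table and column names are assumed.

```php
<?php
// Stand-in for mysql_real_escape_string(): escapes the same seven
// characters the real function does, so its behaviour on the input
// below is the same. (Assumed equivalent; the real one needs a link.)
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r',
        "\\" => '\\\\', "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// The pattern from the mail: escape, then concatenate without quotes.
// A taint mode that clears the taint bit on escape sees this as clean.
function query_escaped_unquoted(string $id): string
{
    $sql['id'] = escape_like_mysql($id);
    return "SELECT * FROM table WHERE id=" . $sql['id'];
}

// Hardened variant A: enforce the type the SQL context actually requires.
// ctype_digit() accepts only "0".."9" strings; anything else is rejected.
function query_validated_int(string $id): string
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return "SELECT * FROM table WHERE id=" . (int) $id;
}

// Hardened variant B: keep data out of the SQL text entirely (PDO assumed
// available). Not executed here because there is no database connection.
function query_parameterized(PDO $pdo, string $id): PDOStatement
{
    $stmt = $pdo->prepare("SELECT * FROM table WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Constructed input: contains no quote, backslash or control character,
// so escaping is a no-op and the non-numeric tail lands in the query text.
$input = "42 abc";
var_dump(escape_like_mysql($input) === $input);   // escaping changed nothing
echo query_escaped_unquoted($input), "\n";         // unquoted tail survives
try {
    echo query_validated_int($input), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";     // type check catches it
}
echo query_validated_int("42"), "\n";              // well-formed id passes
```

The check a taint mode would need here is not "was an escape function applied" but "does the value match the type of the SQL context it is placed into", which is what variant A enforces and variant B makes unnecessary.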