Taint analysis

From WEB3 Vulnerapedia
Jump to navigation Jump to search

Taint analysis is a method used in cybersecurity and software development to track and analyze the flow of data within a system, identifying potential sources of contamination or security vulnerabilities of the program during its operation. If such data gets into code key points, this situation can lead to various vulnerabilities, including SQL injection, cross-site scripting (XSS), path traversal and others. Attackers may use these vulnerabilities to disrupt the correct system operation, obtain confidential data or conduct other unauthorized operations.

Taint sources

The tainted data term refers to some values that an attacker can use for unauthorized and malicious operations when interacting with the system. Depending on how external data is used, an application may be vulnerable to various attacks. For example, an application may be vulnerable to SQL injections if it uses unverified external data to form database queries.

Thus, external data may be potentially tainted. Taint sources are locations where an application gets access to potentially tainted data. For example, a taint source can be an operation of getting the value of an HTTP request parameter:

void ProcessRequest(HttpRequest request)
{
  ....
  string name = request.Form["name"]; // taint source
  // now "name" contains potentially tainted data
  ....
}

Tainted data transmission

An important aspect of conducting taint analysis is determining the routes that tainted data may take in the application. In the example, tainted data is transmitted from a taint source to the name variable. Subsequently, the data can also be transmitted into other variables or act as a function's arguments:

void ProcessRequest(HttpRequest request)
{
  string name = request.Form["name"]; // taint source
  // now "name" contains potentially tainted data

  string sql = $"SELECT * FROM Users WHERE name='{name}'";
  ExecuteReaderCommand(sql); // tainted data passed as an argument
  ....
}

void ExecuteReaderCommand(string sql)
{
  // sql contains potentially tainted data here 
  ....
}

Note one more way that the tainted data can be transmitted. The name variable, which stores potentially tainted data, is used to form a string that is written into the sql variable. As a result, the value of the sql variable can be potentially tainted as well.

Taint sinks

From the taint analysis point of view, an application is vulnerable if tainted data can get into some of the application's key points. They are called taint sinks. Every potential vulnerability has its own sinks. For an SQL injection, a sink may be the transfer point of the query string to the SQL command object:

void ProcessRequest(HttpRequest request)
{
  string name = request.Form["name"]; // <= taint source
  // now "name" contains potentially tainted data

  string sql = $"SELECT * FROM Users WHERE name='{name}'";
  ExecuteReaderCommand(sql); // tainted data passed as an argument
  ....
}

void ExecuteReaderCommand(string sql)
{
  using (var command = new SqlCommand(sql, _connection)) // <= sink
  {
    using (var reader = command.ExecuteReader()) { /*....*/ }
  }
  ....
}

Here the external data from the source (request.Form["name"]) is directly used in forming an SQL query that is passed further to the sink - the SqlCommand constructor. Taint analysis checks whether there is a path that tainted data can follow from the source to the sink.

In fact, taint analysis is a form of static analysis. Thus, static analysis tools can implement it as a separate mechanism or a set of diagnostic rules. For example, if PVS-Studio checks the code above, it issues the following warning: "V5608 Possible SQL injection inside method. Potentially tainted data in the first argument 'sql' is used to create SQL command".

Let's look at another example of an attack - XSS (cross-site scripting). It allows an attacker to inject malicious code into web pages opened by users. The sink in this case can be the Response.Write method call:

protected void Page_Load(object sender, EventArgs e)
{
  ....

  var userName = Request.Params["userName"];  // taint source
  
  string message;
  if (string.IsNullOrWhiteSpace(userName))
  {
    message = "Empty 'userName' parameter";
  }
  else
  {
    message = $"'{userName}' data has been processed.";
  }
  
  Response.Write(message);          // taint sink
}

While performing taint analysis, PVS-Studio discovered that data from Request.Params["userName"] may get to Response.Write - and issued the following warning:

V5610 Possible XSS vulnerability. Potentially tainted data in the 'message' variable might be used to execute a malicious script.

If a malicious script is written into the userName request parameter, then because of the Response.Write call the tainted data is passed onto the page loaded by the user and can be executed later. Here's the vulnerability.

Sources

https://pvs-studio.com/en/blog/terms/6496/

https://dzone.com/articles/what-is-taint-analysis-and-why-should-i-care