
comp.lang.ruby

Re: Taint mechanism

Yukihiro Matsumoto

7/2/2008 2:45:00 PM

Hi,

In message "Re: Taint mechanism"
on Wed, 2 Jul 2008 19:47:21 +0900, Olivier Sarrouy <olivier.sarrouy@rennes.supelec.fr> writes:

|It seems that Ruby's taint mechanism doesn't care about indirect dataflow
|to propagate the taint. For instance, if you have:
|
|myVar1 = ARGV[0] # <-- tainted
|
|if myVar1 == "alice"
|  myVar2 = "Bob"
|else
|  myVar2 = "Eve"
|end
|
|myVar2 should be tainted as there is an indirect dataflow from myVar1,
|which is tainted, to myVar2. So I think it would be a great thing to
|be able to tackle indirect data flow, in order to be able to "prove"
|some security properties on Ruby programs.

We are not going to track indirect data flow in the future. Ruby's
taint mechanism is a tool to prevent foolish security flaws. We don't
need costly data flow analysis for the purpose. Simple direct data
flow tracking is enough.

matz.
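
The distinction discussed above, as an added example that is not part of the original thread: a hypothetical `Tracked` wrapper models direct-flow taint propagation (it does not use Ruby's own `taint`/`tainted?` methods, which current Ruby releases no longer provide), and the branch from the question shows the value that escapes it. `Tracked`, `guarded_sink` and `pick_name` are names assumed for the illustration.

```ruby
# Added illustration: a hypothetical Tracked wrapper that models direct
# (explicit) taint propagation only.
class Tracked
  attr_reader :value

  def initialize(value, tainted: false)
    @value = value.to_s
    @tainted = tainted
  end

  def tainted?
    @tainted
  end

  # Direct flow: the result is built from the operands' data, so it is
  # tainted if either operand is.
  def +(other)
    other = Tracked.new(other) unless other.is_a?(Tracked)
    Tracked.new(@value + other.value, tainted: @tainted || other.tainted?)
  end

  # Comparison returns a plain boolean; the taint bit has nowhere to go.
  def ==(other)
    @value == (other.is_a?(Tracked) ? other.value : other)
  end
end

# Hypothetical sink guard: refuses data carrying the taint bit.
def guarded_sink(data)
  raise SecurityError, "tainted data reached sink" if data.tainted?
  data.value
end

# The branch from the question: the result depends on the input only
# through control flow, so no taint is carried over.
def pick_name(input)
  if input == "alice"
    Tracked.new("Bob")
  else
    Tracked.new("Eve")
  end
end

# Constructed sample input standing in for ARGV[0].
user_input = Tracked.new("alice", tainted: true)
direct = Tracked.new("user=") + user_input
indirect = pick_name(user_input)
puts "direct tainted?   #{direct.tainted?}"
puts "indirect tainted? #{indirect.tainted?} (value #{indirect.value})"
```

The guard stops the concatenated value but passes the branch result, even though that result still reveals whether the input equalled "alice".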

2 Answers

Charles Oliver Nutter

7/3/2008 1:36:00 AM

0

Yukihiro Matsumoto wrote:
> We are not going to track indirect data flow in the future. Ruby's
> taint mechanism is a tool to prevent foolish security flaws. We don't
> need costly data flow analysis for the purpose. Simple direct data
> flow tracking is enough.

For those considering using tainting/SAFE for security, JRuby's tainting
is probably not reliable. In general, I believe tainting is a bad
security mechanism, since it requires a thousand little bits of code all
over the place to make sure taint propagates correctly and is checked
when it's important. JRuby users will probably prefer to lean on Java's
security model, which is more coarse-grained and defined in terms of
classes of operations rather than individual functions. We don't plan to
improve taint/SAFE support in JRuby in the future.

- Charlie

Olivier Sarrouy

7/3/2008 9:55:00 AM

0

Hi,

Well, I understand. It may look like it's a shame that you can't assure
any security properties based on that taint mechanism, but I understand
how complex and costly it is to build a reliable indirect dataflow
analyser.

Never mind, thanks for your answers and long life to Ruby

Olivier
--
Posted via http://www.ruby-....