maradydd: (Default)
[personal profile] maradydd
My colleague Dan Kaminsky has released Interpolique, a defensive tool against string injection attacks. Go check it out! There's a slide deck at the page linked, and open-source code you can download.

Interpolique is an intellectual cousin of Dejector, in that both tools focus on making sure that the tree structure of a string with some variables substituted into it cannot vary from the structure that the developer originally intended. It's also related to one of the most unfortunately named security techniques ever, taint checking, in that it marks untrusted input as such. However, while taint checking tracks the spread of untrustworthiness as user input goes on to contaminate other branches of code, Interpolique actually constrains untrustworthy input from modifying safe data, and uses a simple form of static typing to ensure that string literals remain string literals all the way through to their final receiver, rather than potentially being interpolated into a command string in a way that allows them to be interpreted as input. ("Simple" isn't a criticism here, by the way, it's a compliment. They only needed two types, "safe, go ahead and interpret it" and "unsafe, this has to stay a string literal", and there was no reason to make it any more complicated than that.)

[livejournal.com profile] enochsmiles and I have a paper in the pipeline analyzing this technique formally (we can't spill all the beans yet, but let's just say the news is good, and by "good" I mean DECIDABLE), but while we work on that, the rest of y'all can put the code to the test. Have at, and let the rest of us know what you find out!
From:
Anonymous
OpenID
Identity URL: 
User
Account name:
Password:
If you don't have an account you can create one now.
Subject:
HTML doesn't work in the subject.

Message:

If you are unable to use this captcha for any reason, please contact us by email at support@dreamwidth.org


 
Notice: This account is set to log the IP addresses of everyone who comments.
Links will be displayed as unclickable URLs to help prevent spam.

Profile

maradydd: (Default)
maradydd

September 2010

S M T W T F S
   1234
567891011
12131415 161718
19202122232425
26 27282930  

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags