![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Interpolate this!
Jun. 14th, 2010 03:52 pmMy colleague Dan Kaminsky has released Interpolique, a defensive tool against string injection attacks. Go check it out! There's a slide deck at the page linked, and open-source code you can download.
Interpolique is an intellectual cousin of Dejector, in that both tools focus on making sure that the tree structure of a string with some variables substituted into it cannot vary from the structure that the developer originally intended. It's also related to one of the most unfortunately named security techniques ever, taint checking, in that it marks untrusted input as such. However, while taint checking tracks the spread of untrustworthiness as user input goes on to contaminate other branches of code, Interpolique actually constrains untrustworthy input from modifying safe data, and uses a simple form of static typing to ensure that string literals remain string literals all the way through to their final receiver, rather than potentially being interpolated into a command string in a way that allows them to be interpreted as input. ("Simple" isn't a criticism here, by the way, it's a compliment. They only needed two types, "safe, go ahead and interpret it" and "unsafe, this has to stay a string literal", and there was no reason to make it any more complicated than that.)
![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
enochsmiles and I have a paper in the pipeline analyzing this technique formally (we can't spill all the beans yet, but let's just say the news is good, and by "good" I mean DECIDABLE), but while we work on that, the rest of y'all can put the code to the test. Have at, and let the rest of us know what you find out!
Interpolique is an intellectual cousin of Dejector, in that both tools focus on making sure that the tree structure of a string with some variables substituted into it cannot vary from the structure that the developer originally intended. It's also related to one of the most unfortunately named security techniques ever, taint checking, in that it marks untrusted input as such. However, while taint checking tracks the spread of untrustworthiness as user input goes on to contaminate other branches of code, Interpolique actually constrains untrustworthy input from modifying safe data, and uses a simple form of static typing to ensure that string literals remain string literals all the way through to their final receiver, rather than potentially being interpolated into a command string in a way that allows them to be interpreted as input. ("Simple" isn't a criticism here, by the way, it's a compliment. They only needed two types, "safe, go ahead and interpret it" and "unsafe, this has to stay a string literal", and there was no reason to make it any more complicated than that.)
enochsmiles and I have a paper in the pipeline analyzing this technique formally (we can't spill all the beans yet, but let's just say the news is good, and by "good" I mean DECIDABLE), but while we work on that, the rest of y'all can put the code to the test. Have at, and let the rest of us know what you find out!
