Taint mechanism

Hi everyone,

I would like to ask a few questions about the taint mechanism of Ruby.

It seems that Ruby's taint mechanism doesn't care about indirect dataflow
to propagate the taint. For instance, if you have:

myVar1 = ARGV[0] <-- tainted

if myVar1 == "alice"
  myVar2 = "Bob"
else
  myVar2 = "Eve"
end

myVar2 should be tainted as there is an indirect dataflow from myVar1,
which is tainted, to myVar2. So I think it would be a great thing to
be able to tackle indirect data flow, in order to be able to "prove"
some security properties on Ruby programs.

Is this a choice from the Ruby core developers, or would it be a potential
feature for the next Ruby version?

Thanks to all

Olivier

Hi,

In message “Re: Taint mechanism”
on Wed, 2 Jul 2008 19:47:21 +0900, Olivier S.
[email protected] writes:

|It seems that Ruby's taint mechanism doesn't care about indirect dataflow
|to propagate the taint. For instance, if you have:
|
|myVar1 = ARGV[0] <-- tainted
|
|if myVar1 == "alice"
|  myVar2 = "Bob"
|else
|  myVar2 = "Eve"
|end
|
|myVar2 should be tainted as there is an indirect dataflow from myVar1,
|which is tainted, to myVar2. So I think it would be a great thing to
|be able to tackle indirect data flow, in order to be able to "prove"
|some security properties on Ruby programs.

We are not going to track indirect data flow in the future. Ruby’s
taint mechanism is a tool to prevent foolish security flaws. We don’t
need costly data flow analysis for the purpose. Simple direct data
flow tracking is enough.

          matz.
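The direct-only propagation that the question above and matz's reply describe, modelled in Ruby as an added example (this is not code from the thread and not Ruby's real taint implementation; TStr, untrusted_input, branch_on_input and sink_accepts? are constructed names):

```ruby
# Model of Ruby's direct-flow taint tracking (pre-2.7 semantics), written for
# this thread as an illustration; TStr is a constructed wrapper, not Ruby's
# own String. Real Ruby marked ARGV/ENV/IO strings tainted and, with
# $SAFE >= 1, sinks such as Kernel#system refused tainted arguments.
class TStr
  attr_reader :value

  def initialize(value, tainted: false)
    @value = value.dup.freeze
    @tainted = tainted
  end

  def tainted?
    @tainted
  end

  # Direct data flow: the result is built from the operands, so taint
  # propagates, as String#+ did for tainted strings.
  def +(other)
    TStr.new(@value + other.value, tainted: @tainted || other.tainted?)
  end

  # A comparison yields a plain boolean; no taint bit travels with it.
  def ==(other)
    other.is_a?(TStr) && @value == other.value
  end
end

# Models ARGV[0]: data from outside the program starts out tainted.
def untrusted_input(str)
  TStr.new(str, tainted: true)
end

# The thread's example. my_var2 depends on my_var1 only through the branch
# condition (an indirect flow), so the literal it is assigned stays
# untainted even though its value reveals something about the input.
def branch_on_input(my_var1)
  if my_var1 == TStr.new("alice")
    TStr.new("Bob")
  else
    TStr.new("Eve")
  end
end

# A $SAFE-style sink check: only the taint bit is consulted, so the
# indirectly derived value passes while directly derived data is refused.
def sink_accepts?(str)
  !str.tainted?
end
```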

Yukihiro M. wrote:

We are not going to track indirect data flow in the future. Ruby’s
taint mechanism is a tool to prevent foolish security flaws. We don’t
need costly data flow analysis for the purpose. Simple direct data
flow tracking is enough.

For those considering using tainting/SAFE for security, JRuby’s tainting
is probably not reliable. In general, I believe tainting is a bad
security mechanism, since it requires a thousand little bits of code all
over the place to make sure taint propagates correctly and is checked
when it’s important. JRuby users will probably prefer to lean on Java’s
security model, which is more coarse-grained and defined in terms of
classes of operations rather than individual functions. We don’t plan to
improve taint/SAFE support in JRuby in the future.

- Charlie

Hi,

Well, I understand. It may look like a shame that you can't assure
any security properties based on that taint mechanism, but I understand
how complex and costly it is to build a reliable indirect dataflow
analyser.

Never mind, thanks for your answers and long life to Ruby

Olivier