Taint mechanism

  • Thread starter Olivier Sarrouy
  • Start date
O

Olivier Sarrouy

Hi everyone,

I would like to ask a few question about the taint mechanism of ruby.

It seems that ruby taint mechanism doesn't care about indirect dataflow
to propagate the taint. For instance, if you got :

myVar1 = ARGV[0] <-- tainted

if myVar1 == "alice"
myVar2 = "Bob"
else
myVar2 = "Eve"
end

myVar2 should be tainted as there is an indirect dataflow from myVar1,
which is tainted, to myVar2. So I think it would be of a great thing to
be able to tackle indirect data flow, in order to be able to "prove"
some security properties on ruby programs.

Is this a choice from ruby core developers or would it be a potential
feature for the next ruby version ?


Thanks to all

Olivier
 
O

Olivier Sarrouy

Hi,

Well, i understand. It may look like it's a shame that you can't assure
no security properties based on that taint mechanism, but i understand
how complex nad costly it is to build a reliable indirect dataflow
analyser.

Nevermind, thanks for your answers and long life to ruby

Olivier
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

ruby-dev summary 26468-26661 37
Mechanism to generate annotated "error codes" 87
Working on mobile css menu with plenty of frustration! 2
Taint - having some real trouble here, taint/perl experts, please help 17
[ANN] Ruby/ActiveLDAP 0.5.1 0
[ANN] JRuby 1.4.0 Released 2
[ANN] JRuby 1.4.0RC3 Released 0
[ANN] rs 0.1.2 0

Members online

Total: 22 (members: 2, guests: 20)
Robots: 431

Forum statistics

Threads
473,768
Messages
2,569,574
Members
45,048
Latest member
verona

Latest Threads

Top