Tools for security analysis


Craig Younkins

Aug 10, 2010, 11:46:46 AM
to python-...@googlegroups.com
I've been thinking a lot about what tools would be useful to have when analyzing Python code for security vulnerabilities.

At some point all computers are basic input/output systems, which is the premise for security tools which identify sources and sinks, and can trace the flow of data from one to the other. Part of the idea of taint mode in Python [1] is to make sure pieces of data go through sanitization functions before getting to the sensitive sink. This is a great way of thinking about avoiding interpreter or SQL injection, and XSS.

But other vulnerabilities are so much more complicated. Taint mode isn't really going to help guard against CSRF, unvalidated redirects, or direct object references. These (and many others) don't really have to do with the sanitization or validation of user input. It seems some of the most difficult to fix security flaws are those that are embedded in the design of the application, where the input is nearly indistinguishable from normal, expected input.

So what tools does Python need? Here are a few of my ideas:
  • Context aware template engine that applies the proper escaping for the context a variable is put in. I would love to see a demo of this where a user can control both the template and the variable data, and it would be impossible to create an XSS vulnerability. Done correctly, I think this could completely eliminate XSS. I think Genshi would be the basis for such an engine because of its strict parsing, but work hasn't yet begun.
  • Static analysis scanner? Could scan for HTML forms without CSRF tokens and raw SQL with string interpolation [2]. What else could we scan for with the abstract syntax tree? At some point this becomes pretty limited because of how dynamic Python is.
  • Modified interpreter? What could we do with this? Perhaps a taint mode without modifying source code.
  • Better intrusion detection system - If a user logs in from opposite sides of the planet within a few minutes, something's wrong. A user sending 1000 requests/min is not legitimate. 30 bad logins within 10 mins from the same IP or for the same account, you can be pretty sure something is wrong.
What do you think?

Craig Younkins


[1] http://www.pythonsecurity.org/wiki/taintmode/

Juanjo Conti

Aug 10, 2010, 12:27:34 PM
to python-...@googlegroups.com
Hi,

2010/8/10 Craig Younkins <cyou...@gmail.com>

  • Modified interpreter? What could we do with this? Perhaps a taint mode without modifying source code.

This was done here: D. Kozlov and A. Petukhov. Implementation of Tainted Mode approach to finding security vulnerabilities for Python technology. In Proc. of Young Researchers' Colloquium on Software Engineering (SYRCoSE), June 2007.

  • Better intrusion detection system - If a user logs in from opposite sides of the planet within a few minutes, something's wrong. A user sending 1000 requests/min is not legitimate. 30 bad logins within 10 mins from the same IP or for the same account, you can be pretty sure something is wrong.

This sounds really interesting, do you have any idea of where to start?

--
Juanjo Conti
blog: http://www.juanjoconti.com.ar
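One place to start on the quoted intrusion-detection bullet, as an added example that is not code from either poster: sliding-window counters for two of the thresholds named there (30 failed logins within 10 minutes from one IP or against one account, and 1000 requests per minute from one user). The event stream, IPs and usernames are constructed; the "opposite sides of the planet" check is left out because it needs an IP-to-location source that the thread does not name.

```python
# Added example: sliding-window checks for the thresholds in the quoted bullet.
# Events below are constructed; in practice they come from the application's
# authentication and access logs.
from collections import defaultdict, deque

FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 30, 600  # 30 bad logins in 10 minutes
REQUEST_LIMIT, REQUEST_WINDOW = 1000, 60           # 1000 requests in 1 minute


class SlidingCounter:
    """Counts events per key inside a trailing time window (seconds)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps, oldest first

    def hit(self, key, ts):
        """Record one event at time ts; True once key reaches the limit."""
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        return len(q) >= self.limit


class LoginMonitor:
    def __init__(self):
        self.bad_by_ip = SlidingCounter(FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW)
        self.bad_by_user = SlidingCounter(FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW)
        self.reqs = SlidingCounter(REQUEST_LIMIT, REQUEST_WINDOW)

    def failed_login(self, ts, ip, user):
        """Check both the source-IP and the target-account thresholds."""
        alerts = []
        if self.bad_by_ip.hit(ip, ts):
            alerts.append(f"brute force from {ip}")
        if self.bad_by_user.hit(user, ts):
            alerts.append(f"password guessing against {user}")
        return alerts

    def request(self, ts, user):
        return [f"request flood by {user}"] if self.reqs.hit(user, ts) else []


def run_demo():
    """Constructed traffic: 30 bad logins in 5 min, then 1000 requests in 50 s."""
    m, alerts = LoginMonitor(), []
    for i in range(30):
        alerts += m.failed_login(i * 10, "10.1.2.3", "alice")
    for i in range(1000):
        alerts += m.request(1000 + i * 0.05, "bob")
    return alerts
```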