» Safe Strings for Security? jessenoller.com

Safe Strings for Security?

August 17th, 2007 § 7 comments

I just got done reading this article “A bright future: security and modern type systems” which reminded me of the recent Django discussion around AutoEscaping — specifically “Automatic Escaping is Not a â€œNewbie Featureâ€”

Now, I’ve railed for and discussed (much to the dismay of my wife — I’ll talk to anyone about this, infant included) “Duck” typing and why I love it — I think the ability to define your own String/File/etc–like “SAFE” objects is easier, and more attractive in python. Do you really want a compiler to enforce social and domain-specific rules for you?

The dynamic nature of the typing within python (remember -> all objects are strongly typed at runtime) makes the on-the-fly definition and creation of new types/objects which conform to a subjective series of rules (in this case: the definition of domain-specific “malicious” strings) an easy and rapid-to-do task.

With no compiler in the way to enforce the checking of the most banal of errors one could argue that although you may have defined a new Type-Like object (a Bear in a Ducksuit) there are no rules within the compiler or interpreter to enforce that that type is used at runtime or in the rest of the application. This means you must rely on social convention or some other built-in-rules system.

Perhaps you’re smart about it — and when you’re building your application (web or otherwise) you state that Object A accepts a “string-like” object of the SafeString type. When you defined SafeString you added some hook/method for ensuring that yes– in fact, someone was passing you a string-like-SafeString object.

I think that the concept of “$N-Like” is the key to understanding what dynamic typing within a language is.

But I’ve wandered off the track/point — Malicious strings are a bit of a tip of the iceberg when it comes to application design — as of the last few years it’s mainly been the concern of WebApp developers who need to worry about cross-site-scripting and other style attacks where you have a large amount of two-way information.

It makes sense to add “Safe” types into frameworks (Django, RoR, Grails, etc) for web application developers. Heck — it might even make sense to create an “EscapedChar” object in the language (python) itself. But in a language that relies on N-Like semantics it makes much more sense to push that up into the implementation of the framework/webapp itself.

The definition of “malicious” is murky at times — some input that might be blanket escaped could be useful and intended for some applications, so it’s important that the implementation is flexible enough to take that into account (a String-like-Safe-like-MyString object anyone?)

Now I’m rambling, dangit. I’ve got to go back to my String java = new JavaProgrammer(); code.

This (for the django interested) is an interesting read as well.

http://blog.moertel.com/ Tom Moertel

In response to your question, “Do you really want a compiler to enforce social and domain-specific rules for you?” the answer, as far as security assurances are concerned, is yes.

While you can certainly implement a run-time system for detecting potentially unsafe string interactions, what sensible options do you have when you detect one? Remember, what you have just detected is not that an attacker tried to stuff some nasty code into a form; rather, you have detected a programming error: the programmer used a string in one place as if it were, say, untrusted user input and in another as if it were, say, part of a trusted, programmer-supplied template. It’s just that until some user (maybe a bad guy but very possibly a good guy) manged to walk a particular path through your application that exercised both uses of the string, the programming error went undetected.

Now, however, your run-time system has detected it. The problem is, your system detected it in a live-running application, at the site of a potential unsafe string interaction, not at the error’s origin in your code, which could be a long ways distant. That is, this particular string interaction may very well not be the error. The error may have been caused in the distant past by code that has already executed. What’s worse, all the code in between the error’s origin and the present site of detection could have been causing side effects: writing to the database, updating session variables, launching the missiles, etc. How do you safely undo all those effects?

That’s the real problem.

In a compile-time system, when a potentially unsafe string interaction is detected, you have all the time in the world to hunt the problem down to its true source, wherever that may be, and fix it.

In sum, a compile-time system offers you the assurance that none of the checked-for problems can occur at run-time. A run-time system can only guarantee that, if a checked-for problem occurs, it will be caught. By then, however, it may already be too late to avoid the consequences.

Cheers. –Tom
http://www.jessenoller.com jesse

Good points, all of them.

If you’re going to go as far as to shackle a developer into the SafeString type you’ve defined, you also have to block/deny any sort of object polymorphism as well — I can’t see you able to enforce the compile-time rules without blocking the that as well.

It’s food for thought — although when it comes to most applications, it’s user-input or input-generated from an untrusted third party that most people/programmers concern themselves with. For example, it would be interesting to enforce these style rules within an DB ORM (both to and from) and things such as networking/other communications layers. It’s this type of hardening that only really exposes itself at runtime in most instances.

I’m wondering about the scope of safety you’re providing by baking in a new safe type into the language — you’re only protecting a programmer from leveraging an unsafe string during code-compilation time. I think (opinion mind you) that your time would be better spent doing exactly what you pointed out as a flaw in my suggestion: designing ways to cope with these issues/attacks at runtime.

If you treat all data (strings) as untrusted data to begin with — both user and programmer generated alike and build into your system a clean/abstracted way of dealing with and capturing dangerous objects your application would be infinitely more secure without the need to enforce it at compiler-time.
Ants Aasma

I feel you didn’t get the point of the type based approach. I think that cross-stite scripting bugs are not a case of mixing up unsafe and safe strings, its a case of type mismatch, like adding together feet and meters. So if you have a user supplied string and you output it to a html template you need to encode it as an HTML string literal (i.e. escape characters that have special meaning in HTML). You could also have an user supplied html> language fragment (like this commenting systems allows) in which case you want to have a function that interprets the string as html, removes all the dangerous stuff and returns an html fragment. When you have detailed enough type information you have the ability not only to detect type mismatches, but to do type coercion. For the feet and meters example if you add two quantity objects you can do automatic unit conversion when they’re of the same dimension and raise an Exception when, you’re adding a quantity of time to a quantity of distance. For the html example when concatenating html and regular strings it is possible to automatically escape the strings.

I threw together a proof of concept implementation of that a few days ago. It’s currently available at http://dpaste.com/17329/
http://www.jessenoller.com jesse

Thanks — I did get that approach: I was questioning the usefulness of doing this in the compiler. Thank you for the example though
http://blog.moertel.com/ Tom Moertel

jesse, thanks for your response.

You are missing something fundamental to the nature of (modern) static type systems. You wrote that:

[With a compile-type safety system] youâ€™re only protecting a programmer from leveraging an unsafe string during code-compilation time. I think (opinion mind you) that your time would be better spent […] designing ways to cope with these issues/attacks at runtime.

What you are missing is that that compile-time system proves that these issues cannot occur at run time. Once you have that guarantee, you have no need to attempt to cope with the issue anymore, at all, let alone at run time. The issue is gone.

And as far as being “shackled” into the system goes, the only thing you are shacked into is not doing things that would be potentially unsafe if allowed at occur at run-time. In my Haskell-based implementation, for example, it’s no more difficult to write safe-string code than it is to write unsafe everything-is-just-a-string code, but it’s a whole lot safer.

Cheers,
Tom
http://www.jessenoller.com jesse

Thank you — more to think about on my part, I still see you having to address unsafe strings at runtime on non-static strings, at the end of the day, baking more safety into the compiler/interpreter/language is never a bad thing.
http://blog.moertel.com/ Tom Moertel

You pose a good question: Does a static system need run-time help to address non-static strings? Happily, the answer is no.

That’s because even though the values of non-static strings may be unknown until run time, the types of the strings will be known at compile time, and that’s enough for the system to do its work. If the system knows, for example, that some function takes an HTML template and a string representing plain-old text, the system can verify at compile time that the way the function combines the text with the template is safe, even though the system may have no idea what values the template or the text will take until run time.

Cheers! –Tom

What's this?

You are currently reading Safe Strings for Security? at jessenoller.com.

jessenoller.com

Safe Strings for Security?

Related Posts:

What's this?

meta

Categories

Links

Recent Posts