Next Steps

I’m not the most regular poster, but Dinis Cruz encouraged me to use it more for mental notes to myself (can’t find the exact blog posting, but will give the link when I remember it). So that’s what I’m going to do from now on.

At the moment I’m ‘automating’ my Evil bit system. I’ve created an XML file which will be used to generate the altered classes. It’s easier to use the following contrust:

<securt>
    <sources>
        <!--source class="java.lang.StringBuilder" method="toString"/ -->
        <source class="java.io.BufferedReader" method="readLine" arguments="boolean" />
        <source class="java.io.RandomAccessFile">
            <method name="readUTF"/>
            <method name="readLine"/>
        </source>
    </sources>
    <sinks>
        <sink class="java.io.PrintStream" method="print" arguments="java.lang.String" vulnerable="1"/>
        <sink class="java.io.DataOutput">
            <method name="write" arguments="int" vulnerable="1"/>
        </sink>
    </sinks>
</securt>

I’ve also decided to use a static class for the tainting and testing, this will allow for simple adjustments in the future, but as I have to use the altered String class it did give me some challenges in defining the whole build process.

    private static void createTaintUtil(String destPath) throws NotFoundException, CannotCompileException, IOException {

        ClassPool cp = ClassPool.getDefault();

        // Just a shortcut to copy the Superclass to the new destination
        CtClass atu = cp.get("org.owasp.securt.AbstractTaintUtil");
        atu.writeFile(destPath);

        CtClass cc = cp.makeClass("org.owasp.securt.TaintUtil", atu);

        cc.addMethod(CtNewMethod.make("public static void setTaint(String tainted, boolean taint) {if(tainted != null){tainted.setTaint(taint);}}", cc));
        cc.addMethod(CtNewMethod.make("public static void checkTaint(String tainted) {if(tainted.isTainted())markTaint();}", cc));

        cc.writeFile(destPath);
    }

So what are my next steps? My ideas for going forward are as follows:
– taint the java.sql.Statement Interface (or at least have the implementation of the interface tainted from the bootclasspath)
– have a PoC for tainting J2EE classes
– perhaps have more fine grained tests of taints like Gravizapa (don’t know yet if I should pursue that or not)

That’s it for now. Happy holidays and a merry new year to whomever reads this šŸ˜‰

3 thoughts on “Next Steps

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s