Next Steps

I’m not the most regular poster, but Dinis Cruz encouraged me to use this blog more for mental notes to myself (I can’t find the exact blog post, but I will add the link when I remember it). So that’s what I’m going to do from now on.

At the moment I’m ‘automating’ my Evil bit system. I’ve created an XML file which will be used to generate the altered classes. Sources are the methods whose returned String gets tainted, sinks are the methods whose String argument gets checked, and both can be written either with the method on the element itself or as nested method elements. It’s easier to use the following construct:

    <securt>
        <sources>
            <!-- <source class="java.lang.StringBuilder" method="toString"/> -->
            <source class="java.io.BufferedReader" method="readLine" arguments="boolean" />
            <source class="java.io.RandomAccessFile">
                <method name="readUTF"/>
                <method name="readLine"/>
            </source>
        </sources>
        <sinks>
            <sink class="java.io.PrintStream" method="print" arguments="java.lang.String" vulnerable="1"/>
            <sink class="java.io.DataOutput">
                <method name="write" arguments="int" vulnerable="1"/>
            </sink>
        </sinks>
    </securt>
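As an added example (not code from this post or from the SecuRT project), here is a small Python reader for the securt configuration above that flattens both spellings, the method attribute on the element and the nested method elements, into one entry per class/method pair, which is what a class generator would iterate over. The embedded XML is the post’s own configuration with the commented-out source repaired; treating several parameter types as comma-separated, and letting vulnerable="1" on the element act as the default for its nested methods, are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
# The securt configuration from the post, with the commented-out source repaired.
SECURT_XML = """<securt>
  <sources>
    <!-- <source class="java.lang.StringBuilder" method="toString"/> -->
    <source class="java.io.BufferedReader" method="readLine" arguments="boolean"/>
    <source class="java.io.RandomAccessFile">
      <method name="readUTF"/>
      <method name="readLine"/>
    </source>
  </sources>
  <sinks>
    <sink class="java.io.PrintStream" method="print" arguments="java.lang.String" vulnerable="1"/>
    <sink class="java.io.DataOutput">
      <method name="write" arguments="int" vulnerable="1"/>
    </sink>
  </sinks>
</securt>"""

@dataclass(frozen=True)
class Entry:
    kind: str          # "source" (taints its result) or "sink" (checks its argument)
    cls: str           # fully qualified class to instrument
    method: str
    arguments: tuple   # parameter types; () selects the no-argument overload
    vulnerable: bool   # sinks only: a tainted argument reaching this call is reported

def _args(text):
    # Assumption: more than one parameter type is written comma-separated.
    return tuple(a.strip() for a in text.split(",")) if text else ()

def parse_securt(xml_text):
    """Flatten both spellings (method attribute, or nested <method> children) into Entries."""
    entries = []
    root = ET.fromstring(xml_text)  # XML comments are dropped by the default parser
    for section, kind in (("sources", "source"), ("sinks", "sink")):
        for el in root.findall("%s/%s" % (section, kind)):
            cls = el.get("class")
            if not cls:
                raise ValueError("<%s> without a class attribute" % kind)
            # Assumption: vulnerable="1" on the element is the default for nested methods.
            for m in el.findall("method") or [el]:
                name = m.get("name") if m is not el else m.get("method")
                if not name:
                    raise ValueError("<%s class=%r> names no method" % (kind, cls))
                vuln = m.get("vulnerable", el.get("vulnerable")) == "1"
                entries.append(Entry(kind, cls, name, _args(m.get("arguments")), vuln))
    return entries
```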

I’ve also decided to use a static class for the tainting and testing. This will allow for simple adjustments in the future, but because I have to use the altered String class, it did give me some challenges in defining the whole build process.

    import java.io.IOException;

    import javassist.CannotCompileException;
    import javassist.ClassPool;
    import javassist.CtClass;
    import javassist.CtNewMethod;
    import javassist.NotFoundException;

    // Generates org.owasp.securt.TaintUtil with Javassist instead of compiling it,
    // because its methods call setTaint/isTainted on the altered String class.
    private static void createTaintUtil(String destPath) throws NotFoundException, CannotCompileException, IOException {

        ClassPool cp = ClassPool.getDefault();

        // Just a shortcut to copy the Superclass to the new destination
        CtClass atu = cp.get("org.owasp.securt.AbstractTaintUtil");
        atu.writeFile(destPath);

        // TaintUtil extends AbstractTaintUtil, which supplies markTaint()
        CtClass cc = cp.makeClass("org.owasp.securt.TaintUtil", atu);

        // Sources call setTaint on the String they return; sinks call checkTaint on the String they receive.
        // Both tolerate null, since a sink such as print(null) is a legal call.
        cc.addMethod(CtNewMethod.make("public static void setTaint(String tainted, boolean taint) {if(tainted != null){tainted.setTaint(taint);}}", cc));
        cc.addMethod(CtNewMethod.make("public static void checkTaint(String tainted) {if(tainted != null && tainted.isTainted()){markTaint();}}", cc));

        cc.writeFile(destPath);
    }

So what are my next steps? My ideas for going forward are as follows:
– taint the java.sql.Statement Interface (or at least have the implementation of the interface tainted from the bootclasspath)
– have a PoC for tainting J2EE classes
– perhaps have more fine-grained tests of taints like Gravizapa (I don’t know yet if I should pursue that or not)

That’s it for now. Happy holidays and a merry new year to whomever reads this 😉
