Monday 30 September 2013

Java Tainted Strings

At AppSec EU Steven van der Baan approached me with the great idea of seeing if we could do an open source implementation of Java Tainted Strings.

The idea is to (somehow) add metadata to the java.lang.String object so that an App (or API) can taint a string (i.e. mark it as 'potentially malicious'), and to modify that App's/API's behaviour based on the taint information (for example: "don't execute an SQL statement if its SQL command string is tainted").
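As an added illustration of the idea (this is not code from Steven or me, and not a proposal for how java.lang.String would be modified), here is a small Java sketch of the three rules a tainted-string scheme needs: untrusted data enters tainted, taint propagates through operations like concatenation, and a sink such as SQL execution refuses tainted input unless an explicit sanitiser has cleared it. The `TaintedString` wrapper and `SqlSink` class are hypothetical stand-ins.

```java
import java.util.Objects;
// Added illustration, not the authors' code: a wrapper that carries a taint
// flag beside the string. A real implementation would attach this metadata to
// java.lang.String itself; a wrapper is enough to show the rules involved.
final class TaintedString {
    private final String value;
    private final boolean tainted;
    private TaintedString(String value, boolean tainted) {
        this.value = Objects.requireNonNull(value);
        this.tainted = tainted;
    }
    // Data crossing the trust boundary (request parameters, files) enters tainted.
    static TaintedString untrusted(String s) { return new TaintedString(s, true); }
    // Literals and values the application built itself are trusted.
    static TaintedString trusted(String s) { return new TaintedString(s, false); }
    boolean isTainted() { return tainted; }
    String value() { return value; }
    // Propagation: any result derived from a tainted input is itself tainted.
    TaintedString concat(TaintedString other) {
        return new TaintedString(value + other.value, tainted || other.tainted);
    }
    // Only an explicit, reviewed sanitiser may clear the flag (here: digits only).
    TaintedString asNumericId() {
        if (!value.matches("\\d{1,10}")) {
            throw new IllegalArgumentException("not a numeric id: " + value);
        }
        return new TaintedString(value, false);
    }
}
// Hypothetical sink: the behaviour change the post describes for SQL execution.
final class SqlSink {
    static String execute(TaintedString sql) {
        if (sql.isTainted()) {
            throw new SecurityException("refusing tainted SQL: " + sql.value());
        }
        return "executed: " + sql.value(); // stand-in for the real JDBC call
    }
    public static void main(String[] args) {
        TaintedString query = TaintedString.trusted("SELECT name FROM users WHERE id = ");
        TaintedString id = TaintedString.untrusted("42"); // constructed request input
        try {
            execute(query.concat(id));              // taint propagated: refused
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        System.out.println(execute(query.concat(id.asNumericId()))); // sanitised: runs
    }
}
```

The first call is refused because the taint flag survived concatenation; the second succeeds only because the value passed the sanitiser, which is the only path that clears the flag.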

There is still a lot of thinking that needs to happen on this idea, and we are currently in the 'pre PoC' stage.

Steven and I are going to try to document our ideas, and here are the first two from him:

It starts with an idea

Where to start

Please let us know your ideas, or point us to other good resources/thinking on this.

For example, here are a couple of interesting documents I quickly found by searching for 'Java tainted strings' on Google: