Sunday 22 December 2013

Trying to add an 'EVIL bit' to java.lang.String (aka Java Taint Flag) and 'the first one has been set'

Following on from the idea documented in the Java Tainted Strings post, Steven van der Baan is continuing his research, and at the last AppSec USA he had a breakthrough: we set the first 'Java EVIL bit' :)

This is a major development, and if you are interested in this type of research, please join in the efforts (Steven is the one who has done most of the research so far, since I haven't had the time to join in).

The idea is to (somehow) add metadata to the java.lang.String object, allow an App (or APIs) to taint a string (i.e. mark it as 'potentially malicious'), and modify that App/API's behaviour based on the taint information (for example, "don't execute an SQL statement if its SQL command string is tainted").

Here are the links to the current (as of Dec 2013) posts from Steven starting with the oldest one first (these should give you a good idea of the path he is following):
  1. Where to start
  2. Up the ante
  3. A new approach
  4. The EVIL bit has been set
  5. Migration to an easier environment
  6. Next Steps
One important twist on this idea (which I'm not sure is very clear in Steven's posts) is that this technique is currently designed to be used DURING TEST (i.e. not on live production websites). The idea is to 'patch' the JVM before the unit tests are executed and use the EVIL bit to detect vulnerabilities in applications (without touching the code under test).
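To make the two ideas above concrete (taint propagating through string operations, and an API refusing to act on tainted input during a test run), here is an added example that is not code from this post or from Steven's research. It uses a hypothetical `TaintedString` wrapper class, because java.lang.String is final and cannot carry extra metadata without the JVM patching Steven describes; the `executeSql` method and the `sanitizedWith` escaping hook are likewise assumptions made for the demonstration.

```java
import java.util.Objects;
import java.util.function.UnaryOperator;

// Added example: a wrapper-class stand-in for the 'EVIL bit' on java.lang.String.
public final class TaintDemo {

    /** A string value carrying a single taint flag (the 'EVIL bit'). */
    public static final class TaintedString {
        private final String value;
        private final boolean evil;

        private TaintedString(String value, boolean evil) {
            this.value = Objects.requireNonNull(value);
            this.evil = evil;
        }

        /** Data that originated inside the application: bit clear. */
        public static TaintedString trusted(String s) { return new TaintedString(s, false); }

        /** Data that crossed a trust boundary (e.g. an HTTP parameter): bit set. */
        public static TaintedString untrusted(String s) { return new TaintedString(s, true); }

        public boolean isEvil() { return evil; }
        public String raw() { return value; }

        /** Taint propagates: the result is EVIL if either operand is. */
        public TaintedString concat(TaintedString other) {
            return new TaintedString(value + other.value, evil || other.evil);
        }

        /** Passing through a sanitizer is the only way to clear the bit (hypothetical hook). */
        public TaintedString sanitizedWith(UnaryOperator<String> escaper) {
            return new TaintedString(escaper.apply(value), false);
        }
    }

    /** Stand-in for a patched SQL API: refuses a statement whose text is tainted. */
    public static void executeSql(TaintedString sql) {
        if (sql.isEvil()) {
            throw new SecurityException("refusing to execute tainted SQL: " + sql.raw());
        }
        System.out.println("executing: " + sql.raw());
    }

    public static void main(String[] args) {
        TaintedString query = TaintedString.trusted("SELECT * FROM users WHERE name = '");
        // Constructed request parameter. Note the check is about provenance, not content:
        // the value is harmless, but it is still flagged because it came from outside.
        TaintedString param = TaintedString.untrusted("alice");
        TaintedString close = TaintedString.trusted("'");

        // Unit-test style check: the string-concatenation code path is flagged
        // without modifying the code under test.
        try {
            executeSql(query.concat(param).concat(close));
            System.out.println("FAIL: tainted SQL reached the database API");
        } catch (SecurityException e) {
            System.out.println("DETECTED: " + e.getMessage());
        }

        // The same flow with a sanitizer in place clears the bit and is allowed through.
        TaintedString safe = param.sanitizedWith(s -> s.replace("'", "''"));
        executeSql(query.concat(safe).concat(close));
    }
}
```

Running `main` prints a DETECTED line for the first call and an executing line for the second. The design point is that the EVIL bit never inspects the string's content; it records where the value came from and whether it has passed through a sanitizer, which is why the same check works for any sink (SQL, OS commands, HTML output) once the relevant API consults the flag.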