...
Introduction
Tainted Flow Analysis
The root cause of many security breaches is trusting unvalidated input:
...
Info: Good practice says: “filter on input, escape on output”.
- Canonicalization / Normalization
  - Canonicalization is the process of lossless reduction of input to its equivalent simplest known form (for example, resolving .. and . segments in a pathname to produce the canonicalized pathname, or applying Unicode canonical equivalence…).
  - Normalization is the process of lossy conversion of input data to the simplest form (e.g. mapping a text input onto one value from a fixed set, removing accents, removing whitespace, stop words and punctuation characters, lower-/upper-casing…).
- Sanitization
  - Ensuring that data conforms to the requirements of the subsystem to which it is passed, including security requirements related to data leakage or sensitive data exposure across a trust boundary. This may include removal of unwanted characters, escaping of metacharacters, etc.
- Validation
  - Ensuring that input falls within the expected domain of valid program input: type/numeric range requirements, input invariants…
...
Kiuwan contains a built-in library of sanitizers for every supported programming language and framework. These sanitizers are commonly used directly by programmers or by frameworks, and Kiuwan detects their usage.
...
In the following sections, the terms “sanitizers” and “neutralization routines” are used as synonyms.
Neutralization Routines (a.k.a. Sanitizers)
...
For instructional purposes, the following steps use Java as the programming language. Differences for other programming languages are detailed further on.
Specifying custom neutralization routines
Info: Any custom neutralization routine must be defined in a custom neutralizations file (XML format). The name of the file is irrelevant, but its location is quite important.
Locations and precedence
Neutralization routines can be configured at different scopes:
- Single-analysis,
- Application-specific and
- System-wide.
Depending on the location of the XML file, its precedence and scope change.
...
- [agent_home_dir] : local installation directory of Kiuwan Local Analyzer (KLA)
- [analysis_base_dir] : root directory of the application source code to be analyzed, as specified by the “-s” option of the KLA CLI (Command Line Interface), or in the “Folder to analyze” input box when using the KLA GUI (Graphical User Interface)
- [app_name] : name of the application to be analyzed, as specified by the “-n” option of the KLA CLI (Command Line Interface), or in the “Application name” input box when using the KLA GUI (Graphical User Interface)
- [technology] : name of the Kiuwan technology, as specified in [agent_home_dir]/conf/LanguageInfo.properties
As a general recommendation, we suggest naming the XML file [technology]_custom_neutralizations.xml (this helps to clearly distinguish your custom files from Kiuwan's own files).
Therefore, the next sections use java_custom_neutralizations.xml as the name of our custom file.
Examples
...
Reference
Structure of Custom Neutralization File (CNF)
Info: Any CNF must be an XML file with the following structure:
The next sections describe this structure.
Reference to master DTD file
The reference to the master DTD must be specified in the first line of the file.
...
Tech | DTD specification | DTD location |
---|---|---|
abap | <!DOCTYPE library SYSTEM "abap_library.dtd"> | [agent_home_dir]/libraries/abap |
c / cpp | <!DOCTYPE library SYSTEM "cpp_library.dtd"> | [agent_home_dir]/libraries/c |
csharp | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
java | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
javascript | <!DOCTYPE library SYSTEM "js_library_metadata.dtd"> | [agent_home_dir]/libraries/javascript |
objectivec | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
php | <!DOCTYPE library SYSTEM "php_library.dtd"> | [agent_home_dir]/libraries/php |
python | <!DOCTYPE library SYSTEM "python_library_metadata.dtd"> | [agent_home_dir]/libraries/python |
...
Definition of the Custom “Library” of Neutralization routines
Obviously, you don’t need to create an XML file for every single neutralization routine.
...