One of the most important tasks a security administrator can perform is to ensure that all Web code on a system performs proper parameter checking to minimize the potential of catastrophic buffer-overflow vulnerabilities. In many development environments, this is a tedious process that places a heavy burden on the shoulders of already-overworked programmers. If your Web site contains a large base of existing code that has not been safety-checked,...
the security screening task might seem insurmountable. This same problem may arise when you wish to import someone else's code (such as that downloaded from a Web site) into your Web applications.
If those applications are written in Perl, there's a great way to ferret out these vulnerabilities -- the use of Perl's taint mode. When used in taint mode, the Perl interpreter assumes that all user input is "tainted" or potentially malicious and places restrictions on the actions that the script may perform on that input. The Perl interpreter may be invoked in taint mode using the following string:
(Note: the command above is used by Perl 5 on a Unix system. If you're using a different version of Perl or a different operating system, consult your documentation for the proper syntax.)
Perl handles tainted data using a special set of rules that limit the actions that may be performed on tainted data. For example, tainted data may not be used in a call to system(), eval(), exec(), open() or a number of other privileged functions. When the interpreter encounters an action that uses tainted data in a manner it considers unsafe, it simply halts execution with an error. It's then your responsibility to troubleshoot the code and determine what change(s) are necessary to make the code safe.
The most common fix to many taint mode errors is to untaint the user input using regular expressions that contain parentheses. (If you're not familiar with regular expressions, Steve Ramsay's Guide to Regular Expressions might come in handy.) Once you've performed this type of transformation, Perl assumes that you've checked for any malicious code and considers the user input safe. It's extremely important to recognize that this is a major assumption on Perl's part. If your regular expression does not adequately clear the vulnerability, the application may execute despite the fact that it is unsafe.
It's important that you don't view taint mode as a panacea for your application security needs. While it's true that taint mode will help prevent buffer-overflow vulnerabilities, it can not detect all possible forms of malicious code (SQL injections are a notable example). However, the use of this security technology can make great strides toward improving the coding practices of your internal developers and provide you with a sense of comfort when importing external code.
If you'd like to read more about taint mode and its operational details, you may wish to take a look at the CGI/Perl Taint Mode FAQ.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
For more information, visit these resources: