7July_01_2008 Practical Dynamic Taint Analysis notes
Practical Dynamic Taint Analysis for Countering Input Validation Attacks on Web Applications
A runtime information flow tracking technique to detect input validation attacks in web applications.
contributions:
- practical runtime technique which can accurately detect input validation errors
- second line of defense to account for programmer's negligence (missing or incorrect sanitization)
- automatic technique, so it can also address unknown input validation vulnerabilities (no signature needed)
- an information tracking technique that is much more comprehensive than previous similar approaches
- can be applied to various scripting languages that are used in web applications
- versatile policy enforcement: policies can combine the taint information with the actual argument values available at the time of policy enforcement

- prototype tool implemented and evaluated on two scripting languages and a number of web applications. Results: accurate attack detection and reasonable performance overhead, thanks to their optimization techniques.

how?
Key observation from studying input validation attacks: if special characters (e.g. SQL keywords, quotes, shell metacharacters) are found in those parts of a security-sensitive operation's arguments (e.g. a SQL query string) that were directly copied from untrusted input, then that is a very strong indicator of an attack.

- Identify untrusted inputs (sources) and security-sensitive operations (sinks).
- Use information tracking to identify, at a fine (per-character) level of granularity, how arguments to sensitive operations are derived from untrusted user inputs.
- Express and enforce security policies that can use the content of sensitive arguments together with the information about which parts were derived from untrusted input.
  A simple example of such a policy is: "only those characters in the query string that weren't derived from untrusted input can be special characters."

approach: precise "taintedness" tracking on program memory at runtime.
- each stored value carries a taint mark recording whether it was copied from untrusted data
- annotations mark the untrusted sources (the points where untrusted input enters the program)
- additional code is inserted to propagate taint from tainted input to everything copied or derived from it, and to check the policy at each sensitive operation
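Worked illustration of the policy on the "special characters" example above and of the per-character taint propagation described in the approach. This is an added example written for these notes, not the paper's prototype: the class and function names (TaintedStr, check_sql_sink, run_query, the query builders) and the keyword/special-character lists are my own assumptions, and the policy is a simplified version of the notes' one-sentence policy (tainted characters may not be SQL special characters, and a tainted run may not contribute a SQL keyword or comment marker). The sample inputs are constructed.

```python
# Added example (not the paper's code). Character-granularity taint tracking
# with a sink-side policy check for SQL queries. All names are hypothetical.
import re

# Assumed policy parameters: characters and keywords that untrusted input
# must not contribute to a query. A real policy would be per-sink and richer.
SQL_SPECIAL_CHARS = set("'\";\\")
SQL_KEYWORDS = {"OR", "AND", "UNION", "SELECT", "DROP", "INSERT",
                "DELETE", "UPDATE", "WHERE"}


class TaintedStr:
    """A string plus a per-character taint bitmap (True = copied from untrusted input)."""

    def __init__(self, text, taint=None):
        self.text = text
        self.taint = list(taint) if taint is not None else [False] * len(text)
        assert len(self.taint) == len(self.text)

    @classmethod
    def untrusted(cls, text):
        """Source annotation: everything read from the request is fully tainted."""
        return cls(text, [True] * len(text))

    # Propagation: concatenation keeps each character's taint mark.
    def __add__(self, other):
        if not isinstance(other, TaintedStr):
            other = TaintedStr(str(other))          # program constants are untainted
        return TaintedStr(self.text + other.text, self.taint + other.taint)

    def __radd__(self, other):
        return TaintedStr(str(other)) + self

    def tainted_runs(self):
        """Maximal runs of consecutive tainted characters as (start, end) pairs."""
        runs, start = [], None
        for i, t in enumerate(self.taint + [False]):
            if t and start is None:
                start = i
            elif not t and start is not None:
                runs.append((start, i))
                start = None
        return runs


class InputValidationAttack(Exception):
    pass


def check_sql_sink(query):
    """Policy at the SQL sink. Returns a list of violations (empty = allowed)."""
    violations = []
    # Rule 1 (the notes' example policy): only untainted characters may be special.
    for i, (ch, t) in enumerate(zip(query.text, query.taint)):
        if t and ch in SQL_SPECIAL_CHARS:
            violations.append(f"tainted special char {ch!r} at offset {i}")
    # Rule 2: a tainted run may not supply a keyword or a comment marker,
    # which catches injection into unquoted numeric positions.
    for s, e in query.tainted_runs():
        chunk = query.text[s:e]
        if "--" in chunk or "/*" in chunk:
            violations.append(f"tainted comment marker in {chunk!r}")
        for word in re.findall(r"[A-Za-z_]+", chunk):
            if word.upper() in SQL_KEYWORDS:
                violations.append(f"tainted keyword {word!r} in {chunk!r}")
    return violations


def build_login_query(user, password):
    """Program's own (untainted) template with untrusted fragments copied in."""
    return "SELECT * FROM users WHERE name='" + user + "' AND pw='" + password + "'"


def build_by_id_query(user_id):
    """Unquoted numeric position: no quote needed to inject, so Rule 1 alone is not enough."""
    return "SELECT * FROM users WHERE id=" + user_id


def run_query(query):
    """Sink wrapper: enforce the policy, then hand the plain text to the database."""
    violations = check_sql_sink(query)
    if violations:
        raise InputValidationAttack("; ".join(violations))
    return query.text


if __name__ == "__main__":
    # Constructed inputs: one benign login, one classic injection, one numeric injection.
    print(run_query(build_login_query(TaintedStr.untrusted("alice"),
                                      TaintedStr.untrusted("s3cret"))))
    for q in (build_login_query(TaintedStr.untrusted("' OR '1'='1"),
                                TaintedStr.untrusted("x")),
              build_by_id_query(TaintedStr.untrusted("1 OR 1=1"))):
        try:
            run_query(q)
        except InputValidationAttack as err:
            print("blocked:", err)
```

The quotes in the template are untainted, so the benign login query passes even though it contains special characters; in the attack the same quote characters arrive tainted and are rejected. The second rule is what makes the numeric case detectable, since `1 OR 1=1` needs no special character at all. Such word-level rules can misfire on a legitimate value that happens to spell a keyword, which is why the notes stress that the policy can use the argument content together with the taint information rather than either alone.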