|Join hundreds of other Developers and InfoSec professionals for Training, Sessions and Community at our first conference of 2019|
[AppSec Tel Aviv, May 26-30th]
SpoC 007 - Python Tainted Mode
AoC Candidate: Zalivin Denis
Project coordinator: Dinis Silva
Project Progress: 100% Complete, Progress Page
Denis – Python Tainted Mode
I am graduate student of Moscow State University, department of Computational Mathematics and Cybernetics. My graduate work is dedicated to web-application security. The goal of my graduate work is to combine dynamic code analysis with penetration testing to provide more precise analysis. This work will help to find security vulnerabilities in web-applications. I successfully presented parts of my work at university conferences.
The goal of my project is to create analog of Perl’s Taint Mode for Python programming language. Taint mode is successfully used in Perl, PHP, and Ruby to find input validation vulnerabilities in web-applications (PHPRevent). Unfortunately there is no implementation of Taint Mode for Python language despite of wide spread of Python-based web-applications. Taint Mode for Python is highly claimed. I plan to modify Python interpreter and add Taint label propagation. Then I’ll add three configuration lists:
- List of sources. All data emanating from sources must be marked tainted.
- List of critical functions, that shouldn’t receive tainted data.
- List of sanitizing functions that untaints data.
Why I should be sponsored for the project
I have strong mathematical & computer science background. I’m familiar with research publications on dynamic analysis and with implementation of taint mode in Perl and PHP (PHPrevent Project). This project is part of my work at university. It will be made under mentoring of my scientific advisor. This work is already practically done that’s why I’m sure I will finish my project in time. I have strong skills in developing projects with Python, Java, C, C++, and Assembler. Then I plan to support, develop and enhance my project and increase its quality with penetration testing.