SpoC 007 - Python Tainted Mode

Revision as of 16:16, 27 August 2007 by Pauloc (Talk | contribs)

Jump to: navigation, search

Back to SpoC 007 Selection page

AoC Candidate: Denis

Project coordinator: TBA

Project Progress: 75% Complete, Progress Page


Denis – Python Tainted Mode

Executive Summary

I am graduate student of Moscow State University, department of Computational Mathematics and Cybernetics. My graduate work is dedicated to web-application security. The goal of my graduate work is to combine dynamic code analysis with penetration testing to provide more precise analysis. This work will help to find security vulnerabilities in web-applications. I successfully presented parts of my work at university conferences.

My Project

The goal of my project is to create analog of Perl’s Taint Mode for Python programming language. Taint mode is successfully used in Perl, PHP, and Ruby to find input validation vulnerabilities in web-applications (PHPRevent). Unfortunately there is no implementation of Taint Mode for Python language despite of wide spread of Python-based web-applications. Taint Mode for Python is highly claimed. I plan to modify Python interpreter and add Taint label propagation. Then I’ll add three configuration lists:

  • List of sources. All data emanating from sources must be marked tainted.
  • List of critical functions, that shouldn’t receive tainted data.
  • List of sanitizing functions that untaints data.

Why I should be sponsored for the project

I have strong mathematical & computer science background. I’m familiar with research publications on dynamic analysis and with implementation of taint mode in Perl and PHP (PHPrevent Project). This project is part of my work at university. It will be made under mentoring of my scientific advisor. This work is already practically done that’s why I’m sure I will finish my project in time. I have strong skills in developing projects with Python, Java, C, C++, and Assembler. Then I plan to support, develop and enhance my project and increase its quality with penetration testing.

Back to SpoC 007 Selection page