This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SpoC 007 - Python Tainted Mode - Progress Page"
From OWASP
| Line 1: | Line 1: | ||
== Objectives for OWASP Spring of Code 2007 == | == Objectives for OWASP Spring of Code 2007 == | ||
| + | |||
| + | [http://zigzag.lvk.cs.msu.su/~petand/Py_TM/TaintedMode.pdf Python Tainted Mode Documentation, version 1.0.0] | ||
| + | |||
| + | |||
| + | '''As for Python Tainted Mode delivery:''' | ||
| + | |||
| + | [http://zigzag.lvk.cs.msu.su/~petand/Py_TM/Python-2.4.4.zip Python Tainted Mode with applied patch] | ||
| + | |||
| + | Python Tainted Mode patch only files: | ||
| + | http://zigzag.lvk.cs.msu.su/~petand/Py_TM/Python-patch-2.4.4.zip | ||
| + | Python Tainted Mode documentation: | ||
| + | http://zigzag.lvk.cs.msu.su/~petand/Py_TM/TaintedMode.pdf | ||
| + | |||
=== Accomplished objectives at 1st of November 2007 === | === Accomplished objectives at 1st of November 2007 === | ||
| Line 13: | Line 26: | ||
* '''[100%]''' Perform review of most popular Python frameworks in order to complete configuration profiles that contain signature of input, filter and critical callable objects for each framework. | * '''[100%]''' Perform review of most popular Python frameworks in order to complete configuration profiles that contain signature of input, filter and critical callable objects for each framework. | ||
* '''[100%]''' Perform testing and state proposals for future work. | * '''[100%]''' Perform testing and state proposals for future work. | ||
| − | |||
| − | |||
Revision as of 17:48, 5 November 2007
Objectives for OWASP Spring of Code 2007
Python Tainted Mode Documentation, version 1.0.0
As for Python Tainted Mode delivery:
Python Tainted Mode with applied patch
Python Tainted Mode patch only files: http://zigzag.lvk.cs.msu.su/~petand/Py_TM/Python-patch-2.4.4.zip Python Tainted Mode documentation: http://zigzag.lvk.cs.msu.su/~petand/Py_TM/TaintedMode.pdf
Accomplished objectives at 1st of November 2007
- [100%] Formalize Tainted Mode paradigm.
- [100%] Add 'tainted' flag field to str and unicode Python types that tracks data taintedness.
- [100%] Provide propagation of 'tainted' flag throughout strings interaction (concatenation, substring, etc.).
- [100%] Add support for logging of Python programms traces. For debug and analysys purposes only.
- [100%] Add support for analysys of callable objects invocation. Callable object is classified as input, filter, critical or other.
- [100%] Add support for analysys of retrieving data from object fields. For example, data from mod_python's mp_request.headers_in["Accept"] should be treated as tainted.
- [100%] Add support for exceptions raising after tainted data is passed into critical callable objects. This would be "Classical Tainted Mode".
- [100%] Add support for logging of tainted arguments passed into critical callable objects. This would be "Tainted Mode with Logging".
- [100%] Perform review of most popular Python frameworks in order to complete configuration profiles that contain signature of input, filter and critical callable objects for each framework.
- [100%] Perform testing and state proposals for future work.
