AppSec USA 2017 has ended
Thursday, September 21 • 3:30pm - 4:15pm
Black-Box Approximate Taint Tracking by Utilizing Data Partitioning



The information security industry has a long history of challenges when it comes to ensuring the safety of user input data. User input must be escaped when a template is used to build a string. Whether in HTML, SQL, or shell commands, it is best practice to escape data from untrusted sources. Most of the time this is done by having the developer think through all possible code paths the string could have taken. This requires heroic effort and is still error-prone. Far more reliable is using a type or metadata system to tag the data and track it through the system, but this requires the designer of the system to consistently use the tagged string types, or to add runtime support that provides a tracking mechanism. Further, such techniques (explored extensively in academic research) have invariably encountered severe performance impacts, making them impractical for runtime protection.


We propose a black-box taint tracking system in which we observe only the user inputs (HTTP parameters) and system outputs (commands and SQL queries). By parsing the input and the output commands we can determine whether an input data partition straddles an output data partition. A straddle indicates that the input has carried information from the data portion of the output into its command portion. Since we look only at the input and output of the application code, code complexity is arbitrary. Previously, if a system was not designed from the beginning to have taint tracking, introducing taint tracking was cost prohibitive. “Approximate taint tracking” allows after-the-fact introduction of these protections in a way that is cost-effective and performant.
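The following is an added illustration of the straddle check described above; it is not code from the talk or from tCell's product. It partitions an outgoing SQL string into lexical tokens (string literals, numbers, identifiers, operators), locates each incoming parameter value in that string, and flags any occurrence that overlaps more than one token, meaning the input crossed from a data partition into the command partition. The SQL subset, the assumption that the application escapes values by doubling single quotes, the minimum-length filter, and all queries and parameters are constructed for the example; a shell-command output would need its own partitioner in the same style.

```python
"""Toy black-box "approximate taint tracking" for SQL output.
Added example, not the talk's or tCell's code. Observes only request
parameters (input) and the SQL text the application emits (output)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Partitioner for a small SQL subset. Each match is one output partition
# (token) with its character span in the query string. Assumed escaping
# convention: a single quote inside a literal is written as ''.
_SQL_TOKEN = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')         # single-quoted literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)          # integer or decimal literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)   # identifier or keyword
  | (?P<op>[^\s])                      # any other non-space char: operator/punct
    """,
    re.VERBOSE,
)


@dataclass(frozen=True)
class Token:
    kind: str
    text: str
    start: int
    end: int  # exclusive


def tokenize_sql(query: str) -> list[Token]:
    """Split the query into output partitions, dropping whitespace."""
    return [Token(m.lastgroup, m.group(), m.start(), m.end())
            for m in _SQL_TOKEN.finditer(query)]


def _overlapping(tokens: list[Token], start: int, end: int) -> list[Token]:
    return [t for t in tokens if t.start < end and t.end > start]


def straddles(query: str, value: str, min_len: int = 3) -> bool:
    """True if some occurrence of the parameter value in the query overlaps
    more than one token, i.e. the input straddles an output partition.
    Values shorter than min_len are skipped: tiny substrings such as "1"
    match almost any query and would give false positives. The escaped
    form of the value (assumed '' convention) is searched as well, so a
    correctly escaped value that lands inside one string literal is clean."""
    if len(value) < min_len:
        return False
    tokens = tokenize_sql(query)
    for candidate in {value, value.replace("'", "''")}:
        for m in re.finditer(re.escape(candidate), query):
            if len(_overlapping(tokens, m.start(), m.end())) > 1:
                return True
    return False


def find_injections(params: dict[str, str], queries: list[str]) -> list[tuple[str, str]]:
    """Return (parameter name, query) pairs where the parameter straddles
    partitions of that query. This is the only view the black-box check
    has: request parameters in, SQL text out, no application code."""
    return [(name, q) for name, value in params.items()
            for q in queries if straddles(q, value)]


if __name__ == "__main__":
    # Constructed sample traffic: one request, two emitted queries.
    request = {"name": "' OR '1'='1", "id": "42 OR 1=1"}
    emitted = [
        "SELECT * FROM users WHERE name = '' OR '1'='1'",   # unescaped name
        "SELECT * FROM users WHERE id = 42 OR 1=1",         # unescaped id
        "SELECT * FROM users WHERE name = ''' OR ''1''=''1'",  # escaped name
    ]
    for name, q in find_injections(request, emitted):
        print(f"parameter {name!r} straddles partitions in: {q}")
```

The check never sees the application code or the template that built the query, which is the point of the black-box approach: the same two observations (parameters in, query out) work regardless of how convoluted the code path between them was. False positives from short or very common values are the main tuning problem, which is why the example applies a minimum length before searching.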


Boris Chen

VP of Engineering, tCell.io, Inc.
Boris is co-founder and VP of Engineering at tCell, a security startup based in San Francisco. tCell's solution is the next generation of runtime attack monitoring and protection for web applications, covering the OWASP Top 10 and more. Boris's interest lies in the intersection of...

Thursday September 21, 2017 3:30pm - 4:15pm EDT
Coronado L