Subj : Re: Tainting in Rhino
To : news
From : Brendan Eich
Date : Thu Jul 29 2004 12:39 pm

news wrote:
> Thanks for your prompt replies. First, let me say that I am happy to see
> Brendan still working on JS; I interned at the JavaScript group at Netscape
> back in 1998, when Clay Lewis was its manager...

Hey, were you going by a different first name then?

> Let me give you a bit more background: I work at a research group at
> Stanford doing language security. As part of our research, we came up with a
> runtime tool that allows you, among other things, to
> 1. provide sources and sinks
> 2. automatically instrument the relevant Java code to maintain taint
> throughout the program.

Cool -- have you published anything yet?

Perl-style tainting is ok for set-uid script security, or was (I haven't
followed Perl closely in a while, although I'm enjoying the Perl 6 design
Revelations etc., eagerly awaiting the Apocrypha). But it's not what web
browsers need for cross-site scripting protection.

> Then the JavaSource would be automatically instrumented to obtain something
> like rhino_instr.jar. We have applied this technique to other types of Java
> program to discover various propagation-related properties.

Any quantification of overhead in code space and runtime?

> I thought there
> would be something in the context of Rhino embedding, especially because it
> doesn't lend itself to static analysis, as the exact propagation behaviour
> is script-dependent.

Dynamic analysis or checking is definitely required. I'm interested to learn
more about your research.

/be
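A minimal model of the source/sink/propagation scheme the quoted message describes, as an added illustration that is not Rhino code or the Stanford tool; `TaintedString`, `fromSource`, `escapeHtml` and `htmlSink` are invented names, and the input string is constructed for the demo:

```javascript
// Dynamic taint tracking in miniature: values from an untrusted source carry
// a set of origins, string operations propagate that set, and a sink refuses
// any value that still carries taint unless it has been declassified.
class TaintedString {
  constructor(value, sources) {
    this.value = value;
    this.sources = new Set(sources); // which sources contributed to this value
  }
  // Propagation rule: any operation reading tainted data yields tainted data,
  // with the union of the operands' sources.
  concat(other) {
    const isT = other instanceof TaintedString;
    const otherValue = isT ? other.value : String(other);
    const otherSources = isT ? other.sources : [];
    return new TaintedString(this.value + otherValue, [...this.sources, ...otherSources]);
  }
  slice(start, end) {
    return new TaintedString(this.value.slice(start, end), this.sources);
  }
  toUpperCase() {
    return new TaintedString(this.value.toUpperCase(), this.sources);
  }
}

// Source: untrusted input is wrapped and tagged with where it came from.
function fromSource(value, origin) {
  return new TaintedString(String(value), [origin]);
}

// Declassification for the HTML sink: escaping yields a plain (untainted) string.
function escapeHtml(ts) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return ts.value.replace(/[&<>"']/g, c => map[c]);
}

// Sink: emits only untainted data; tainted data is reported with its origins.
function htmlSink(value) {
  if (value instanceof TaintedString) {
    throw new Error('tainted data reached HTML sink from: ' + [...value.sources].join(', '));
  }
  return '<div>' + value + '</div>';
}

// Demo on a constructed request parameter: taint survives concat/toUpperCase,
// the raw value is blocked at the sink, the escaped value is accepted.
function demo() {
  const name = fromSource('<b>Bob</b>', 'query:name');
  const greeting = new TaintedString('Hello, ', []).concat(name).toUpperCase();
  let blocked = false;
  try { htmlSink(greeting); } catch (e) { blocked = true; }
  return { blocked, sources: [...greeting.sources], safe: htmlSink(escapeHtml(greeting)) };
}
```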