[Haskell-beginners] Type checking to prevent data injection attacks?

Peter Hall peter.hall at memorphic.com
Fri Dec 21 22:01:37 CET 2012


Yep, search for the standard examples of Phantom Types.

Peter


On 21 December 2012 20:49, Mike Meyer <mwm at mired.org> wrote:

> While thinking about my next blog posting, I realized that it was a
> technique similar to what Perl does with the concept of "tainted"
> strings.
>
> If you're not familiar with it (and I'm probably getting the details
> wrong, not having written any perl in decades), a string that comes
> from an external source is considered "tainted". String constants in
> the program source are not. There's a builtin that can be used to
> declare a tainted string as not being tainted (presumably, the
> programmer has examined it somehow to determine this). Any string
> operations that return strings return tainted strings if any of the
> strings involved were tainted. Finally, functions that are subject to
> data injection attacks don't work on tainted strings.
>
> It seems like the Haskell type system ought to be able to support
> this. I can see a couple of approaches that might work (a "tainted"
> monad for use on the different string types or an Either-ish datatype),
> but don't have the chops to decide which approach
> might be better - or maybe the answer is that it depends on the
> goal.
>
> I did some googling for this, but didn't turn up anything that seemed
> promising. Lots of stuff on type checking untrusted values, but no
> flagging strings as untrusted. Which leaves the questions...
>
> Is this actually a sane idea?
>
> Is there already a Haskell package that does this? Possibly part of a
> web framework?
>
> A package for another language, or a paper discussing doing this?
>
> Thoughts on other approaches than the two I mentioned?
>
> Thoughts on the best way to do this?
>
>     Thanks,
>     <mike
>
> _______________________________________________
> Beginners mailing list
> Beginners at haskell.org
> http://www.haskell.org/mailman/listinfo/beginners
>
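The phantom-type approach Peter points at, written out as an added example for this thread (it is not code from either poster, and the names Taint, Str, fromInput, literal, Join, append, sanitize, runQuery and render are invented for the illustration). The taint status becomes a type parameter that is never stored at runtime: external input enters as 'Tainted, source literals are 'Clean, concatenation is tainted if either side is, and the injection-prone sink only type-checks against 'Clean. The sample strings are constructed stand-ins for request data.

```haskell
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE KindSignatures #-}
{-# LANGUAGE TypeFamilies #-}

-- Added example of taint tracking with a phantom type parameter.
-- All names here are invented for this illustration; none come from a package.

import Data.Char (isAlphaNum)

-- Taint status, promoted to the kind level by DataKinds so it can index Str.
data Taint = Tainted | Clean

-- The parameter t is phantom: nothing of it exists at runtime, it only tags the
-- string during type checking. In real code the Str constructor would be hidden
-- behind a module export list so the smart constructors are the only way in.
newtype Str (t :: Taint) = Str String

-- Anything from outside the program (request parameter, file, socket) is Tainted.
fromInput :: String -> Str 'Tainted
fromInput = Str

-- String constants written in the program source are Clean.
literal :: String -> Str 'Clean
literal = Str

-- Taint propagation, computed at the type level: the result of combining two
-- strings is Clean only when both inputs are Clean.
type family Join (a :: Taint) (b :: Taint) :: Taint where
  Join 'Clean 'Clean = 'Clean
  Join a      b      = 'Tainted

append :: Str a -> Str b -> Str (Join a b)
append (Str x) (Str y) = Str (x ++ y)

-- The only route from Tainted to Clean is a validation step. Note the limit of
-- the technique: the type records that some check ran, not that it was adequate.
sanitize :: (String -> Bool) -> Str 'Tainted -> Maybe (Str 'Clean)
sanitize ok (Str s)
  | ok s      = Just (Str s)
  | otherwise = Nothing

-- A sink subject to injection. Handing it a Str 'Tainted is a compile-time
-- type error, which is the whole point of the exercise.
runQuery :: Str 'Clean -> String
runQuery (Str s) = "executing: " ++ s

-- Reading the contents is allowed at any taint level (for logging, say).
render :: Str t -> String
render (Str s) = s

-- Whitelist: a non-empty, purely alphanumeric name may reach the query sink.
isSafeName :: String -> Bool
isSafeName s = not (null s) && all isAlphaNum s

attempt :: Str 'Clean -> Str 'Clean -> Str 'Tainted -> IO ()
attempt prefix suffix input =
  case sanitize isSafeName input of
    Nothing    -> putStrLn ("rejected: " ++ render input)
    Just clean -> putStrLn (runQuery (append prefix (append clean suffix)))

main :: IO ()
main = do
  -- Constructed sample inputs standing in for data read from a request.
  let hostile = fromInput "bob' OR 1=1 --"
      benign  = fromInput "bob"
      prefix  = literal "SELECT * FROM users WHERE name = '"
      suffix  = literal "'"
      -- Clean ++ Tainted ++ Clean is inferred as Str 'Tainted.
      query   = append prefix (append hostile suffix)
  putStrLn ("built (tainted): " ++ render query)
  -- The next line does not compile: Couldn't match type 'Tainted with 'Clean
  -- putStrLn (runQuery query)
  mapM_ (attempt prefix suffix) [hostile, benign]
```

Running it prints the tainted query that was built, then "rejected: bob' OR 1=1 --" for the hostile input and "executing: SELECT * FROM users WHERE name = 'bob'" for the benign one; uncommenting the runQuery line on the tainted query turns the injection into a compile error instead of a runtime surprise. The Either-style alternative from the question trades this static guarantee for a runtime tag that every consumer has to inspect, which is why the phantom version is the usual recommendation when the set of trusted sinks is known at compile time.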

