污染源与污点入口点

时间:2015-07-18 12:32:32

标签: fortify

Taint source和Taint入口点有什么区别?我看到两个地方都不同,但听到人们互换使用它们。

有人可以详细解释我。请。

1 个答案:

答案 0 :(得分:0)

根据Fortify_Glossary文件(第29页),Taint Source和Taint Entry Point将是同一件事:

污点

A program point where tainted data must not flow. When the Dataflow Analyzer finds a point where data can flow from source to sink, it reports an issue.

污染源

A program point through which tainted data enters, such as a function that reads data from an untrusted data source.

但是,我们应该知道污点标志可以分为3类:

污点旗帜来源:(污点旗帜类别)

常规(从应用程序外部提供数据)

CONSTANTFILE, DATABASE, FORM, GUI_FORM, NETWORK, SERIALIZED, STREAM, WEB, WEBSERVICE

特定(表示来自应用程序内部的数据)

ARGS, FILE_SYSTEM, ENVIRONMENT, PRIVATE, PROPERTY, REGISTRY, STDIN, SYSTEMINFO

中立:描述数据的属性

NUMBER, EXCEPTIONINFO, VALIDATED_issue category, etc.