CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C#

Taint Tracking for CodeSonar C# Warning Classes

Overview

Many dangerous software errors are due to the injection of untrusted data into sensitive routines, such as database queries, HTML output, or file system access. These attacks are generally known as injection attacks. The unifying aspect of these errors is that user input can flow, unconstrained, into sensitive routines.

CodeSonar finds potential injection attacks through a taint analysis that tracks paths of tainted data from source locations to sink locations.

We use the following terminology.

taint source
A point at which a tainted value can enter a program.
taint sink
A program point at which some kind of harm will be caused if a tainted value is used.
taint propagation
A program operation in which taint from an operand is transmitted to the result (or to other operands).
taint sanitizing (or cleansing)
A program operation in which taint is removed from one or more operands.
CodeSonar provides two mechanisms for identifying taint sources, sinks, and sanitizers.

For full details of these mechanisms, including lists of automatically recognized methods and details about user annotations, see the following pages.
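The four terms defined above, marked on a small C# class. This is an added example, not taken from the CodeSonar manual: OrderLookup, the Orders table and its columns are hypothetical, and whether CodeSonar treats a given call as a source, sink or sanitizer depends on its recognized-method lists and user annotations, which this page does not reproduce.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added illustration; OrderLookup, the Orders table and its columns are hypothetical.
public static class OrderLookup
{
    // Flawed form: user input reaches the query text unconstrained.
    public static object TotalUnsafe(string connStr)
    {
        string customer = Console.ReadLine();                          // taint source
        string filter = "Customer = '" + customer + "'";               // taint propagation
        string sql = "SELECT SUM(Total) FROM Orders WHERE " + filter;  // result is still tainted
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))                    // taint sink: query text
        {
            conn.Open();
            return cmd.ExecuteScalar();
        }
    }

    // Allow-list of sortable columns; values are constants owned by the program.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "date", "OrderDate" }, { "total", "Total" }
        };

    // Sanitizing step: whatever comes in, the result is one of our own constants.
    public static string SortColumn(string requested)
    {
        return requested != null && SortColumns.TryGetValue(requested, out var col)
            ? col : "OrderDate";
    }

    // Corrected form: values are bound as parameters, identifiers go through the allow-list.
    // customer and sort are assumed tainted; the caller passes an open connection
    // and disposes the returned reader.
    public static IDataReader ListSafe(SqlConnection conn, string customer, string sort)
    {
        string sql = "SELECT OrderDate, Total FROM Orders WHERE Customer = @customer"
                   + " ORDER BY " + SortColumn(sort);
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@customer", SqlDbType.NVarChar, 64).Value =
            (object)customer ?? DBNull.Value;
        return cmd.ExecuteReader();
    }
}
```

A column name cannot be bound as a SQL parameter, which is why the sort key is sanitized through an allow-list while the customer value is parameterized.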

Warning Classes

Checks for the following CodeSonar C# warning classes make use of this taint analysis.

Tainted Network Address CSHARP.IO.TAINT.ADDR
Code Injection CSHARP.IO.INJ.CODE
Command Injection CSHARP.IO.INJ.COMMAND
Tainted Control CSHARP.IO.TAINT.CONTROL
DLL Injection CSHARP.IO.INJ.DLL
DOS Injection CSHARP.IO.INJ.DENIAL
Tainted Hardware Device Property CSHARP.IO.TAINT.DEVICE
Tainted Expression Evaluation CSHARP.IO.TAINT.EVAL
Tainted @Trusted Value CSHARP.IO.TAINT.TRUSTED
Tainted HTTP Response CSHARP.IO.TAINT.HTTP
Tainted LDAP Attribute CSHARP.IO.TAINT.LDAP.ATTR
Tainted LDAP Filter CSHARP.IO.TAINT.LDAP.FILTER
Tainted Log CSHARP.IO.TAINT.LOG
Tainted Message CSHARP.IO.TAINT.MESSAGE
Tainted Path CSHARP.IO.TAINT.PATH
Reflection Injection CSHARP.IO.TAINT.REFLECTION
Tainted Regular Expression CSHARP.IO.TAINT.REGEX
Tainted Resource CSHARP.IO.TAINT.RESOURCE
Tainted Session CSHARP.IO.TAINT.SESSION
SQL Injection CSHARP.IO.INJ.SQL
Tainted Bundle CSHARP.IO.TAINT.BUNDLE
Tainted URL CSHARP.IO.TAINT.URL
Tainted XAML CSHARP.IO.TAINT.XAML
Tainted XML CSHARP.IO.TAINT.XML
Tainted Xpath CSHARP.IO.TAINT.XPATH
Cross Site Scripting CSHARP.IO.INJ.XSS

Basic vs. Advanced Checking

When enabled, checks for the taint-related C# warning classes can be performed at either basic or advanced level.

Basic
This is generally quicker than the advanced setting, but is likely to miss more complex warnings.
Advanced
The advanced-level checker performs a more sophisticated analysis and will generally produce fewer false negatives (that is, miss fewer real problems) than the basic setting. However, it also takes longer and generally produces more false positives.

The level of checking is controlled by the setting of configuration parameter CSHARP_ANALYSIS_ADVANCED_INJECTION. Note that this controls the level of checking for all the warning classes listed.
