Re: [Haskell-beginners] Type checking to prevent data injection attacks?

Yep, search for the standard examples of Phantom Types. Peter On 21 December 2012 20:49, Mike Meyer wrote:

While thinking about my next blog posting, I realized that it was a technique similar to what Perl does with the concept of "tainted" strings.

If you're not familiar with it (and I'm probably getting the details wrong, not having written any perl in decades), a string that comes from an external source is considered "tainted". String constants in the program source are not. There's a builtin that can be used to say that declares a tainted string as not being tainted (presumably, the programmer has examined it somehow to determine this). Any string operations that return strings return tainted strings if any of the strings involved were tainted. Finally, functions that are subject to data injection attacks don't work on tainted strings.

It seems like the Haskell type system ought to be able to support this. I can see a couple of approaches that might work (a "tainted" monad for use on the different string types or an Either-ish datatype) that might work, but don't have the chops to decide which approach might be better - or maybe that the answer is that it depends on the goal.

I did some googling for this, but didn't turn up anything that seemed promising. Lots of stuff on type checking untrusted values, but no flagging strings as untrusted. Which leaves the questions...

Is this actually a sane idea?

Is there already a Haskell package that does this? Possibly part of a web framework?

A package for another language, or a paper discussing doing this?

Thoughts on other approaches than the two I mentioned?

Thoughts on the best way do to do this?

Thanks,

_______________________________________________ Beginners mailing list Beginners@haskell.org http://www.haskell.org/mailman/listinfo/beginners