10-13-12, 04:49 AM   #1
Jarod24
A Theradrim Guardian
Join Date: Jul 2012
Posts: 66
Detecting tainted code

I was just thinking about how Blizzard might be detecting tainted code, and then I came up with this simple approach by which addon developers could do this sort of thing in their own code.

I'm probably re-inventing the wheel here since this must have been thought of before.
I have not found any need to use something like this in my own addons, was just dabbling with some code.

Code:
--Declaration of the original function
function foo()
	print("This is my original un-tainted function");
end
local foo_address = tostring(foo); --Remember locally the string form of the original function reference.

--This will create a new function, overwriting the original
function bar()
	print("Original: "..foo_address);

	foo = function() print("This is a tainted function") end;
	print("New: "..tostring(foo));

	--Detection step: the stored string no longer matches the current global.
	if tostring(foo) ~= foo_address then
		print("foo has been replaced");
	end
end

bar();
Has anyone had the need for this sort of taint-detection in their addon?

The crux is that the "foo_address" is done right after the original function's declaration and that it's local; thereby not modifiable by external code.
__________________
Author of IfThen, Links in Chat
10-13-12, 03:12 PM   #2
SDPhantom
A Pyroguard Emberseer
Join Date: Jul 2006
Posts: 2,323
I haven't really had any need for this sort of thing. The usual approach of keeping everything as a local that doesn't need to be global works fine as nobody can modify it without going into your code and changing it themselves. At that point, any taint detection is a moot point.
__________________
WoWInterface AddOns
"All I want is a pretty girl, a decent meal, and the right to shoot lightning at fools."
-Anders (Dragon Age: Origins - Awakening)
10-14-12, 09:05 AM   #3
Farmbuyer
A Cyclonian
Join Date: Feb 2006
Posts: 43
Originally Posted by Jarod24:
The crux is that the "foo_address" is done right after the original function's declaration and that it's local; thereby not modifiable by external code.
And...? What's the point of foo_address? You can't do anything with machine addresses inside a script.

More generally, what would you do when taint is detected?

- Print an error and refuse to call the function? That's what happens by default already.
- Avoid the "new" function pointer and call the original? Why not do that to begin with?
10-15-12, 09:36 AM   #4
SDPhantom
A Pyroguard Emberseer
Join Date: Jul 2006
Posts: 2,323
Originally Posted by Farmbuyer:
And...? What's the point of foo_address? You can't do anything with machine addresses inside a script.
Pointer addresses can always be used to visually compare and see if any two pointers refer to the same address (functionally, no different than FuncA==FuncB). This is the same as any other by-reference value type.



Originally Posted by Farmbuyer:
More generally, what would you do when taint is detected?
- Print an error and refuse to call the function? That's what happens by default already.
This only happens with the protected Blizzard functions, not ones defined by addons.



Note the OP posted this as prototype code, not necessarily meant for actual use, but to explain a process in place by Blizzard. The actual code in place is in C code that checks the current execution taint instead of if the function pointer stored has changed. This is why hooksecurefunc() works, as the hook function points to secure C code rather than a Lua function. The execution taint updates status every table index (including global environment) and function call.

Last edited by SDPhantom : 10-15-12 at 10:26 AM.
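The execution-taint model SDPhantom describes above (taint that follows the running code, is updated on table indexing and function calls, and is checked by protected functions) can be sketched in plain Lua. The following is an added toy model written for this thread, not Blizzard's implementation and not code from any poster: it assumes a proxy environment table whose metamethods record which addon wrote each key, a per-call taint flag, and a single protected function that refuses tainted callers. Lua 5.1 syntax, which is what the WoW client runs.

```lua
-- Toy execution-taint model (added example, not the game's real tracker).
-- current_taint is nil while "secure" code runs and an addon name otherwise.
local current_taint = nil
local key_taint = {}     -- key -> name of the addon that last wrote it (nil = secure)
local store = {}         -- backing storage for the tracked environment

-- The proxy stays empty, so every read and write goes through the metamethods.
local env = setmetatable({}, {
	__index = function(_, k)
		-- Reading a value written by tainted code taints the current execution.
		if key_taint[k] and not current_taint then
			current_taint = key_taint[k]
		end
		return store[k]
	end,
	__newindex = function(_, k, v)
		store[k] = v
		key_taint[k] = current_taint   -- a secure write clears the key's taint
	end,
})

-- Run f as addon `name` (tainted) or as secure code (name == nil).
-- The previous taint is restored afterwards so one call cannot leak into the next.
local function run_as(name, f, ...)
	local saved = current_taint
	current_taint = name
	local ok, result = pcall(f, ...)
	current_taint = saved
	if not ok then error(result, 0) end
	return result
end

-- A "protected" function in the style of Blizzard's: it checks the caller's
-- execution taint rather than whether some function reference was swapped.
local function protected_action()
	if current_taint then
		return false, "blocked: execution tainted by " .. current_taint
	end
	return true, "action performed"
end

-- Secure code publishes a value, then an addon overwrites it.
run_as(nil, function() env.limit = 10 end)
run_as("MyAddon", function() env.limit = 99 end)

-- Secure code that merely reads the addon-written key becomes tainted
-- before it reaches the protected function, so the action is blocked.
print(run_as(nil, function()
	local _ = env.limit
	return select(2, protected_action())
end))

-- Secure code that never touches the tainted key stays secure.
print(run_as(nil, function()
	return select(2, protected_action())
end))
```

The point the model makes is the one in the post above: nothing here compares function references, so replacing a function is neither necessary nor sufficient for taint. What matters is which code last wrote a value and whether the current execution has touched it.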
10-17-12, 06:28 PM   #5
Farmbuyer
A Cyclonian
Join Date: Feb 2006
Posts: 43
Originally Posted by SDPhantom:
Pointer addresses can always be used to visually compare and see if any two pointers refer to the same address (functionally, no different than FuncA==FuncB). This is the same as any other by-reference value type.
Exactly. There's no point in storing it as a string. Just compare the function references.

Originally Posted by SDPhantom:
Note the OP posted this as prototype code, not necessarily meant for actual use, but to explain a process in place by Blizzard. The actual code in place is in C code that checks the current execution taint instead of if the function pointer stored has changed.
Yes, I know. I've glanced through stock Lua 5 source and think I know how their taint tracker could be implemented. That doesn't answer my question: what would you do next if you detect a change? What's the practical point of this?
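Putting together the OP's prototype and Farmbuyer's point above (compare the references directly instead of their tostring() form), here is an added example of how the detection would look done that way. It is not code from any poster: it assumes a single file that owns the global `foo`, keeps the original in a local upvalue, and reports a replacement while still calling the trusted original. Lua 5.1 syntax.

```lua
-- Reference-comparison taint check (added example, not the OP's code).
-- The original function is published as a global so other code can see it.
function foo()
	return "untainted"
end

-- Private reference to the original. A local upvalue of this file cannot be
-- reassigned by code outside it, so `original_foo` stays trustworthy.
local original_foo = foo

-- True while the global `foo` still refers to the function defined above.
-- Function values compare by identity, so no string conversion is needed.
local function foo_is_original()
	return rawget(_G, "foo") == original_foo
end

-- Always call the trusted original, whatever the global points to now.
-- Returns the original's result plus a flag saying whether a swap was seen.
local function call_foo_safely()
	local replaced = not foo_is_original()
	return original_foo(), replaced
end

-- Simulated third-party code overwriting the global.
local function simulate_overwrite()
	foo = function() return "tainted" end
end

print(foo_is_original())
print(call_foo_safely())
simulate_overwrite()
print(foo_is_original())
print(call_foo_safely())
```

Before the overwrite, `foo_is_original()` is true and `call_foo_safely()` returns the original's value with the flag false; after it, the check returns false while `call_foo_safely()` still returns the original's value, now with the flag true. That also answers "what do you do next": the only robust action available to an addon is to keep using the reference it captured, which is why the thread concludes the check adds little beyond keeping the function local in the first place.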
10-18-12, 02:09 AM   #6
SDPhantom
A Pyroguard Emberseer
Join Date: Jul 2006
Posts: 2,323
Originally Posted by Farmbuyer:
That doesn't answer my question: what would you do next if you detect a change?
That's still up to whoever decides to use this method. It's more of "proof of concept" rather than functional code.



Originally Posted by Farmbuyer:
What's the practical point of this?
There isn't one that I can see. This has been hinted at already.