CORE GRASP

CORE GRASP is a web application protection technique designed by A. Futoransky, E. Gutesman, D. Tiscornia and A. Waissbein from CoreLabs. GRASP protects against injection vulnerabilities and enforces privacy in web applications. Roughly speaking, we use (dynamic) taint analysis at character granularity to detect and block injection and cross-site scripting attacks. An implementation protecting PHP has been made public (open source) at http://grasp.coresecurity.com.

Grasp is implemented for PHP by instrumenting the interpreter's source code in three ways. First, zvals are augmented so that each character handled by the interpreter is assigned a value, tainted or untainted. Second, all the functions used to manipulate zvals are modified so that they propagate taint information. Third, security checks are prepended to output functions (e.g., the API to MySQL, to detect SQL-injection attacks).
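The following is an added illustration of that design, not code from Grasp itself: a small Python model of per-character taint marks, their propagation through string operations, and a check run before a SQL sink. The names `TStr`, `tainted_outside_literals`, `guarded_query` and `build`, and the policy that tainted characters may only appear as data inside a single-quoted literal, are assumptions made for the example.

```python
class TStr:
    """Model of a taint-augmented string: one boolean mark per character."""
    def __init__(self, text, tainted=False, marks=None):
        self.text = text
        self.marks = list(marks) if marks is not None else [tainted] * len(text)

    def __add__(self, other):      # concatenation keeps each operand's marks
        return TStr(self.text + other.text, marks=self.marks + other.marks)

    def upper(self):               # length-preserving transform: marks carry over
        return TStr(self.text.upper(), marks=self.marks)


class InjectionBlocked(Exception):
    pass


def tainted_outside_literals(q):
    """Offsets of tainted characters that are not data inside a '...' literal.

    Assumed policy (simplified): user-derived characters may only be data
    inside a single-quoted SQL literal; '' is an escaped quote inside one.
    Backslash escapes are not modelled.
    """
    bad, in_lit, i = [], False, 0
    while i < len(q.text):
        c = q.text[i]
        if c == "'":
            if in_lit and q.text[i + 1:i + 2] == "'":
                i += 2             # escaped quote: still data
                continue
            if q.marks[i]:
                bad.append(i)      # tainted character acting as a delimiter
            in_lit = not in_lit
        elif q.marks[i] and not in_lit:
            bad.append(i)          # tainted character in SQL syntax position
        i += 1
    return bad


def guarded_query(q, execute):
    """Check run before the sink; `execute` stands in for the database API."""
    bad = tainted_outside_literals(q)
    if bad:
        raise InjectionBlocked(f"tainted characters at offsets {bad}")
    return execute(q.text)


def build(name):                   # constructed sample: `name` is request input
    return (TStr("SELECT * FROM users WHERE name = '")
            + TStr(name, tainted=True) + TStr("'"))
```

Because the marks travel with each character, the check needs no knowledge of how the query was assembled: it only looks at which characters of the final string came from input and where they sit in the SQL syntax.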

The first version of Grasp was implemented over PHP 3.xx in 2004, and it included SQL-injection protection for MySQL. We also instrumented subsequent PHP versions and finally made our software public at Black Hat Briefings 2007 (Las Vegas).

Separately, in 2005 we showed how to use the Grasp technique to provide some interesting privacy features. Briefly, we provided the means to enforce privacy requirements by configuring the Grasp for PHP server so that information entering the interpreter receives a label according to its origin (e.g., private, for your eyes only, public), and so that the server enforces whether information with a given label may flow to a given output (e.g., database/storage, internet).