Safety levels are used to represent the level of security a variable has within the security analysis.
The set of safety levels is finite and has a partial order by <=. The order is reflexive, transitive and antisymetric.
The levels are not given a number, but a name. This allows for further extension
in the future. Safety levels that are ranked higher are safer.
Name(s) | Explenation |
safe | Safe/Unknown (default value for variables), upper bound |
integer-type, null-type, object-type, array-type, float-type | Specific types |
string-from-list, matched-string | String is matched to a certain value. |
formatted-string, encoded-string | String is formatted in a special way (e.g. dates, hashed) |
escaped-html, escaped-shell, escaped-slashes | String has no un-escaped character sequences |
raw-input | Raw input that is not to be trusted |
unsafe | Lower bound |
--
EricBouwers - 29 Dec 2006