Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering

Volumn , Issue , 2006, Pages 175-185

  Halfond, William G J ^a   Orso, Alessandro ^a   Manolios, Panagiotis ^a  

^a GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

Dynamic tainting; Runtime monitoring; SQL injection

Indexed keywords

DYNAMIC TAINTING; RUNTIME MONITORING; SQL INJECTION;

QUERY LANGUAGES; SECURITY OF DATA; WORLD WIDE WEB;

COMPUTER CRIME;

EID: 34547379435     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1181775.1181797     Document Type: Conference Paper

References (27)

1. C. Anley. Advanced SQL Injection In SQL Server Applications. White paper, Next Generation Security Software Ltd., 2002.
2. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL Injection. Attacks. In Proc. of the 2nd Applied Cryptography and Network Security Conf. (ACNS '04), pages 292-302, Jun. 2004.
3. G. T. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using Parse Tree Validation to Prevent SQL Injection Attacks. In Proc. of the 5th Intl. Workshop on Software Engineering and Middleware (SEM '05), pages 106-113, Sep. 2005.
4. W. R. Cook and S. Rai. Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. In Proc. of the 27th Intl. Conference on Software Engineering (ICSE 2005), pages 97-106, May 2005.
5. T. O. Foundation. Top ten most critical web application vulnerabilities, 2005. http://www.owasp.org/documentation/topten.html.
6. C. Gould, Z. Su, and P. Devanbu. JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications. In Proc. of the 26th Intl. Conference on Software Engineering (ICSE 04) - Formal Demos, pages 697-698, May 2004.
7. C. Gould, Z. Su, and P. Devanbu. Static Checking of Dynamically Generated Queries in Database Applications. In Proc. of the 26th Intl. Conference on Software Engineering (ICSE 04), pages 645-654, May 2004.
8. V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation for Java. In Proc. of the 21st Annual Computer Security Applications Conference, pages 303-311, Dec. 2005.
9. W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proc. of the IEEE and ACM Intl. Conference on Automated Software Engineering (ASE 2005), pages 174-183, Long Beach, CA, USA, Nov. 2005.
10. W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. In Proc. of the Intl. Symposium on Secure Software Engineering, Mar. 2006.
11. M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, Redmond, Washington, Second Edition, 2003.
12. Y. Huang, S. Huang, T. Lin, and C. Tsai. Web Application Security Assessment by Fault Injection and Behavior Monitoring. In Proc. of the 12th Intl. World Wide. Web Conference (WWW 03), pages 148-159, May 2003.
13. Y. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee, and S. Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proc. of the 13th Intl. World Wide Web Conference (WWW 04), pages 40-52, May 2004.
14. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In 2006 IEEE Symposium on Security and Privacy, May 2006.
15. V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the 14th Usenix Security Symposium, Aug. 2005.
16. O. Maor and A. Shulman. SQL Injection Signatures Evasion. White paper, Imperva, Apr. 2004. http://www.imperva.com/application.defense_center/ white_papers/sql_injection_signatures_evasion.html.
17. M. Martin, B. Livshits, and M. S. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language. In OOPSLA '05: Proc. of the 20th Annual ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications, pages 365-383, Oct. 2005.
18. R. McClure and I. Krüger. SQL DOM: Compile Time Checking of Dynamic SQL Statements. In Proc. of the 27th Intl. Conference on Software Engineering (ICSE 05), pages 88-96, May 2005.
19. J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proc. of the 12th Annual Network and Distributed System Security Symposium (NDSS 05), Feb. 2005.
20. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In Twentieth IFIP Intl. Information Security Conference (SEC 2005), May 2005.
21. T. Pietraszek and C. V. Berghe. Defending Against Injection Attacks through Context-Sensitive String Evaluation. In Proc. of Recent Advances in Intrusion Detection (RAID2005), Sep. 2005.
22. J. Saltzer and M. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE, Sep 1975.
23. th Intl. Conference on the World Wide. Web (WWW 2002), pages 396-407, May 2002.
24. Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In The 33rd Annual Symposium on Principles of Programming Languages, pages 372-382, Jan. 2006.
25. F. Valeur, D. Mutz, and G. Vigna. A Learning-Based Approach to the Detection of SQL Attacks. In Proc. of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Vienna, Austria, Jul. 2005.
26. G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proc. of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70-78, Oct. 2004.
27. Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the 15th USENDI Security Symposium, July 2006.