Insider and ousider threat-sensitive SQL injection vulnerability analysis in PHP

Proceedings - Working Conference on Reverse Engineering, WCRE

Volumn , Issue , 2006, Pages 147-156

  Merlo, Ettore ^a   Letarte, Dominic ^a   Antoniol, Giuliano ^a  

^a ÉCOLE POLYTECHNIQUE DE MONTRÉAL   (Canada)

Author keywords

[No Author keywords available]

Indexed keywords

DATABASE SYSTEMS; SECURITY OF DATA; STATIC ANALYSIS;

FLOW ANALYSIS EQUATIONS; INTER-PROCEDURAL CONTROL FLOW GRAPH (CFG); PHP APPLICATIONS;

COMPUTER PROGRAMMING LANGUAGES;

EID: 34948906804     PISSN: 10951350     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/WCRE.2006.33     Document Type: Conference Paper

References (43)

1. JavaCC. https://javacc.dev.java.net.
2. National Infrastructure Security Co-ordination Centre. http://www.uniras.gov.uk/niscc/index-en.html.
3. PHP grammar. https://javacc.dev.java.net//files/documents/17/14269/ php.jj.
4. U.S. Department of Energy. http://www.ciac.org/ciac/CIACHome.htm.
5. mySql. http://dev.mysql.com/doc.
6. Php. http://www.php.net/manual.
7. phpBB. http://www.phpbb.com.
8. phpBB archive. http://www.phpbb.com/phpBB/viewtopic.php?t=113826.
9. phpBB security. http://www.securityfocus.com/bid/7932.
10. XPath. http://www.w3.org/TR/xpath.
11. C. Anley. Advanced SQL injection. In Technical report. NGSSoftware Insight Security Research, 2002.
12. D. Atkinson and W. Griswold. The design of whole-program analysis tools. Proc. of the Int. Conf. on Software Engineering, pages 16-27, 1996.
13. S. Bouktif, G. Antoniol, and E. Merlo. A feedback based quality assessment to support open source software evolution: the grass case study. In Proceedings of IEEE International Conference on Software Maintenance. IEEE Computer Society Press, 2006 (to appear).
14. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In Proc. of the 2nd Applied Cryptography and Network Security (ACNS) Conference, volume 3089, pages 292-304. Lecture Notes in Computer Science, Springer-Verlag, 2004.
15. G. T. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In 5th international workshop on Software engineering and middleware, SIGSOFT: ACM Special Interest Group on Software Engineering, pages 106 - 113. ACM Press, 2005.
16. A. S. Christensen, A. Moller, and M. I. Schwartzbach. Precise analysis of string expressions. In Proc. of the 10th International Static Analysis Symposium, SAS, pages 1-18. Springer-Verlag, June 2003.
17. W. R. Cook and S. Rai. Safe query objects: Statically typed objects as remotely executable queries. In Proc. of the 27th International Conference on Software Engineering (ICSE). IEEE Computer Society Press, 2005.
18. D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, 1976.
19. K. B. Gallagher and J. R. Lyle. Using program slicing for software maintenance. IEEE Transactions on Software Engineering, 17(8):751-761, 1991.
20. C. Gould, Z. Su, and P. Devanbu. JDBC checker: A static analysis tool for SQL/JDBC applications. In Proc. of the 26th International Conference on Software Engineering (ICSE) - Formal Demos, pages 697-698. IEEE Computer Society Press, 2004.
21. W. G. J. Halfond and A. Orso. Combining static analysis and runtime monitoring to counter SQL-injection attacks. In Proc. of the 3rd International ICSE Workshop on Dynamic Analysis (WODA). IEEE Computer Society Press, May 2005.
22. C. Hammer, J. Kririke, and G. Snelting. Information flow control for java based on path conditions in dependence graphs. In International Symposium on Secure Software Engineering (ISSSE), pages 87-96. IEEE Computer Society Press, March 2006.
23. C. Hammer and G. Snelting. An improved slicer for java. In ACM-SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, pages 17-22. ACM Press, 2004.
24. R. C. Holt, A. Winter, and A. Schürr. Gxl: Toward a standard exchange format. Proceedings 7th Working Conference on Reverse Engineering (WCRE 2000), 2000.
25. T. Holz, S. Marechal, and E Raynal. New threats and attacks on the world wide web. IEEE Security and Privacy Magazine, 4(2):72-75, 2006.
26. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proc. of the 12th International World Wide Web Conference (WWW), May 2004.
27. M. Keeney, D. Cappelli, E. Kowalski, A. Moore, T. Shimeall, and S. Rogers. Insider threat study: Computer system sabotage in critical infrastructure sectors. Technical report, United States Secret Service and CERT Coordination Center/SEI, May 2005.
28. O. Lhoták and L. Hendren. Scaling Java points-to analysis using Spark. In G. Hedin, editor, Compiler Construction, 12th International Conference, volume 2622 of LNCS, pages 153-169, Warsaw, Poland, April 2003. Springer-Verlag.
29. R. McClure and I. Kruger. SQL DOM: Compile time checking of dynamic SQL statements. In Proc. of the 27th International Conference on Software Engineering (ICSE), pages 88-96. IEEE Computer Society Press, 2005.
30. E. Merlo, G. Antoniol, and P. L. Brunelle. Fast flow analysis to compute fuzzy estimates of risk levels. In European Conference on Software Maintenance and Reengineering (CSMR), pages 351-360. IEEE Computer Society Press, 2003.
31. E. Merlo, D. Letarte, and G. Antoniol. Insider threat resistant SQL-injection prevention in PHP. Technical Report EPM-RT-2006-04, Ecole Polytechnique de Montreal, http://www.polymtl.ca/biblio, April 2006.
32. A. Milanova, A. Rountev, and B. G. Ryder. Parameterized object sensitivity for points-to analysis for java. ACM Transactions on Software Engineering and Methodology, 14(1):1-41, January 2005.
33. A. C. Myers, N. Nystrom, L. Zhebg, and S. Sdanewic. Jif: Java information flow, http://www.cornell.edu/jif
34. R Nielson, H. Nielson, and C. Hankin. Principles of Program Analysis. Springer, 1999.
35. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proc. of Recent Advances in Intrusion Detection (RAID), 2005.
36. J. C. Rabek, R. I. Khazan, S. M. Lewandowski, and R. K. Cunningham. Detection of injected, dynamically generated, and obfuscated malicious code. In ACM Workshop on Rapid Malcode (WORM), pages 76-82. ACM Press, 2003.
37. M. R. Randazzo, D. Cappelli, M. Keeney, A. Moore, and E. Kowalski. Insider threat study: Illicit cyber activity in the banking and finance sector. Technical report, United States Secret Service and CERT Coordination Center/SEI, August 2004.
38. T. Reps. Program analysis via graph reachability. Information and Software Technology, 40(11-12):701-726, 1998.
39. S. Sinha, M. J. Harrold, and G. Rothermel. System-dependence-graph-based slicing of programs with arbitrary interprocedural control flow. Proceedings of the 21st International Conference on Software Engineering, pages 432-441, 1999.
40. R Tip. A survey of program slicing techniques. Journal of Programming Languages, 3(3):121-189, 1995.
41. P. Tonella, G. Antoniol, R. Fiutem, and E. Merlo. Flow insensitive c++ pointers and polymorphism analysis and its application to slicing. Proc. of the Int. Conf. on Software Engineering, pages 433-443, 1997.
42. F. Valeur, D. Mutz, and G. Vigna. A learning-based approach to the detection of SQL attacks. In Proc. Detection of Intrusions and Malware Vulnerability Assessment Conference (DIMVA), pages 123-140. IEEE Computer Society press, July 2005.
43. D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. Journal of Computer Security, 4(3):167-187, 1996.