SQLrand: Preventing SQL injection attacks

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 3089, Issue , 2004, Pages 292-302

  Boyd, Stephen W ^a   Keromytis, Angeles D ^a  

^a Columbia University ^*  (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTATIONAL LINGUISTICS; COMPUTER CRIME; DATABASE SYSTEMS; QUERY LANGUAGES; QUERY PROCESSING;

EXISTING SYSTEMS; INPUT VALIDATION; INSTRUCTION-SET RANDOMIZATION; ITS STANDARDS; MYSQL DATABASE; PROTECTION MECHANISMS; SQL INJECTION ATTACKS; TARGET DATABASE;

NETWORK SECURITY;

EID: 35048851186     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-24852-1_21     Document Type: Article

References (37)

1. CERT Vulnerability Note VU#282403. http://www.kb.cert.org/vuls/id/282403, September 2002.
2. A. Acharya and M. Raje. Mapbox: Using parameterized behavior classes to confine applications. In Proceedings of the 9th USENIX Security Symposium, pages 1-17, August 2000.
3. Aleph One. Smashing the stack for fun and profit. Phrack, 7(49), 1996.
4. A. Alexandrov, P. Kmiec, and K. Schauser. Consh: A confined execution environment for internet computations, December 1998.
5. C. Anley. Advanced SQL Injection In SQL Server Applications. http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
6. V. Anupam and A. Mayer. Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies. In Proceedings of the 7th USENIX Security Symposium, pages 187-200, January 1998.
7. R. Balzer and N. Goldman. Mediating connectors: A non-bypassable process wrapping technology. In Proceeding of the 19th IEEE International Conference on Distributed Computing Systems, June 1999.
8. E. G. Barrantes, D. H. Ackley, S. Forrest, T. S. Palmer, D. Stefanovic, and D. D. Zovi. Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pages 281-289, October 2003.
9. A. Berman, V. Bourassa, and E. Selberg. TRON: Process-Specific File Protection for the UNIX Operating System. In Proceedings of the USENIX Technical Conference, January 1995.
10. S. Bhatkar, D. C. DuVarney, and R. Sekar. Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits. In Proceedings of the 12th USENIX Security Symposium, pages 105-120, August 2003.
11. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting Pointers From Buffer Overflow Vulnerabilities. In Proceedings of the 12th USENIX Security Symposium, pages 91-104, August 2003.
12. C. Cowan, S. Beattie, C. Pu, P. Wagle, and V. Gligor. SubDomain: Parsimonious Security for Server Appliances. In Proceedings of the 14th USENIX System Administration Conference (LISA 2000), March 2000.
13. C. Cowan, H. Hinton, C. Pu, and J. Walpole. The Cracker Patch Choice: An Analysis of Post Hoc Security Techniques. In Proceedings of the National Information Systems Security Conference (NISSC), October 2000.
14. C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, Jan. 1998.
15. N. Dor, M. Rodeh, and M. Sagiv. CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), June 2003.
16. S. Forrest, A. Somayaji, and D. Ackley. Building Diverse Computer Systems. In HotOS-VI, 1997.
17. J. Foster, M. Faḧndrich, and A. Aiken. A theory of type qualifiers. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), May 1999.
18. T. Fraser, L. Badger, and M. Feldman. Hardening COTS Software with Generic Software Wrappers. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1999.
19. T. Garfinkel. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools. In Proceedings of the Symposium on Network and Distributed Systems Security (SNDSS), pages 163-176, February 2003.
20. D. P. Ghormley, D. Petrou, S. H. Rodrigues, and T. E. Anderson. SLIC: An Extensibility System for Commodity Operating Systems. In Proceedings of the 1998 USENIX Annual Technical Conference, pages 39-52, June 1998.
21. I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A Secure Environment for Untrusted Helper Applications. In Procedings of the 1996 USENIX Annual Technical Conference, 1996.
22. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering Code-Injection Attacks With Instruction-Set Randomization. In Proceedings of the ACM Computer and Communications Security (CCS) Conference, pages 272-280, October 2003.
23. D. Larochelle and D. Evans. Statically Detecting Likely Buffer Overflow Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 177-190, August 2001.
24. E. Larson and T. Austin. High Coverage Detection of Input-Related Security Faults. In Proceedings of the 12th USENIX Security Symposium, pages 121-136, August 2003.
25. K. Lhee and S. J. Chapin. Type-assisted dynamic buffer overflow detection. In Proceedings of the 11th USENIX Security Symposium, pages 81-90, August 2002.
26. C. Linn and S. Debray. Obfuscation of Executable Code to Improve Resistance to Static Disassembly. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pages 290-299, October 2003.
27. D. Litchfield. Web Application Disassembly wth ODBC Error Messages, http://www.nextgenss.com/papers/webappdis.doc.
28. P. Loscocco and S. Smalley. Integrating Flexible Support for Security Policies into the Linux Operating System. In Proceedings of the USENIX Annual Technical Conference, Freenix Track, pages 29-40, June 2001.
29. M. Conover and w00w00 Security Team. w00w00 on heap overflows. http://www.w00w00.org/files/articles/heaptut.txt, January 1999.
30. T. Mitchem, R. Lu, and R. O'Brien. Using Kernel Hypervisors to Secure Applications. In Proceedings of the Annual Computer Security Applications Conference, December 1997.
31. D. S. Peterson, M. Bishop, and R. Pandey. A Flexible Containment Mechanism for Executing Untrusted Code. In Proceedings of the 11th USENIX Security Symposium, pages 207-225, August 2002.
32. V. Prevelakis and D. Spinellis. Sandboxing Applications. In Proceedings of the USENIX Technical Annual Conference, Freenix Track, pages 119-126, June 2001.
33. N. Provos. Improving Host Security with System Call Policies. In Proceedings of the 12th USENIX Security Symposium, pages 257-272, August 2003.
34. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting Format String Vulnerabilities with Type Qualifiers. In Proceedings of the 10th USENIX Security Symposium, pages 201-216, August 2001.
35. D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A First Step towards Automated Detection of Buffer Overrun Vulnerabilities. In Proceedings of the ISOC Symposium on Network and Distributed System Security (SNDSS), pages 3-17, February 2000.
36. K. M. Walker, D. F. Stem, L. Badger, K. A. Oosendorp, M. J. Petkac, and D. L. Sherman. Confining root programs with domain and type enforcement. In Proceedings of the USENIX Security Symposium, pages 21-36, July 1996.
37. R. N. M. Watson. TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In Proceedings of the USENIX Annual Technical Conference, Freenix Track, pages 15-28, June 2001.