Sound and precise analysis of web applications for injection vulnerabilities

Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)

Volumn , Issue , 2007, Pages 32-41

  Wassermann, Gary ^a   Su, Zhendong ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Static analysis; String analysis; Web applications

Indexed keywords

DATABASE QUERIES; STRING ANALYSIS; WEB APPLICATIONS;

COMPUTER CRIME; COMPUTER SIMULATION; DATABASE SYSTEMS; NATURAL LANGUAGE PROCESSING SYSTEMS; STATIC ANALYSIS;

WEB SERVICES;

EID: 35449004893     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1250734.1250739     Document Type: Conference Paper

References (32)

1. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In International Conference on Applied Cryptography and Network Security (ACNS), LNCS, volume 2, 2004.
2. G. T. Buehrer, B. W. Weide, and P. A. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the International Workshop on Software Engineering and Middleware (SEM) at Joint FSE and ESEC, Sept. 2005.
3. A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. In Proceedings of the 10th International Static Analysis Symposium, SAS '03, volume 2694 of LNCS, pages 1-18. Springer-Verlag, June 2003. Available from http://www.brics.dk/JSA/.
4. J. Earley. An efficient content-free parsing algorithm. Communications of the Association for Compution Machinery, 13(2):94-102, 1970.
5. J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type qualifiers. In PLDI '02: Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, pages 1-12, New York, NY, USA, 2002. ACM Press.
6. C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Proceedings of the 25th International Conference on Software Engineering (ICSE), pages 645-654, May 2004.
7. W. Halfond, A. Orso, and P. Manolios. Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. In. Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE 2006), Portland, Oregon, November 2006.
8. W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of 20th ACM International Conference on Automated Software Engineering (ASE), Nov. 2005.
9. K. J. Higgins. Cross-site scripting: Attackers' new favorite flaw, September 2006. http://www.darkreading.com/document.asp?doc_id=103774&WT. svl-newa1_1.
10. H. Hosoya and B. C. Pierce. Xduce: A typed xml processing language (preliminary report). In Selected papers from the Third International Workshop WebDB 2000 on The World Wide Web and Databases, pages 226-244, London, UK, 2001. Springer-Verlag.
11. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW '04: Proceedings of the 13th international conference on World Wide Web, pages 40-52, New York, NY, USA, 2004. ACM Press.
12. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In 2006 IEEE Symposium on Security and Privacy, Oakland, CA, May 2006.
13. N. Jovanovic, C. Kruegel, and E. Kirda. Precise alias analysis for syntactic detection of web application vulnerabilities. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottowa, Canada, June 2006.
14. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proc. CCS'03, pages 272-280, 2003.
15. C. Kirkegaard and A. Møller. Static analysis for Java Servlets and JSP. In Proceedings of the 13th international Static Analysis Symposium, SAS '06, volume 4134 of LNCS. Springer-Verlag, August 2006. Full version available as BRICS RS-06-10.
16. M. S. Lam, J. Whaley, V. B. Livshits, M. C. Martin, D. Avots, M. Carbin, and C. Unkel. Context-sensitive program analysis as database queries. In Proceedings of the Twenty-fourth ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Database Systems. ACM, June 2005.
17. V. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the 14th Usenix Security Symposium, pages 271-286, Aug. 2005.
18. M. Martin, B. Livshits, and M. S. Lam. Finding application errors and security flaws using PQL: a program query language. In OOPSLA '05: Proceedings of the 20th annual ACM SIGPLAN conference on Object oriented programming systems languages and applications, pages 365-383, 2005.
19. D. Melski and T. Reps. Interconvertbility of set constraints and context-free language reachability. In Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation, pages 74-89, 1997.
20. Y. Minamide. Static Approximation of Dynamically Generated Web Pages. In WWW'05: Proceedings of the 14th International Conference on the World Wide Web, pages 432-441, 2005.
21. M. Mohri and M. Nederhof. Regular approximation of context-free grammars through transformation. Robustness in Language and Speech Technology, pages 153-163, 2001.
22. M. Mohri and R. Sproat. An efficient compiler for weighted rewrite rules. In Meeting of the Association for Computational Linguistics, pages 231-238, 1996.
23. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Twentieth IFIP International Information Security Conference (SEC'05), 2005.
24. T. Pietraszek and C. V. Berghe. Defending against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2005.
25. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Proceedings of the 33rd Annual Symposium on Principles of Programming Languages, pages 372-382, Charleston, SC, Jan, 2006. ACM Press New York, NY, USA.
26. M. Sutton. How prevalent are sql injection vulnerabilities?, September 2006. http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How- Prevalent-Are-SQL-Injection-Vulnerabilities.3F00_.aspx.
27. N. Tabuchi, E. Sumii, and A. Yonezawa. Regular expression types for strings in a text processing language (extended abstract). In Proceedings of TIP'02 Workshop on Types in Programming, pages 1-18, July 2002.
28. P. Thiemann. Grammar-based analysis of string expressions. In 2005 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation (TLDI), pages 59-70, 2005.
29. L. Wall, T. Christiansen, and R. L. Schwartz. Programming Perl (3rd Edition). O'Reilly, 2000.
30. J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In PLDI '04: Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation, pages 131-144, New York, NY, USA, 2004. ACM Press.
31. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15th USENIX Security Symposium, pages 179-192, July 2006.
32. W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In Proceedings of the 15th USENIX Security Symposium., Aug. 2006.