Preventing injection attacks with syntax embeddings

GPCE'07 - Proceedings of the Sixth International Conference on Generative Programming and Component Engineering

Volumn , Issue , 2007, Pages 3-12

  Bravenboer, Martin ^a   Dolstra, Eelco ^b   Visser, Eelco ^a  

^a DELFT UNIVERSITY OF TECHNOLOGY   (Netherlands)

^b UTRECHT UNIVERSITY   (Netherlands)

Author keywords

Injection attacks; StringBorg; Syntax embedding

Indexed keywords

COMPUTER PROGRAMMING LANGUAGES; COMPUTER SOFTWARE; QUERY LANGUAGES; XML;

INJECTION ATTACKS; STRINGBORG; SYNTAX EMBEDDING;

EMBEDDED SYSTEMS;

EID: 38849180913     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1289971.1289975     Document Type: Conference Paper

References (30)

1. ISO/IEC 9075:1992: Database Language SQL. July 1992.
2. C. Anley. Advanced SQL injection. http://www.ngssoftware.com/papers/ advanced_sql_injection.pdf, 2002.
3. C. Anley. (more) Advanced SQL injection. http://www.ngssoftware.com/ papers/more_advanced_sql_injection.pdf, 2002.
4. D. Batory, B. Lofaso, and Y. Smaragdakis. JTS: tools for implementing domain-specific languages. In Intl. Conf on Software Reuse (ICSR'98), pages 143-153. IEEE Computer Society, June 1998.
5. G. Bierman, E. Meijer, and W. Schulte. The essence of data access in Cω. In ECOOP 2005 - Object-Oriented Programming, 19th European Conf., volume 3586 of LNCS, pages 287-311. Springer, July 2005.
6. M. Bravenboer, E. Tanter, and E. Visser. Declarative, formal, and extensible syntax definition for AspectJ. In Object-Oriented Programing, Systems, Languages, and Applications (OOPSLA'06), pages 209-228, Portland, Oregon, USA, Oct. 2006. ACM Press.
7. M. Bravenboer, R. Vermaas, J. Vinju, and E. Visser. Generalized type-based disambiguation of meta programs with concrete object syntax. In Generative Progmmming and Component Engineering (GPCE'05), volume 3676 of LNCS, pages 157-172. Springer, Sept. 2005.
8. M. Bravenboer and E. Visser. Concrete syntax for objects. Domain-specific language embedding and assimilation without restrictions. In Object-Oriented Programing, Systems, Languages, and Applications (OOPSLA'04), pages 365-383, Vancouver, Canada, Oct. 2004. ACM Press.
9. G. T. Buehrer, B. W. Weide, and P. A. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In Fifth International Workshop on Software Engineering and Middleware (SEM 2005). ACM Press, Sept. 2005.
10. A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. In Static Analysis Symposium (SAS '03), volume 2694 of LNCS, pages 1-18. Springer, June 2003.
11. W. R. Cook and S. Rai. Safe Query Objects: Statically typed objects as remotely executable queries. In Intl. Conf on Software Engineering (ICSE 2005), pages 97-106. ACM Press, May 2005.
12. C. Gould, Z. Su, and P. Devanbu. JDBC checker: A static analysis tool for SQL/JDBC applications. In Intl. Conf. on Software Engineering (ICSE 2004), pages 697-698, May 2004.
13. C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Intl. Conf. on Software Engineering (ICSE 2004), pages 645-654, May 2004.
14. W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In 20th Intl. Conf. on Automated Software Engineering (ASE 2005), pages 174-183, Long Beach, California, USA, Nov. 2005.
15. W. G. Halfond, A. Orso, and P. Manolios. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In Foundations of Software Engineering (FSE 14), Nov. 2006.
16. W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. In Proc. of the International Symposium on Secure Software Engineering, Mar. 2006.
17. J. E. Hopcroft, R. Motwani, and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 2006.
18. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In 13th International World Wide Web Conference (WWW2004), pages 40-52. ACM Press, 2004.
19. D. Leijen and E. Meijer. Domain specific embedded compilers. In 2nd. USENIX Conf. on Domain-Specific Languages (DSL). USENIX, Oct. 1999.
20. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In 14th USENIX Security Symposium, pages 271-286. USENIX, Aug. 2005.
21. O. Maor and A. Shulman. SQL injection signatures evasion. White paper, http://www.imperva.com/, Apr. 2004.
22. R. A. McClure and I. H. Krüger. SQL DOM: Compile time checking of dynamic SQL statements. In Intl. Conf. on Software Engineering (ICSE 2005), pages 88-96. ACM Press, May 2005.
23. E. Meijer and D. van Velzen. Haskell Server Pages: Functional programming and the battle for the middle tier. In 2000 ACM SIGPLAN Haskell Workshop, volume 41/1 of ENTCS. Elsevier, Aug. 2001.
24. A. Møller. dk.brics.automaton - finite-state automata for Java. http://www.brics.dk/automaton/, 2005.
25. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Principles of Programming Languages (POPL'06), pages 372-382, Charleston, South Carolina, USA, Jan. 2006. ACM Press.
26. E. Visser. Syntax Definition for Language Prototyping. PhD thesis, University of Amsterdam, Sept. 1997.
27. E. Visser. Meta-programming with concrete object syntax. In Generative Programming and Component Engineering (GPCE'02), volume 2487 of LNCS, pages 299-315, Pittsburgh, PA, USA, Oct. 2002. Springer-Verlag.
28. E. Visser. Program transformation with Stratego/XT: Rules, strategies, tools, and systems in Stratego/XT 0.9. In C. Lengauer et al., editors, Domain-Specific Program Generation, volume 3016 of LNCS, pages 216-238. Spinger-Verlag, June 2004.
29. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In 15th USENIX Security Symposium, pages 179-192. USENIX, Aug. 2006.
30. D. Zook, S. S. Huang, and Y. Smaragdakis. Generating AspectJ programs with Meta-AspectJ. In Generative Programming and Component Engineering: Third Intl. Conf, GPCE 2004, volume 3286 of LNCS, pages 1-19, Vancouver, Canada, October 2004. Springer.