WASP: Protecting web applications using positive tainting and syntax-aware evaluation

IEEE Transactions on Software Engineering

Volumn 34, Issue 1, 2008, Pages 65-81

  Halfond, William G J ^a   Orso, Alessandro ^a   Manolios, Panagiotis ^b  

^a Georgia Institute of Technology   (United States)

^b Northeastern University   (United States)

Author keywords

Dynamic tainting; Runtime monitoring; Security; SQL injection

Indexed keywords

COMPUTER PROGRAMMING LANGUAGES; DATABASE SYSTEMS; INTERNET; SECURITY OF DATA; SYNTACTICS;

DYNAMIC TAINTING; RUNTIME MONITORING; STRUCTURED QUERY LANGUAGE (SQL); SYNTAX-AWARE EVALUATION; WEB APPLICATIONS;

SOFTWARE ENGINEERING;

EID: 40449091840     PISSN: 00985589     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSE.2007.70748     Document Type: Article

References (31)

1. C. Anley, "Advanced SQL Injection In SQL Server Applications," white paper, Next Generation Security Software, 2002.
2. S.W. Boyd and A.D. Keromytis, "SQLrand: Preventing SQL Injection Attacks," Proc. Second Int'l Conf. Applied Cryptography and Network Security, pp. 292-302, June 2004.
3. G.T. Buehrer, B.W. Weide, and P.A.G. Sivilotti, "Using Parse Tree Validation to Prevent SQL Injection Attacks," Proc. Fifth Int'l Workshop Software Eng. and Middleware, pp. 106-113, Sept. 2005.
4. J. Clause, W. Li, and A. Orso, "Dytan: A Generic Dynamic Taint Analysis Framework," Proc. Int'l Symp. Software Testing and Analysis, pp. 196-206, July 2007.
5. W.R. Cook and S. Rai, "Safe Query Objects: Statically Typed Objects as Remotely Executable Queries," Proc. 27th Int'l Conf. Software Eng. pp. 97-106, May 2005.
6. "Top Ten Most Critical Web Application Vulnerabilities," OWASP Foundation, http://www.owasp.org/documentation/topten.html, 2005.
7. C. Gould, Z. Su, and P. Devanbu, "JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications," Proc. 26th Int'l Conf. Software Eng., formal demos, pp. 697-698, May 2004.
8. C. Gould, Z. Su, and P. Devanbu, "Static Checking of Dynamically Generated Queries in Database Applications," Proc. 26th Int'l Conf. Software Eng., pp. 645-654, May 2004.
9. V. Haldar, D. Chandra, and M. Franz, "Dynamic Taint Propagation for Java," Proc. 21st Ann. Computer Security Applications Conf., pp. 303-311, Dec. 2005.
10. W. Halfond, A. Orso, and P. Manolios, "Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks," Proc. ACM SIGSOFT Symp. Foundations of Software Eng., pp. 175-185, Nov. 2006.
11. W.G. Halfond and A. Orso, "AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks," Proc. 20th IEEE and ACM Int'l Conf. Automated Software Eng., pp. 174-183, Nov. 2005.
12. W.G. Halfond, J. Viegas, and A. Orso, "A Classification of SQL-Injection Attacks and Countermeasures," Proc. IEEE Int'l Symp. Secure Software Eng., Mar. 2006.
13. M. Howard and D. LeBlanc, Writing Secure Code, second ed. Microsoft Press, 2003.
14. Y. Huang, S. Huang, T. Lin, and C. Tsai, "Web Application Security Assessment by Fault Injection and Behavior Monitoring," Proc. 12th Int'l Conf. World Wide Web, pp. 148-159, May 2003.
15. Y. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee, and S.Y. Kuo, "Securing Web Application Code by Static Analysis and Runtime Protection," Proc. 13th Int'l Conf. World Wide Web, pp. 40-52, May 2004.
16. N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities," Proc. IEEE Symp. Security and Privacy, May 2006.
17. N. Jovanovic, C. Kruegel, and E. Kirda, "Precise Alias Analysis for Static Detection of Web Application Vulnerabilities," Proc. Workshop Programming Languages and Analysis for Security, pp. 27-36, June 2006.
18. V.B. Livshits and M.S. Lam, "Finding Security Vulnerabilities in Java Applications with Static Analysis," Proc. 14th Usenix Security Symp. Aug. 2005.
19. O. Maor and A. Shulman, "SQL Injection Signatures Evasion," white paper, Imperva, http://www.imperva.com/application-defense_center/ white_papers/sql_injection_signatures_evasion.html, Apr. 2004.
20. M. Martin, B. Livshits, and M.S. Lam, "Finding Application Errors and Security Flaws Using PQL: A Program Query Language," Proc. 20th Ann. ACM SIGPLAN Conf. Object Oriented Programming Systems Languages and Applications, pp. 365-383, Oct. 2005.
21. R. McClure and 1. Kr6ger, "SQL DOM: Compile Time Checking of Dynamic SQL Statements," Proc. 27th Int'l Conf. Software Eng., pp. 88-96, May 2005.
22. J. Newsome and D. Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software," Proc. 12th Ann. Network and Distributed System Security Symp., Feb. 2005.
23. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, "Automatically Hardening Web Applications Using Precise Tainting Information," Proc. 20th IFIP Int'l Information Security Conf., May 2005.
24. T. Pietraszek and C.V. Berghe, "Defending against Injection Attacks through Context-Sensitive String Evaluation," Proc. Eighth Int'l Symp. Recent Advances in Intrusion Detection, Sept. 2005.
25. J. Saltzer and M. Schroeder, "The Protection of Information in Computer Systems," Proc. Fourth ACM Symp. Operating System Principles, Oct. 1973.
26. D. Scott and R. Sharp, "Abstracting Application-Level Web Security," Proc. 11th Int'l Conf. World Wide Web, pp. 396-407, May 2002.
27. Z. Su and G. Wassermann, "The Essence of Command Injection Attacks in Web Applications.," Proc. 33rd Ann. Symp. Principles of Programming Languages, pp. 372-382, Jan. 2006.
28. F. Valeur, D. Mutz, and G. Vigna, "A Learning-Based Approach to the Detection of SQL Attacks," Proc. Conf. Detection of Intrusions and Malware and Vulnerability Assessment, July 2005.
29. G. Wassermann and Z. Su, "An Analysis Framework for Security in Web Applications," Proc. FSE Workshop Specification and Verification of Component-Based Systems, pp. 70-78, Oct. 2004.
30. Y. Xie and A. Aiken, "Static Detection of Security Vulnerabilities in Scripting Languages," Proc. 15th Usenix Security Symp., Aug. 2006.
31. W. Xu, S. Bhatkar, and R. Sekar, "Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks," Proc. 15th Usenix Security Symp., Aug. 2006.