CANDID: Preventing SQL injection attacks using dynamic candidate evaluations

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2007, Pages 12-24

  Bandhakavi, Sruthi ^a   Bisht, Prithvi ^b   Madhusudan, P ^a   Venkatakrishnan, V N ^b  

^a UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

^b UNIVERSITY OF ILLINOIS AT CHICAGO   (United States)

Author keywords

Dynamic monitoring; Retrofitting code; SQL injection attacks; Symbolic evalua tion

Indexed keywords

DIAGNOSTIC FEATURES; DYNAMIC MONITORING; LOW LEVEL; QUERY STRUCTURES; SQL INJECTION; SQL QUERY; USER INPUT; WEB APPLICATION;

COMPUTER CRIME; DYNAMICS; JAVA PROGRAMMING LANGUAGE; MINING; RETROFITTING; WORLD WIDE WEB;

NETWORK SECURITY;

EID: 49949109144     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1315245.1315249     Document Type: Conference Paper

References (30)

1. Online SQL syntax checker. http://www.wangz.net/gsqlparser/sqlpp/ sqlformat.htm.
2. SUTTON, M. How prevalent Are SQL Injection vulnerabilities? Internet Bulletin, Oct. 2006.
3. ALUR, R., CERNÝ, P., MADHUSUDAN, P., AND NAM, W. Synthesis of interface specifications for JAVA classes. In POPL (2005), pp. 98-109.
4. AMMONS, G., BODÍK, R., AND LARUS, J. R. Mining specifications. In POPL (2002), pp. 4-16.
5. ANLEY, C. Advanced SQL injection in SQL server applications, White paper, Next Generation Security Software Ltd. Tech. rep., 2002.
6. APACHE. The JMeter project. http://jakarta.apache.org/jmeter/.
7. BIBA, K. J. Integrity considerations for secure computer systems. Tech. Rep. ESD-TR-76-372, USAF Electronic Systems Division, Bedford, MA, Apr. 1977.
8. BOYD, S. W., AND KEROMYTIS, A. D. Sqlrand: Preventing SQL injection attacks. In ACNS (2004), pp. 292-302.
9. BUEHRER, G., WEIDE, B. W., AND SIVILOTTI, P. A. G. Using parse tree validation to prevent SQL injection attacks. In SEM (2005).
10. COOK, W. R., AND RAI, S. Safe query objects: statically typed objects as remotely executable queries. In ICSE (2005), pp. 97-106.
11. EMMI, M., MAJUMDAR, R., AND SEN, K. Dynamic test input generation for database applications. In International Symposium on Software Testing and Analysis (ISSTA'07) (2007), ACM.
12. HALFOND, W., AND ORSO, A. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In ASE (2005), pp. 174-183.
13. HALFOND, W., ORSO, A., AND MANOLIOS, P. Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. In FSE (2006), pp. 175-185.
14. HALFOND, W. G., VIEGAS, J., AND ORSO, A. A Classification of SQL-Injection Attacks and Countermeasures. In SSSE (2006).
15. Secureworks press release. Internet news report, July 2006. http://www.secureworks.com/press/20060718-sql.html.
16. LIVSHITS, V. B., AND LAM, M. S. Finding security vulnerabilities in Java applications with static analysis. In USENIX Security Symposium (2005).
17. MCCLURE, R. A., AND KRÜGER, I. H. SQL DOM: compile time checking of dynamic SQL statements. In ICSE (2005), pp. 88-96.
18. MITRE. Common vulnerabilities and exposures list. http://cve.mitre.org/.
19. NGUYEN-TUONG, A., GUARNIERI, S., GREENE, D., SHIRLEY, J., AND EVANS, D. Automatically hardening web applications using precise tainting. In SEC (2005), pp. 295-308.
20. O. MAOR AND A. SHULMAN. SQL injection signatures evasion. White paper, Imperva. Tech. rep., 2002.
21. PIETRASZEK, T., AND BERGHE, C. V. Defending against injection attacks through context-sensitive string evaluation. In RAID (2005).
22. SABELFELD, A., AND MYERS, A. C. Language-based information-flow security. IEEE JSA, (2003).
23. Soot: a java optimization framework. http://www.sable.mcgill.ca/soot/.
24. SU, Z., AND WASSERMANN, G. The essence of command injection attacks in web applications. In POPL (2006), pp. 372-382.
25. Dark reading security analysis. Internet, September 2006. http://www.darkreading.com/document.asp? doc-id=103774&WT.svl=news1-3.
26. VALEUR, F., MUTZ, D., AND VIGNA, G. A learning-based approach to the detection of SQL attacks. In DIMVA (2005), pp. 123-140. (Pubitemid 41423153)
27. Top five vulnerabilities. IT management security report. http://www.computerweekly.com/Articles/2004/04/16/201840/Top+five+threats.htm.
28. WEIMER, W., AND NECULA, G. C. Mining temporal specifications for error detection. In TACAS (2005), pp. 461-476.
29. XIE, Y., AND AIKEN, A. Static detection of security vulnerabilities in scripting languages. In USENIX Security Symposium (2006).
30. XU, W., BHATKAR, S., AND SEKAR, R. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In 15th USENIX Security Symposium (2006).