Volume 51, Issue 3, 2009, Pages 589-598

On automated prepared statement generation to remove SQL injection vulnerabilities

Author keywords

Fix automation; Prepared statement; SQL injection

Indexed keywords

COMPUTER CRIME;

EID: 57849137358    PISSN: 09505849    EISSN: None    Source Type: Journal
DOI: 10.1016/j.infsof.2008.08.002    Document Type: Article
Times cited: 56

References (26)
  • 1
    • Scopus 57849130920
    • C. Anley, Advanced SQL Injection in SQL Server Applications, 2002, accessed January 21, 2007.
  • 2
    • Scopus 57849115478
    • N. Audsley, I. Bate, S. Crook-Dawkins, Automatic code generation for airborne systems, in: IEEE Aerospace Conference, New York, NY, 2003, pp. 6_2863-6_2873.
  • 4
    • Scopus 38849176700
    • M. Bordin, T. Vardanega, Real-time Java from an automated code generation perspective, in: International Workshop on Java Technologies for Real-Time and Embedded Systems, Vienna, Austria, 2007, pp. 63-72.
  • 5
    • Scopus 26944470937
    • R.E. Bryant, S. Jha, T.W. Reps, S.A. Seshia, V. Ganapathy, Automatic discovery of API-level exploits, in: 27th International Conference on Software Engineering (ICSE'05), St. Louis, MO, 2005, pp. 312-321.
  • 6
    • Scopus 77953855187
    • G. Buehrer, B.W. Weide, P.A.G. Sivilotti, Using parse tree validation to prevent SQL injection attacks, in: 5th International Workshop on Software Engineering and Middleware, Lisbon, Portugal, 2005, pp. 106-113.
  • 7
    • Scopus 57849100799
    • Y. Cheon, G.T. Leavens, A simple and practical approach to unit testing: the JML and JUnit way, in: 16th European Conference on Object-Oriented Programming, Spain, 2002, p. 29.
  • 9
    • Scopus 77952407110
    • W.G.J. Halfond, A. Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, in: 20th IEEE/ACM International Conference on Automated Software Engineering, Long Beach, CA, USA, 2005, pp. 174-183.
  • 10
    • Scopus 57849091044
    • W.G.J. Halfond, A. Orso, Combining static analysis and runtime monitoring to counter SQL-injection attacks, in: Third International Workshop on Dynamic Analysis, St. Louis, MO, 2005, pp. 1-7.
  • 11
    • Scopus 34547379435
    • W.G.J. Halfond, A. Orso, P. Manolios, Using positive tainting and syntax-aware evaluation to counter SQL-injection attacks, in: 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, Portland, Oregon, 2006, pp. 175-185.
  • 12
    • Scopus 40449091840
    • W.G.J. Halfond, A. Orso, P. Manolios, WASP: protecting web applications using positive tainting and syntax-aware evaluation, IEEE Transactions on Software Engineering 34 (1) (2008) 65-81.
  • 13
    • Scopus 57849161132
    • W.G.J. Halfond, J. Viegas, A. Orso, A classification of SQL-injection attacks and countermeasures, in: International Symposium on Secure Software Engineering, Raleigh, NC, USA, 2006.
  • 14
    • Scopus 79951744451
    • D. Hovemeyer, W. Pugh, Finding bugs is easy, in: 19th Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications, Vancouver, BC, Canada, 2004, pp. 92-106.
  • 15
    • Scopus 57849087899
    • M. Howard, D. LeBlanc, Writing Secure Code, second ed., Microsoft Corporation, Redmond, 2003.
  • 16
    • Scopus 19944365247
    • Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, S.-Y. Kuo, Securing web application code by static analysis and runtime protection, in: 13th International Conference on World Wide Web, New York, NY, 2004, pp. 40-52.
  • 17
    • Scopus 57849083639
    • G. Keizer, One-at-a-time Hacker Grabs 22,000 IDs from University of Missouri, 2007, accessed June 30, 2008.
  • 18
    • Scopus 57849110041
    • J. Kirk, Databases Assaulted by SQL Injection Attacks, 2006, accessed June 30, 2008.
  • 19
    • Scopus 57849124740
    • M.S. Lam, J. Whaley, V.B. Livshits, M. Martin, D. Avots, M. Carbin, C. Unkel, Context-sensitive program analysis as database queries, in: Principles of Database Systems (PODS), Baltimore, Maryland, 2005, p. 12.
  • 20
    • Scopus 57849106078
    • B. Livshits, Defining a set of common benchmarks for web application security, in: Workshop on Defining the State of the Art in Software Security Tools, Baltimore, 2005, p. 1.
  • 21
    • Scopus 57849140309
    • V.B. Livshits, Finding security errors in Java applications using lightweight static analysis, in: Computer Security Applications Conference, Tucson, AZ, 2004, p. 2.
  • 22
    • Scopus 84923564816
    • V.B. Livshits, M.S. Lam, Finding security vulnerabilities in Java applications with static analysis, in: 14th Usenix Security Symposium, Baltimore, MD, 2005, pp. 271-286.
  • 23
    • Scopus 31744432699
    • M. Martin, V.B. Livshits, M.S. Lam, Finding application errors and security flaws using PQL: a program query language, in: 20th ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications, San Diego, CA, 2005, p. 19.
  • 24
    • Scopus 84871349041
    • A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, D. Evans, Automatically hardening web applications using precise tainting, in: 20th IFIP International Information Security Conference, Chiba, Japan, 2005, p. 12.
  • 25
    • Scopus 57849143488
    • NIST, National Vulnerability Database, 2007, accessed January 16, 2007.
  • 26
    • Scopus 33745811685
    • Z. Su, G. Wassermann, The essence of command injection attacks in web applications, in: 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Charleston, SC, USA, 2006, pp. 372-382.


* This information was extracted by KISTI through analysis of Elsevier's SCOPUS database.