SDriver: Location-specific signatures prevent SQL injection attacks

Computers and Security

Volumn 28, Issue 3-4, 2009, Pages 121-129

  Mitropoulos, Dimitris ^a   Spinellis, Diomidis ^a  

^a ATHENS UNIVERSITY OF ECONOMICS AND BUSINESS   (Greece)

Author keywords

Firewall; JDBC driver; SQL injection attack; SQLIA; Web security

Indexed keywords

APPLICATIONS; AUTOMOBILE DRIVERS; COMPUTER SYSTEM FIREWALLS; MANAGEMENT INFORMATION SYSTEMS; NETWORK SECURITY; WORLD WIDE WEB;

FIREWALL; JDBC DRIVER; SQL INJECTION ATTACK; SQLIA; WEB SECURITY;

COMPUTER CRIME;

EID: 63049106185     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2008.09.005     Document Type: Article

References (30)

1. Anley C. Advanced SQL injection in SQL server applications (2002), Next Generation Security Software Ltd.
2. Barrantes E, Ackley D, Forrest S, Palmer T, Stefanovic D, Zovi D. Randomized instruction set emulation to disrupt binary code injection attacks. In: CCS 2003: proceedings of the 10th ACM conference on computer and communications security; October 2003. p. 281-9.
3. Beck K., and Gamma E. Test infected: programmers love writing tests. Java Report 3 7 (July 1998) 37-50
4. Boyd S., and Keromytis A. SQLrand: preventing SQL injection attacks. In: Jakobsson M., Yung M., and Zhou J. (Eds). Proceedings of the second applied cryptography and network security (ACNS) conference. Lecture notes in computer science vol. 3089 (2004), Springer-Verlag 292-304
5. Buehrer G., Weide B.W., and Sivilotti P.A. Using parse tree validation to prevent SQL injection attacks. Proceedings of the fifth international workshop on software engineering and middleware (September 2005), ACM Press 106-113
6. CERT. CERT vulnerability note VU282403; 2002. Available online: [accessed January 7, 2007].
7. W.R. Cook, S. Rai. Safe query objects: statically typed objects as remotely executable queries. In: ICSE 2005: 27th international conference on software engineering; 2005. p. 97-106.
8. Elizabeth D., and Denning R. An intrusion detection model. IEEE Transactions on Software Engineering 13 2 (February 1987) 222-232
9. Gould C., Su Z., and Devanbu P. Static checking of dynamically generated queries in database applications. ICSE '04: proceedings of the 26th international conference on software engineering (2004), IEEE Computer Society, Washington, DC, USA 645-654
10. Haldar V., Chandra D., and Franz M. Dynamic taint propagation for Java. ACSAC '05: proceedings of the 21st annual computer security applications conference (2005), IEEE Computer Society, Washington, DC, USA 303-311
11. Halfond W.G., and Orso A. AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. Proceedings of the 20th IEEE/ACM international conference on automated software engineering (November 2005), ACM Press 174-183
12. Halfond W.G., and Orso A. Preventing SQL injection attacks using AMNESIA. ICSE 2006: proceedings of the 28th international conference on software engineering (May 2006), ACM Press 795-798
13. Halfond W.G.J., and Orso A. Combining static analysis and runtime monitoring to counter SQL-injection attacks. WODA '05: proceedings of the third international workshop on dynamic analysis (2005), ACM Press, New York, NY, USA 1-7
14. William GJ. Halfond, Jeremy Viegas, Alessandro Orso. A classification of SQL-injection attacks and countermeasures. In: Proceedings of the international symposium on secure software engineering; March 2006.
15. Henson V. An analysis of compare-by-hash. Proceedings of HotOS IX: the ninth workshop on hot topics in operating systems (May 2003), USENIX Association, Berkeley, CA 13-18
16. Howard M., and LeBlanc D. Writing secure code. 2nd ed. (2003), Microsoft Press, Redmond, WA
17. Jeffries R., and Melnik G. Guest editors' introduction: TDD-the art of fearless programming. IEEE Software 24 3 (May 2007) 24-30
18. Kc G.S., Keromytis A.D., and Prevelakis V. Countering code-injection attacks with instruction-set randomization. CCS 2003: proceedings of the 10th ACM conference on computer and communications security (October 2003), ACM Press 272-280
19. Knuth D.E. The art of computer programming. Sorting and searching vol. 3 (1973), Addison-Wesley, Reading, MA
20. Lee S.Y., Low W.L., and Wong P.Y. Learning fingerprints for a database intrusion detection system. In: Gollmann D., Karjoth G., and Waidner M. (Eds). ESORICS '02: proceedings of the 7th European symposium on research in computer security. Lecture notes in computer science 2502 (2002), Springer-Verlag, London, UK 264-280
21. Martin M., Livshits B., and Lam M.S. Finding application errors and security flaws using PQL: a program query language. OOPSLA '05: proceedings of the 20th annual ACM SIGPLAN conference on object oriented programming, systems, languages, and applications (2005), ACM Press, New York, NY, USA 365-383
22. Russell A. McClure and Ingolf H. Krüger. SQL DOM: compile time checking of dynamic SQL statements. In: ICSE '05: proceedings of the 27th international conference on software engineering; 2005. p. 88-96.
23. Mitropoulos D., and Spinellis D. Countering SQL injection attacks with a database driver. In: Papatheodorou T.S., Christodoulakis D.N., and Karanikolas N.N. (Eds). Current trends in informatics: 11th panhellenic conference on informatics, PCI 2007 vol. B (May 2007), New Technologies Publications, Athens 105-115
24. Spett K. Blind SQL injection; 2004. Available online: [accessed January 7, 2007].
25. Su Z., and Wassermann G. The essence of command injection attacks in web applications. Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on principles of programming languages POPL '06 (January 2006), ACM Press 372-382
26. Valeur F., Mutz D., and Vigna G. A learning-based approach to the detection of SQL attacks. In: Julisch K., and Kruegel C. (Eds). Intrusion and malware detection and vulnerability assessment: second international conference, DIMVA 2005. Lecture notes in computer science 3548 (July 2005) 123-140
27. Viega J., and McGraw G. Building secure software: how to avoid security problems the right way (2001), Addison-Wesley, Boston, MA
28. Gary Wassermann, Zhendong Su. An analysis framework for security in web applications. In: SAVCBS 2004: proceedings of the FSE workshop on specification and verification of component-based systems; 2004. p. 70-8.
29. Xu W., Bhatkar S., and Sekar R. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. Security '06: proceedings of the 15th USENIX security symposium (August 2006), USENIX Association, Berkeley, CA 121-136
30. Younan Y., Joosen W., and Piessens F. A methodology for designing countermeasures against current and future code injection attacks. IWIA 2005: proceedings of the third IEEE international information assurance workshop (March 2005), IEEE Press, College Park, Maryland, USA