AMNESIA: Analysis and monitoring for NEutralizing SQL-injection attacks

20th IEEE/ACM International Conference on Automated Software Engineering, ASE 2005

Volumn , Issue , 2005, Pages 174-183

  Halfond, William G J ^a   Orso, Alessandro ^a  

^a Georgia Institute of Technology   (United States)

Author keywords

Runtime monitoring; SQL injection; Static analysis

Indexed keywords

CODE INJECTION ATTACKS; FALSE POSITIVE; INPUT STRING; MODEL BASED APPROACH; PROGRAM ANALYSIS; RUNTIME MONITORING; SQL INJECTION; WEB APPLICATION;

COMPUTER CRIME; COMPUTER SOFTWARE; NETWORK COMPONENTS; STATIC ANALYSIS;

WORLD WIDE WEB;

EID: 77952407110     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1101908.1101935     Document Type: Conference Paper

References (26)

1. C. Anley Advanced SQL Injection In SQL Server Applications. Next Generation Security Software Ltd. White Paper, 2002.
2. D. Aucsmith. Creating and maintaining software that resists malicious attack. http://www.gtisc.gatech.edu/aucsmith bio.htm Distinguished Lecture Series. Atlanta, GA. September 2004.
3. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, pages 292-302, June 2004.
4. A. Chawla and A. Orso. A generic instrumentation framework for collecting dynamic information. In Online Proceeding of the ISSTA Workshop on Empirical Research in Software Testing (WERST 2004), Boston, MA, USA, July 2004. http://www.sce.carleton. ca/squall/WERST2004.
5. A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise Analysis of String Expressions. In Proceedings of the 10th International Static Analysis Symposium, SAS 03, volume 2694 of LNCS, pages 1-18. Springer-Verlag, June 2003.
6. W. R. Cook and S. Rai. Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. In Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), 2005.
7. C. Gould, Z. Su, and P. Devanbu. JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications. In Proceedings of the 26th International Conference on Software Engineering (ICSE 2004) - Formal Demos, pages 697-698, 2004.
8. C. Gould, Z. Su, and P. Devanbu. Static Checking of Dynamically Generated Queries in Database Applications. In Proceedings of the 26th International Conference on Software Engineering (ICSE 2004), pages 645-654, 2004.
9. A. R. Group. Java Architecture for Bytecode Analysis (JABA), 2004. http://www.cc.gatech.edu/aristotle/Tools/jaba.html.
10. W. G. Halfond and A. Orso. Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In Proceeding of the Third International ICSE Workshop on Dynamic Analysis (WODA 2005), St. Louis, MO, USA. May 2005.
11. M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, Redmond, Washington, 2nd edition, 2003.
12. Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai. Web Application Security Assessment by Fault Injection and Behavior Monitoring. In Proceedings of the 11th International World Wide Web Conference (WWW 2003), May 2003.
13. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T. Lee, and S.-Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 12th International World Wide Web Conference (WWW 2004), May 2004.
14. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering Code-Injection Attacks with Instruction-Set Randomization. In Proceedings of the ACM Conference on Computer and Communications Security (CCS 2003), pages 272-280, October 2003.
15. V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis In Usenix Security Symposium, Aug. 2005.
16. O. Maor and A. Shulman. SQL Injection Signatures Evasion. http://www.imperva.com/application defense center/white papers/sql injection signatures evasion.html, April 2004. White paper.
17. M. Martin, V. B. Livshits, and M. S. Lam. Finding application errors using PQL: a program query language. In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), Oct. 2005.
18. R. McClure and I. Krüger. SQL DOM: Compile Time Checking of Dynamic SQL Statements. In Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), pages 88-96, 2005.
19. S. McDonald. SQL Injection: Modes of attack, defense, and why it matters. http://www.governmentsecurity.org/articles/ SQLInjectionModesofAttackDefenceandWhyItMatters.php, April 2004. White paper.
20. Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans. Automatically Hardening Web Applications Using Precise Tainting Information In Twentieth IFIP International Information Security Conference (SEC 2005), May 2005.
21. OWASPD - Open Web Application Security Project. Top ten most critical web application vulnerabilities. http://www.owasp.org/documentation/topten.html, 2005.
22. T. Pietraszeki and C. V. Berghe. Defending Against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of Recent Advances in Intrusion Detection (RAID2005), 2005.
23. D. Scott and R. Sharp. Abstracting Application-level Web Security. In Proceedings of the 11th International Conference on the World Wide Web (WWW 2002), pages 396-407, 2002.
24. SecuriTeam. SQL Injection Walkthrough. http://www.securiteam.com/ securityreviews/5DP0N1P76E.html, May 2002. White paper.
25. F. Valeur and D. Mutz and G. Vigna A Learning-Based Approach to the Detection of SQL Attacks In Proceedings of the Conference on Detection of Intrusions and Malware Vulnerability Assessment (DIMVA), July 2005.
26. G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70-78, 2004.