An Efficient Black-box Technique for Defeating Web Application Attacks∗

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009

Volumn , Issue , 2009, Pages

  Sekar, R ^a  

^a STONY BROOK UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

C (PROGRAMMING LANGUAGE); NETWORK SECURITY;

BLACK BOXES; COMMAND INJECTIONS; CROSS SITE SCRIPTING; IT SUPPORTS; NUMBER OF FACTORS; PERFORMANCE; REMOTE EXPLOITS; SOURCE CODE INSTRUMENTATION; SQL INJECTION; WEB APPLICATION ATTACKS;

NETWORK LAYERS;

EID: 80053015448     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (28)

1. Sandeep Bhatkar, Abhishek Chaturvedi, and R. Sekar. Dataflow anomaly detection. In IEEE Symposium on Security and Privacy, May 2006.
2. Prithvi Bisht and V.N. Venkatakrishnan. Xss-guard: Precise dynamic detection of cross-site scripting attacks. In International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, 2008.
3. BreachSecurity. Modsecurity: Open source web application firewall. On the web at http://www.modsecurity.org/.
4. Gregory Buehrer, Bruce W. Weide, and Paolo A. G. Sivilotti. Using parse tree validation to prevent sql injection attacks. In SEM’05: Proceedings of the 5th international workshop on Software engineering and middleware, pages 106–113, New York, NY, USA, 2005. ACM.
5. S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and R. K. Iyer. Defeating memory corruption attacks via pointer taintedness detection. In IEEE International Conference on Dependable Systems and Networks (DSN), 2005.
6. National Center for Biotechnology Information (NCBI). Basic Local Alignment Search Tool (BLAST). On the web at http://www.ncbi.nlm.nih.gov/blast/Blast.cgi.
7. Dan Gusfield. Algorithms on strings, trees, and sequences: computer science and computational biology. Cambridge University Press, 1997.
8. William Halfond. SQL injection application testbed. On the web at http://www.cc.gatech.edu/ whalfond/testbed.html.
9. William Halfond and Alessandro Orso. AMNESIA: Analysis and monitoring for neutralizing sql-injection. In IEEE/ACM International Conference on Automated Software Engineering (ASE), 2005.
10. William G. J. Halfond, Alessandro Orso, and Panagiotis Manolios. Using positive tainting and syntax-aware evaluation to counter sql injection attacks. In SIGSOFT FSE, 2006.
11. Trevor Jim, Nikhil Swamy, and Michael Hicks. Beep: Browser-enforced embedded policies. In WWW, 2007.
12. Jaeyeon Jung, Anmol Sheth, Ben Greenstein, David Wetherall, Gabriel Maganis, and Tadayoshi Kohno. Privacy oracle: a system for finding application leaks with black box differential testing. In CCS, 2008.
13. Lap Chung Lam and Tzi cker Chiueh. A general dynamic information flow tracking framework for security applications. In Annual Computer Security Applications Conference (AC-SAC), 2006.
14. V. I. Levenshtein. Binary codes capable of correcting deletions, insertions, and reversals. Soviet Physics Doklady, 10(707), 1966.
15. Microsoft. IE 8 XSS Filter Architecture/ Implementation, 2008. On the web at http://blogs.technet.com/swi/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx.
16. James Newsome and Dawn Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Network and Distributed System Security Symposium (NDSS), 2005.
17. Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, and David Evans. Automatically hardening web applications using precise tainting. In 20th IFIP International Information Security Conference, 2005.
18. University of Virginia. Fasta. On the web at http://fasta.bioch.virginia.edu/.
19. OWASP. Http response splitting. On the web at www.owasp.org/index.php/HTTP Response Splitting.
20. OWASP. Owasp webgoat project. On the web at http://www.owasp.org/index.php/Category: OWASP WebGoat Project.
21. Tadeusa Pietraszek and Chris Vanden Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection (RAID), 2005.
22. Feng Qin, Cheng Wang, Zhenmin Li, Ho seop Kim, Yuanyuan Zhou, and Youfeng Wu. LIFT: A low-overhead practical information flow tracking system for detecting general security attacks. In IEEE/ACM International Symposium on Microarchitecture, December 2006.
23. Prateek Saxena, R. Sekar, and Varun Puranik. Efficient fine-grained binary instrumentation with applications to taint-tracking. In IEEE/ACM Conference on Code Generation and Optimization (CGO), April 2008.
24. R. Sekar, V. Venkatakrishnan, S. Basu, S. Bhatkar, and D. C. DuVarney. Model-carrying code: A practical approach for safe execution of untrusted applications. In ACM Symposium on Operating System Principles, Bolton Landing, New York, October 2003.
25. P. Madhusudan Sruthi Bandhakavi, Prithvi Bisht and V.N. Venkatakrishnan. Candid: Preventing sql injection attacks using dynamic candidate evaluations. In CCS, 2007.
26. Zhendong Su and Gary Wassermann. The essence of command injection attacks in web applications. In POPL’06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 372–382, New York, NY, USA, 2006. ACM.
27. G. Edward Suh, Jae W. Lee, David Zhang, and Srinivas Devadas. Secure program execution via dynamic information flow tracking. In International Conference on Architectural Support for Programming Languages and Operating Systems, pages 85–96, Boston, MA, USA, 2004.
28. Wei Xu, Sandeep Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In USENIX Security Symposium, August 2006.