Intent-Based Extensible Real-Time PHP Supervision Framework

IEEE Transactions on Information Forensics and Security

Volumn 11, Issue 10, 2016, Pages 2215-2226

  Prokhorenko, Victor ^a   Choo, Kim Kwang Raymond ^a,b,c   Ashman, Helen ^a  

^a UNIVERSITY OF SOUTH AUSTRALIA   (Australia)

^b UNIVERSITY OF TEXAS AT SAN ANTONIO   (United States)

^c CHINA UNIVERSITY OF GEOSCIENCES   (China)

Author keywords

intent based; PHP; real time supervision; web application security

Indexed keywords

NETWORK SECURITY; WEBSITES; WORLD WIDE WEB; XML;

APPLICATION BEHAVIORS; APPLICATION DEVELOPERS; APPLICATION EXECUTION; INTENT-BASED; INTENTION UNDERSTANDING; PROTECTION TECHNIQUES; REAL-TIME SUPERVISION; WEB APPLICATION SECURITY;

DATA PRIVACY;

EID: 84979928325     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2016.2569063     Document Type: Article

References (34)

1. W. G. J. Halfond and A. Orso, "Preventing SQL injection attacks using AMNESIA," in Proc. 28th Int. Conf. Softw. Eng. (ICSE), 2006, pp. 795-798.
2. Y. Minamide, "Static approximation of dynamically generated Web pages," in Proc. 14th Int. Conf. World Wide Web (WWW), 2005, pp. 432-441.
3. S. Chong, K. Vikram, and A. C. Myers, "SIF: Enforcing confidentiality and integrity in Web applications," in Proc. 16th USENIX Secur. Symp. (SS), 2007, Art. no. 1.
4. W. Robertson and G. Vigna, "Static enforcement of Web application integrity through strong typing," in Proc. 18th Conf. USENIX Secur. Symp. (SSYM), 2009, pp. 283-298.
5. M. Martin, B. Livshits, and M. S. Lam, SecuriFly: Runtime Vulnerability Protection for Web Applications. San Diego, CA, USA: Stanford Univ. Press, Oct. 2005.
6. S. S. Huang, D. Zook, and Y. Smaragdakis, "Domain-specific languages and program generation with meta-AspectJ," ACM Trans. Softw. Eng. Methodol., vol. 18, no. 2, 2008, Art. no. 6.
7. Y. Zheng and X. Zhang, "Path sensitive static analysis of Web applications for remote code execution vulnerability detection," in Proc. Int. Conf. Softw. Eng. (ICSE), May 2013, pp. 652-661.
8. F. Yu, M. Alkhalaf, and T. Bultan, "STRANGER: An automata-based string analysis tool for PHP," in Proc. 16th Int. Conf. Tools Algorithms Constr. Anal. Syst. (TACAS), 2010, pp. 154-157.
9. P. Saxena, D. Molnar, and B. Livshits, "SCRIPTGARD: Automatic context-sensitive sanitization for large-scale legacy Web applications," in Proc. 18th ACM Conf. Comput. Commun. Secur. (CCS), 2011, pp. 601-614.
10. B. Livshits and S. Chong, "Towards fully automatic placement of security sanitizers and declassifiers," in Proc. 40th Annu. ACM SIGPLANSIGACT Symp. Principles Program. Lang. (POPL), 2013, pp. 385-398.
11. N. Skrupsky, P. Bisht, T. Hinrichs, V. N. Venkatakrishnan, and L. Zuck, "TamperProof: A server-agnostic defense for parameter tampering attacks on Web applications," in Proc. 3rd ACM Conf. Data Appl. Secur. Privacy (CODASPY), 2013, pp. 129-140.
12. S. Cass. (2015). The 2015 Top Ten Programming Languages, accessed on Jan. 5, 2016. [Online]. Available: http://spectrum. ieee.org/computing/software/the-2015-top-ten-programming-languages
13. N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A static analysis tool for detecting Web application vulnerabilities," in Proc. 27th IEEE Symp. Secur. Privacy, Oakland, CA, USA, May 2006, pp. 263-266.
14. V. Prokhorenko, K.-K. R. Choo, and H. Ashman, "Web application protection techniques: A taxonomy," J. Netw. Comput. Appl., vol. 60, pp. 95-112, Jan. 2016.
15. M. Alkhalaf, A. Aydin, and T. Bultan, "Semantic differential repair for input validation and sanitization," in Proc. Int. Symp. Softw. Test. Anal. (ISSTA), New York, NY, USA, 2014, pp. 225-236.
16. G. Buja, K. B. A. Jalil, F. B. H. M. Ali, and T. F. A. Rahman, "Detection model for SQL injection attack: An approach for preventing a Web application from the SQL injection attack," in Proc. IEEE Symp. Comput. Appl. Ind. Electron. (ISCAIE), Apr. 2014, pp. 60-64.
17. BAXTEP, accessed on Jan. 5, 2016. [Online]. Available: https://code. google.com/archive/p/baxtep
18. K. Sharma and N. Kumar, "SWART: Secure Web application response tool," in Proc. Int. Conf. Control Comput. Commun. Mater. (ICCCCM), Aug. 2013, pp. 1-7.
19. S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing SQL injection attacks," in Proc. 2nd Appl. Cryptogr. Netw. Secur. Conf. (ACNS), 2004, pp. 292-302.
20. M. Wang, H. Yin, A. V. Bhaskar, P. Su, and D. Feng, "Binary code continent: Finer-grained control flow integrity for stripped binaries," in Proc. 31st Annu. Comput. Secur. Appl. Conf. (ACSAC), 2015. pp. 331-340.
21. M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti, "Control-flow integrity," in Proc. 12th ACM Conf. Comput. Commun. Secur., 2005, pp. 340-353.
22. Forbes. (2013). Wordpress Under Attack: How to Avoid The Coming Botnet, accessed on Jun. 20, 2016. [Online]. Available: http://www.forbes. com/sites/anthonykosner/2013/04/13/wordpress-under-attack-how-toavoid-the-coming-botnet/
23. Wired. (2008). Massive Attack: Half a Million Microsoft-Powered Sites Hit With SQL Injection, accessed on Jun. 20, 2016. [Online]. Available: http://www.wired.com/2008/04/massive-att-ack- half-a-million-microsoft-powered-sites-hit-with-sql-injection/
24. Ars Technica. (2015). Just-Released WordPress 0day Makes it Easy to Hijack Millions of Web-Sites, accessed on Jun. 20, 2016. [Online]. Available: http://arstechnica.com/security/2015/04/justreleased-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites/
25. Wired. (2012). Black Hat is Over, But SQL Injection Attacks Persist, accessed on Jun. 20, 2016. [Online]. Available: http://www. wired.com/2012/08/black-hat-sql-injection/
26. X. Li and Y. Xue, "A survey on server-side approaches to securing Web applications," ACM Comput. Surv., vol. 46, no. 4, 2014, Art. no. 54.
27. ZoneMinder, accessed on Jan. 5, 2016. [Online]. Available: http://zoneminder.com
28. PHP-CFG, accessed on Jan. 5, 2016. [Online]. Available: https://github.com/ircmaxell/php-cfg
29. A. Liu, Y. Yuan, D. Wijesekera, and A. Stavrou, "SQLProb: A proxybased architecture towards preventing SQL injection attacks," in Proc. ACM Symp. Appl. Comput. (SAC), 2009, pp. 2054-2061.
30. Y. Nadji, P. Saxena, and D. Song, "Document structure integrity: A robust basis for cross-site scripting defense," in Proc. NDSS, 2009, p. 20.
31. D. Mutz, F. Valeur, G. Vigna, and C. Kruegel, "Anomalous system call detection," ACM Trans. Inf. Syst. Secur., vol. 9, no. 1, pp. 61-93, 2006.
32. A. Doupé, W. Cui, M. H. Jakubowski, M. Peinado, C. Kruegel, and G. Vigna, "deDacota: Toward preventing server-side XSS via automatic code and data separation," in Proc. ACM SIGSAC Conf. Comput. Commun. Secur. (CCS), 2013, pp. 1205-1216.
33. C. Kruegel and G. Vigna, "Anomaly detection of Web-based attacks," in Proc. 10th ACM Conf. Comput. Commun. Secur. (CCS), 2003, pp. 251-261.
34. V. Prokhorenko, K.-K. R. Choo, and H. Ashman, "Context-oriented Web application protection model," Appl. Math. Comput., vol. 285, pp. 59-78, Jul. 2016.