Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks

15th USENIX Security Symposium

Volumn , Issue , 2006, Pages 121-136

  Xu, Wei ^a   Bhatkar, Sandeep ^a   Sekar, R ^a  

^a Stony Brook University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INTRUSION DETECTION; NETWORK SECURITY;

ACCESS CONTROL POLICIES; CROSS SITE SCRIPTING; INTRUSION DETECTION SYSTEMS; NEW APPROACHES; POLICY ENFORCEMENT; SECURITY POLICY; SQL INJECTION; USER AUTHENTICATION;

AUTHENTICATION;

EID: 85038810709     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (34)

1. D. E. Bell and L. J. LaPadula. Secure computer systems: Mathematical foundations. Technical Report MTR-2547, Vol. 1, MITRE Corp., Bedford, MA, 1973.
2. S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In USENIX Security Symposium, August 2003.
3. T. Bowen, D. Chee, M. Segal, R. Sekar, T. Shanbhag, and P. Uppuluri. Building survivable systems: An integrated approach based on intrusion detection and damage containment. In DIS-CEX, 2000.
4. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In International Conference on Applied Cryptography and Network Security (ACNS), pages 292–302, 2004.
5. S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and R. K. Iyer. Defeating memory corruption attacks via pointer taintedness detection. In IEEE International Conference on Dependable Systems and Networks (DSN), 2005.
6. C. Cowan, M. Barringer, S. Beattie, and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In USENIX Security Symposium, 2001.
7. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. Automatic detection and prevention of buffer-overflow attacks. In USENIX Security Symposium, 1998.
8. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504–513, July 1977.
9. H. Etoh and K. Yoda. Protecting from stack-smashing attacks. http://www.trl.ibm.com/projects/security/ssp/main.html, June 2000.
10. J. S. Fenton. Memoryless subsystems. Computing Journal, 17(2):143–147, May 1974.
11. J. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, 1982.
12. W. Halfond and A. Orso. AMNESIA: Analysis and monitoring for neutralizing SQL-injection. In IEEE/ACM International Conference on Automated Software Engineering (ASE), 2005.
13. N. Hardy. The confused deputy: (or why capabilities might have been invented). ACM SIGOPS Operating Systems Review, 22(4):36–38, October 1988.
14. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In International World Wide Web Conference, 2004.
15. R. Johnson and D. Wagner. Finding user/kernel pointer bugs with type inference. In USENIX Security Symposium, 2004.
16. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In ACM Conference on Computer and Communication Security (CCS), 2003.
17. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In USENIX Security Symposium, 2005.
18. J. McLean. A general theory of composition for trace sets closed under selective interleaving functions. In IEEE Symposium on Security and Privacy, pages 79–93, May 1994.
19. S. McPeak, G. C. Necula, S. P. Rahul, and W. Weimer. CIL: Intermediate language and tools for C program analysis and transformation. In Conference on Compiler Construction, 2002.
20. A. C. Myers. JFlow: Practical mostly-static information flow control. In ACM Symposium on Principles of Programming Languages (POPL), pages 228–241, Jan. 1999.
21. N. Nethercote and J. Seward. Valgrind: A program supervision framework. In Workshop on Runtime Verification (RV), Boulder, Colorado, USA, July 2003.
22. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Network and Distributed System Security Symposium (NDSS), 2005.
23. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In 20th IFIP International Information Security Conference, 2005.
24. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection (RAID), 2005.
25. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE J. Selected Areas in Communications, 21(1), Jan. 2003.
26. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In USENIX Security Symposium, 2001.
27. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In ACM Symposium on Principles of Programming Languages (POPL), January 2006.
28. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In International Conference on Architectural Support for Programming Languages and Operating Systems, pages 85–96, Boston, MA, USA, 2004.
29. P. Uppuluri and R. Sekar. Experiences with specification based intrusion detection. In proceedings of the Recent Advances in Intrusion Detection conference, October 2001.
30. D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. Journal of Computer Security, 4(3):167–187, 1996.
31. L. Wall, T. Christiansen, and R. Schwartz. Programming Perl. O’Reilly, 1996.
32. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX Security Symposium, 2006.
33. W. Xu, S. Bhatkar, and R. Sekar. Practical dynamic taint analysis for countering input validation attacks on web applications. Technical Report SECLAB-05-04, Department of Computer Science, Stony Brook University, May 2005.
34. X. Zhang, A. Edwards, and T. Jaeger. Using CQual for static analysis of authorization hook placement. In USENIX Security Symposium, 2002.