ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Preventing SQL injection attacks using AMNESIA
Full text PdfPdf (201 KB)
Source International Conference on Software Engineering archive
Proceedings of the 28th international conference on Software engineering table of contents
Shanghai, China
DEMONSTRATION SESSION: Research demonstrations: data base and business process table of contents
Pages: 795 - 798  
Year of Publication: 2006
ISBN:1-59593-375-1
Authors
William G. J. Halfond  Georgia Institute of Technology
Alessandro Orso  Georgia Institute of Technology
Sponsors
ACM: Association for Computing Machinery
SIGSOFT: ACM Special Interest Group on Software Engineering
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 31,   Downloads (12 Months): 243,   Citation Count: 1
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1134285.1134416
What is a DOI?

ABSTRACT

AMNESIA is a tool that detects and prevents SQL injection attacks by combining static analysis and runtime monitoring. Empirical evaluation has shown that AMNESIA is both effective and efficient against SQL injection.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In Proc. of the 2nd Applied Cryptography and Network Security Conf. (ACNS 2004), pages 292--302, Jun. 2004.
2
Gregory Buehrer , Bruce W. Weide , Paolo A. G. Sivilotti, Using parse tree validation to prevent SQL injection attacks, Proceedings of the 5th international workshop on Software engineering and middleware, September 05-06, 2005, Lisbon, Portugal  [doi>10.1145/1108473.1108496]
 
3
A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. In Proc. 10th Intern. Static Analysis Symposium (SAS 2003), pages 1--18, Jun. 2003.
4
William R. Cook , Siddhartha Rai, Safe query objects: statically typed objects as remotely executable queries, Proceedings of the 27th international conference on Software engineering, p.97-106, May 15-21, 2005, St. Louis, MO, USA  [doi>10.1145/1062455.1062488]
 
5
Carl Gould , Zhendong Su , Premkumar Devanbu, Static Checking of Dynamically Generated Queries in Database Applications, Proceedings of the 26th International Conference on Software Engineering, p.645-654, May 23-28, 2004
 
6
Vivek Haldar , Deepak Chandra , Michael Franz, Dynamic Taint Propagation for Java, Proceedings of the 21st Annual Computer Security Applications Conference, p.303-311, December 05-09, 2005  [doi>10.1109/CSAC.2005.21]
7
William G. J. Halfond , Alessandro Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA  [doi>10.1145/1101908.1101935]
8
William G. J. Halfond , Alessandro Orso, Combining static analysis and runtime monitoring to counter SQL-injection attacks, Proceedings of the third international workshop on Dynamic analysis, p.1-7, May 17-17, 2005, St. Louis, Missouri
 
9
W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. In Proc. of the Intern. Symposium on Secure Software Engineering (ISSSE 2006), Mar. 2006.
 
10
Michael Howard , David E. Leblanc, Writing Secure Code, Microsoft Press, Redmond, WA, 2002
11
Yao-Wen Huang , Shih-Kun Huang , Tsung-Po Lin , Chung-Hung Tsai, Web application security assessment by fault injection and behavior monitoring, Proceedings of the 12th international conference on World Wide Web, May 20-24, 2003, Budapest, Hungary  [doi>10.1145/775152.775174]
12
Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA  [doi>10.1145/988672.988679]
 
13
V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Usenix Security Symposium, Aug. 2005.
14
Michael Martin , Benjamin Livshits , Monica S. Lam, Finding application errors and security flaws using PQL: a program query language, Proceedings of the 20th annual ACM SIGPLAN conference on Object oriented programming, systems, languages, and applications, October 16-20, 2005, San Diego, CA, USA
15
Russell A. McClure , Ingolf H. Krüger, SQL DOM: compile time checking of dynamic SQL statements, Proceedings of the 27th international conference on Software engineering, p.88-96, May 15-21, 2005, St. Louis, MO, USA  [doi>10.1145/1062455.1062487]
 
16
A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting Information. In Twentieth IFIP Intern. Information Security Conf. (SEC 2005), May 2005.
 
17
T. Pietraszek and C. V. Berghe. Defending Against Injection Attacks through Context-Sensitive String Evaluation. In Proc. of Recent Advances in Intrusion Detection (RAID 2005), Sep. 2005.
18
David Scott , Richard Sharp, Abstracting application-level web security, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511498]
19
Arjan Seesing , Alessandro Orso, InsECTJ: a generic instrumentation framework for collecting dynamic information within Eclipse, Proceedings of the 2005 OOPSLA workshop on Eclipse technology eXchange, p.45-49, October 16-17, 2005, San Diego, California  [doi>10.1145/1117696.1117706]
20
Zhendong Su , Gary Wassermann, The essence of command injection attacks in web applications, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.372-382, January 11-13, 2006, Charleston, South Carolina, USA
 
21
F. Valeur, D. Mutz, and G. Vigna. A Learning-Based Approach to the Detection of SQL Attacks. In Proc. of the Conf. on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2005), Jul. 2005.
 
22
G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proc. of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70--78, Oct. 2004.

CITED BY
 
Matthew M. North , Max M. North , Sarah M. North, Security from the bottom-up: compliance regulations and the trend toward design-oriented web applications, Journal of Computing Sciences in Colleges, v.24 n.4, April 2009

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.5 Testing and Debugging


General Terms:
Security, Verification


Keywords:
SQL injection, runtime monitoring, static analysis

Collaborative Colleagues:
William G. J. Halfond: colleagues
Alessandro Orso: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player