ABSTRACT
Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SqlCheckS, an implementation for the setting of SQL command injection attacks. We evaluated SqlCheckS on real-world web applications with systematically compiled real-world attack data as input. SqlCheckS produced no false positives or false negatives, incurred low runtime overhead, and applied straightforwardly to web applications written in different languages.
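The key observation above, that an injected input only succeeds if it changes the intended syntactic structure of the query, can be turned into a runtime check. The block below is an added example, not the paper's SqlCheckS implementation: it uses a constructed toy SQL grammar (SELECT * FROM table WHERE a chain of equality comparisons joined by AND/OR), surrounds each user input with a random marker string before the query is built, strips the markers while recording the character spans they delimited, parses the query with a recursive-descent parser that records the span of every parse-tree node, and accepts the query only if each user-controlled span is a complete syntactic form, meaning either exactly one parse-tree node or text lying strictly inside one string literal. All function, class and grammar names are this example's own assumptions.

```python
"""Structural (parse-tree) check for SQL injection, modelled on the idea that the
user input must not alter the intended syntactic structure of the generated query.
Toy grammar and names are constructed for this example; it is not SqlCheckS."""
import re
import secrets
from dataclasses import dataclass, field

# Constructed mini grammar (assumption of this example):
#   query   := SELECT '*' FROM ident WHERE cond
#   cond    := cmp ((AND | OR) cmp)*
#   cmp     := operand '=' operand
#   operand := ident | number | string
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+) | (?P<comment>--[^\n]*) | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+) | (?P<ident>[A-Za-z_][A-Za-z0-9_]*) | (?P<sym>[=*])
""", re.VERBOSE)


@dataclass
class Token:
    kind: str
    text: str
    start: int   # character offsets into the marker-stripped query
    end: int


@dataclass
class Node:
    label: str
    start: int
    end: int
    children: list = field(default_factory=list)


def tokenize(sql):
    """Lexer that records character spans; whitespace and -- comments are dropped."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise SyntaxError(f"unexpected character {sql[pos]!r} at {pos}")
        if m.lastgroup not in ("ws", "comment"):
            tokens.append(Token(m.lastgroup, m.group(), m.start(), m.end()))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser; every nonterminal/terminal node is kept in self.nodes."""
    def __init__(self, tokens):
        self.toks, self.i, self.nodes = tokens, 0, []

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def expect(self, kind, text=None):
        t = self.peek()
        if t is None or t.kind != kind or (text is not None and t.text.upper() != text):
            raise SyntaxError(f"expected {text or kind} at {t.start if t else 'end of input'}")
        self.i += 1
        return t

    def node(self, label, first, children):
        n = Node(label, first.start, self.toks[self.i - 1].end, children)
        self.nodes.append(n)
        return n

    def query(self):
        first = self.expect("ident", "SELECT")
        self.expect("sym", "*"); self.expect("ident", "FROM"); self.expect("ident")
        self.expect("ident", "WHERE")
        c = self.cond()
        if self.peek() is not None:
            raise SyntaxError("trailing tokens after WHERE condition")
        return self.node("query", first, [c])

    def cond(self):
        first, kids = self.peek(), [self.cmp()]
        while self.peek() and self.peek().kind == "ident" and self.peek().text.upper() in ("AND", "OR"):
            self.i += 1
            kids.append(self.cmp())
        return self.node("cond", first, kids)

    def cmp(self):
        first = self.peek()
        left = self.operand(); self.expect("sym", "="); right = self.operand()
        return self.node("cmp", first, [left, right])

    def operand(self):
        t = self.peek()
        if t is None or t.kind not in ("ident", "number", "string") or t.text.upper() in KEYWORDS:
            raise SyntaxError(f"expected operand at {t.start if t else 'end of input'}")
        self.i += 1
        return self.node(t.kind, t, [])


def strip_marks(augmented, mark):
    """Remove marker strings, returning the plain query and the spans they enclosed."""
    pieces = augmented.split(mark)
    if len(pieces) % 2 == 0:
        raise ValueError("unbalanced markers")
    sql, spans = "", []
    for idx, piece in enumerate(pieces):
        if idx % 2 == 1:
            spans.append((len(sql), len(sql) + len(piece)))
        sql += piece
    return sql, spans


def is_syntactic_form(start, end, tokens, nodes):
    """True if the span is strictly inside one string literal or is exactly one parse node."""
    if any(t.kind == "string" and t.start < start and end < t.end for t in tokens):
        return True
    return any(n.start == start and n.end == end for n in nodes)


def check_query(trusted_parts, user_inputs):
    """trusted_parts[0] + input[0] + trusted_parts[1] + ... ; returns (accepted, reason)."""
    mark = secrets.token_hex(16)                      # unguessable, so inputs cannot forge it
    if any(mark in s for s in user_inputs):
        return False, "marker collision in input"
    augmented = trusted_parts[0]
    for inp, part in zip(user_inputs, trusted_parts[1:]):
        augmented += mark + inp + mark + part
    sql, spans = strip_marks(augmented, mark)
    try:
        tokens = tokenize(sql)
        parser = Parser(tokens)
        parser.query()
    except SyntaxError as exc:                        # a malformed query is rejected too
        return False, f"parse error: {exc}"
    for start, end in spans:
        if not is_syntactic_form(start, end, tokens, parser.nodes):
            return False, f"input {sql[start:end]!r} changes the query structure"
    return True, "ok"


if __name__ == "__main__":
    tmpl = ["SELECT * FROM users WHERE name='", "'"]   # constructed query template
    for user in ["alice", "it''s", "' OR 1=1 --", "' OR 'a'='a"]:
        print(repr(user), check_query(tmpl, [user]))
```

With the string template, `alice` and the properly escaped `it''s` sit entirely inside one string literal and are accepted, while `' OR 1=1 --` closes the literal and its span covers a `cmp` plus half of another token, so it matches no single node and is rejected; the same check rejects `7 OR 1=1` in a numeric position while accepting `7`, because only `7` is a complete operand node. A parse error from malformed input is also reported as a rejection rather than passed on to the database.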
CITED BY 32
Gary Wassermann , Dachuan Yu , Ajay Chander , Dinakar Dhurjati , Hiroshi Inamura , Zhendong Su, Dynamic test input generation for web applications, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
Ömer Erdem Demir , Prémkumar Dévanbu , Eric Wohlstadter , Stefan Tai, An aspect-oriented approach to bypassing middleware layers, Proceedings of the 6th international conference on Aspect-oriented software development, March 12-16, 2007, Vancouver, British Columbia, Canada
Shay Artzi , Adam Kiezun , Julian Dolby , Frank Tip , Danny Dig , Amit Paradkar , Michael D. Ernst, Finding bugs in dynamic web applications, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
Monica S. Lam , Michael Martin , Benjamin Livshits , John Whaley, Securing web applications with static and dynamic information flow tracking, Proceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, p.3-12, January 07-08, 2008, San Francisco, California, USA
Sruthi Bandhakavi , Prithvi Bisht , P. Madhusudan , V. N. Venkatakrishnan, CANDID: preventing sql injection attacks using dynamic candidate evaluations, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Davide Balzarotti , Marco Cova , Viktoria V. Felmetsger , Giovanni Vigna, Multi-module vulnerability analysis of web-based applications, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Haibo Chen , Xi Wu , Liwei Yuan , Binyu Zang , Pen-chung Yew , Frederic T. Chong, From Speculation to Security: Practical and Efficient Information Flow Tracking Using Speculative Hardware, ACM SIGARCH Computer Architecture News, v.36 n.3, p.401-412, June 2008
INDEX TERMS
Primary Classification:
D.
Software
D.2
SOFTWARE ENGINEERING
D.2.4
Software/Program Verification
Subjects:
Reliability
Additional Classification:
D.
Software
D.2
SOFTWARE ENGINEERING
D.2.4
Software/Program Verification
Subjects:
Validation
D.3
PROGRAMMING LANGUAGES
D.3.1
Formal Definitions and Theory
Subjects:
Syntax
F.
Theory of Computation
F.4
MATHEMATICAL LOGIC AND FORMAL LANGUAGES
F.4.2
Grammars and Other Rewriting Systems
Subjects:
Parsing;
Grammar types (e.g., context-free, context-sensitive)
General Terms:
Algorithms,
Experimentation,
Languages,
Reliability,
Security,
Verification
Keywords:
command injection attacks,
grammars,
parsing,
runtime verification,
web applications