ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Full text PdfPdf (691 KB)
Source Foundations of Software Engineering archive
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering table of contents
Portland, Oregon, USA
SESSION: Safety and security table of contents
Pages: 175 - 185  
Year of Publication: 2006
ISBN:1-59593-468-5
Authors
William G. J. Halfond  Georgia Institute of Technology
Alessandro Orso  Georgia Institute of Technology
Panagiotis Manolios  Georgia Institute of Technology
Sponsors
SIGSOFT: ACM Special Interest Group on Software Engineering
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 37,   Downloads (12 Months): 310,   Citation Count: 11
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1181775.1181797
What is a DOI?

ABSTRACT

SQL injection attacks pose a serious threat to the security of Web applications because they can give attackers unrestricted access to databases that contain sensitive information. In this paper, we propose a new, highly automated approach for protecting existing Web applications against SQL injection. Our approach has both conceptual and practical advantages over most existing techniques. From the conceptual standpoint, the approach is based on the novel idea of positive tainting and the concept of syntax-aware evaluation. From the practical standpoint, our technique is at the same time precise and efficient and has minimal deployment requirements. The paper also describes wasp, a tool that implements our technique, and a set of studies performed to evaluate our approach. In the studies, we used our tool to protect several Web applications and then subjected them to a large and varied set of attacks and legitimate accesses. The evaluation was a complete success: wasp successfully and efficiently stopped all of the attacks without generating any false positives.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
C. Anley. Advanced SQL Injection In SQL Server Applications. White paper, Next Generation Security Software Ltd., 2002.
 
2
S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL Injection Attacks. In Proc. of the 2nd Applied Cryptography and Network Security Conf. (ACNS '04), pages 292--302, Jun. 2004.
3
Gregory Buehrer , Bruce W. Weide , Paolo A. G. Sivilotti, Using parse tree validation to prevent SQL injection attacks, Proceedings of the 5th international workshop on Software engineering and middleware, September 05-06, 2005, Lisbon, Portugal  [doi>10.1145/1108473.1108496]
4
William R. Cook , Siddhartha Rai, Safe query objects: statically typed objects as remotely executable queries, Proceedings of the 27th international conference on Software engineering, p.97-106, May 15-21, 2005, St. Louis, MO, USA  [doi>10.1145/1062455.1062488]
 
5
T. O. Foundation. Top ten most critical web application vulnerabilities, 2005. http://www.owasp.org/documentation/topten.html.
 
6
Carl Gould , Zhendong Su , Premkumar Devanbu, JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications, Proceedings of the 26th International Conference on Software Engineering, p.697-698, May 23-28, 2004
 
7
Carl Gould , Zhendong Su , Premkumar Devanbu, Static Checking of Dynamically Generated Queries in Database Applications, Proceedings of the 26th International Conference on Software Engineering, p.645-654, May 23-28, 2004
 
8
Vivek Haldar , Deepak Chandra , Michael Franz, Dynamic Taint Propagation for Java, Proceedings of the 21st Annual Computer Security Applications Conference, p.303-311, December 05-09, 2005  [doi>10.1109/CSAC.2005.21]
9
William G. J. Halfond , Alessandro Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA  [doi>10.1145/1101908.1101935]
 
10
W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. In Proc. of the Intl. Symposium on Secure Software Engineering, Mar. 2006.
 
11
Michael Howard , David E. Leblanc, Writing Secure Code, Microsoft Press, Redmond, WA, 2002
12
Yao-Wen Huang , Shih-Kun Huang , Tsung-Po Lin , Chung-Hung Tsai, Web application security assessment by fault injection and behavior monitoring, Proceedings of the 12th international conference on World Wide Web, May 20-24, 2003, Budapest, Hungary  [doi>10.1145/775152.775174]
13
Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA  [doi>10.1145/988672.988679]
 
14
Nenad Jovanovic , Christopher Kruegel , Engin Kirda, Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper), Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), p.258-263, May 21-24, 2006  [doi>10.1109/SP.2006.29]
 
15
V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the 14th Usenix Security Symposium, Aug. 2005.
 
16
O. Maor and A. Shulman. SQL Injection Signatures Evasion. White paper, Imperva, Apr. 2004. http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html.
17
Michael Martin , Benjamin Livshits , Monica S. Lam, Finding application errors and security flaws using PQL: a program query language, Proceedings of the 20th annual ACM SIGPLAN conference on Object oriented programming, systems, languages, and applications, October 16-20, 2005, San Diego, CA, USA
18
Russell A. McClure , Ingolf H. Krüger, SQL DOM: compile time checking of dynamic SQL statements, Proceedings of the 27th international conference on Software engineering, p.88-96, May 15-21, 2005, St. Louis, MO, USA  [doi>10.1145/1062455.1062487]
 
19
J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proc. of the 12th Annual Network and Distributed System Security Symposium (NDSS 05), Feb. 2005.
 
20
A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In Twentieth IFIP Intl. Information Security Conference (SEC 2005), May 2005.
 
21
T. Pietraszek and C. V. Berghe. Defending Against Injection Attacks through Context-Sensitive String Evaluation. In Proc. of Recent Advances in Intrusion Detection (RAID2005), Sep. 2005.
 
22
J. Saltzer and M. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE, Sep 1975.
23
David Scott , Richard Sharp, Abstracting application-level web security, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511498]
24
Zhendong Su , Gary Wassermann, The essence of command injection attacks in web applications, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.372-382, January 11-13, 2006, Charleston, South Carolina, USA
 
25
F. Valeur, D. Mutz, and G. Vigna. A Learning-Based Approach to the Detection of SQL Attacks. In Proc. of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Vienna, Austria, Jul. 2005.
 
26
G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proc. of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70--78, Oct. 2004.
 
27
Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the 15th USENIX Security Symposium, July 2006.

CITED BY  11
Gary Wassermann , Zhendong Su, Sound and precise analysis of web applications for injection vulnerabilities, ACM SIGPLAN Notices, v.42 n.6, June 2007
Michael Emmi , Rupak Majumdar , Koushik Sen, Dynamic test input generation for database applications, Proceedings of the 2007 international symposium on Software testing and analysis, July 09-12, 2007, London, United Kingdom
James Clause , Wanchun Li , Alessandro Orso, Dytan: a generic dynamic taint analysis framework, Proceedings of the 2007 international symposium on Software testing and analysis, July 09-12, 2007, London, United Kingdom
Prateek Saxena , R Sekar , Varun Puranik, Efficient fine-grained binary instrumentationwith applications to taint-tracking, Proceedings of the sixth annual IEEE/ACM international symposium on Code generation and optimization, April 05-09, 2008, Boston, MA, USA
Bruno Dufour, Blended analysis for improving the quality of framework-intensive applications, Proceedings of the 2008 Foundations of Software Engineering Doctoral Symposium, p.5-8, November 10-10, 2008, Atlanta, Georgia
Martin Bravenboer , Eelco Dolstra , Eelco Visser, Preventing injection attacks with syntax embeddings, Proceedings of the 6th international conference on Generative programming and component engineering, October 01-03, 2007, Salzburg, Austria
Sruthi Bandhakavi , Prithvi Bisht , P. Madhusudan , V. N. Venkatakrishnan, CANDID: preventing sql injection attacks using dynamic candidate evaluations, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
William G. J. Halfond , Alessandro Orso, Automated identification of parameter mismatches in web applications, Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering, November 09-14, 2008, Atlanta, Georgia
Stephen Thomas , Laurie Williams , Tao Xie, On automated prepared statement generation to remove SQL injection vulnerabilities, Information and Software Technology, v.51 n.3, p.589-598, March, 2009
Yin Liu , Ana Milanova, Static analysis for inference of explicit information flow, Proceedings of the 8th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, November 09-10, 2008, Atlanta, Georgia
Anyi Liu , Yi Yuan , Duminda Wijesekera , Angelos Stavrou, SQLProb: a proxy-based architecture towards preventing SQL injection attacks, Proceedings of the 2009 ACM symposium on Applied Computing, March 08-12, 2009, Honolulu, Hawaii

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.0 General
          Subjects: Protection mechanisms


General Terms:
Security


Keywords:
SQL injection, dynamic tainting, runtime monitoring

Collaborative Colleagues:
William G. J. Halfond: colleagues
Alessandro Orso: colleagues
Panagiotis Manolios: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player