DOI: 10.1145/1250734.1250739

Sound and precise analysis of web applications for injection vulnerabilities

Published: 10 June 2007

ABSTRACT

Web applications are popular targets of security attacks. One common type of such attacks is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries. Both static and dynamic approaches have been proposed to detect or prevent SQL injections; while dynamic approaches provide protection for deployed software, static approaches can detect potential vulnerabilities before software deployment. Previous static approaches are mostly based on tainted information flow tracking and have at least some of the following limitations: (1) they do not model the precise semantics of input sanitization routines; (2) they require manually written specifications, either for each query or for bug patterns; or (3) they are not fully automated and may require user intervention at various points in the analysis. In this paper, we address these limitations by proposing a precise, sound, and fully automated analysis technique for SQL injection. Our technique avoids the need for specifications by considering as attacks those queries for which user input changes the intended syntactic structure of the generated query. It checks conformance to this policy by conservatively characterizing the values a string variable may assume with a context-free grammar, tracking the nonterminals that represent user-modifiable data, and modeling string operations precisely as language transducers. We have implemented the proposed technique for PHP, the most widely used web scripting language. Our tool successfully discovered previously unknown and sometimes subtle vulnerabilities in real-world programs, has a low false positive rate, and scales to large programs (approximately 100K lines of code).
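As an added illustration, not code from the paper or its PHP tool: the policy the abstract states, that an attack is a query whose intended syntactic structure user input has changed, checked at runtime on a single concrete query with a toy SQL lexer. The paper enforces the same policy statically over a context-free grammar that over-approximates every query string the program can build; here each user-supplied substring must fall inside exactly one literal token, and a quote-doubling sanitizer stands in for the kind of string operation the paper models as a transducer. The lexer, the `check` helper and the sample queries are constructed for this example.

```python
import re

# Minimal SQL lexer, constructed for this example. It is not the paper's grammar;
# it only needs to tell literals apart from keywords, identifiers and operators.
TOKEN_RE = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')          # single-quoted literal; '' is an escaped quote
  | (?P<number>\d+(?:\.\d+)?)           # numeric literal
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)   # keyword or identifier
  | (?P<op><>|<=|>=|=|<|>|\*|,|\(|\)|;) # operators and punctuation
  | (?P<ws>\s+)
  | (?P<other>.)                        # anything else, e.g. a stray quote
    """,
    re.VERBOSE,
)


def tokenize(sql):
    """Return (kind, start, end) for each non-whitespace token of sql."""
    return [(m.lastgroup, m.start(), m.end())
            for m in TOKEN_RE.finditer(sql) if m.lastgroup != "ws"]


def build_query(parts):
    """Concatenate ("const", text) and ("user", text) parts into one query and
    return it with the character spans that originated from user input."""
    query, spans = "", []
    for origin, text in parts:
        start = len(query)
        query += text
        if origin == "user":
            spans.append((start, len(query)))
    return query, spans


def is_structure_preserving(query, spans):
    """The abstract's policy on one concrete query: user input may only fill a
    literal. Each user span must lie inside exactly one string or number token
    and, for strings, must not touch the delimiting quotes."""
    tokens = tokenize(query)
    for start, end in spans:
        overlapping = [t for t in tokens if t[1] < end and start < t[2]]
        if len(overlapping) != 1:
            return False          # input crosses a token boundary (adds OR, =, ; ...)
        kind, t_start, t_end = overlapping[0]
        if kind == "number":
            continue
        if kind == "string" and t_start < start and end < t_end:
            continue
        return False              # keyword, identifier, operator or stray quote
    return True


def escape_quotes(text):
    """The sanitizer modeled here (hypothetical, stands in for a real escaping
    routine): double every single quote so it cannot close the literal."""
    return text.replace("'", "''")


def check(template_before, user_input, template_after="", sanitize=None):
    """Assemble template_before + user_input + template_after and apply the policy."""
    if sanitize is not None:
        user_input = sanitize(user_input)
    query, spans = build_query([("const", template_before),
                                ("user", user_input),
                                ("const", template_after)])
    return is_structure_preserving(query, spans)


if __name__ == "__main__":
    by_name = "SELECT * FROM users WHERE name = '"
    by_id = "SELECT * FROM items WHERE id = "
    print(check(by_name, "alice", "'"))                            # True
    print(check(by_name, "alice' OR 'a'='a", "'"))                 # False
    print(check(by_name, "O'Brien", "'"))                          # False: unescaped quote
    print(check(by_name, "O'Brien", "'", sanitize=escape_quotes))  # True
    print(check(by_id, "42"))                                      # True
    print(check(by_id, "42 OR 1=1"))                               # False
```

The `O'Brien` pair is the point the abstract makes about sanitizers: without modeling what `escape_quotes` does to the string, an analysis either rejects the legitimate name or has to trust the routine on faith, whereas tracking the transformation precisely shows the quote can no longer terminate the literal.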


Published in

• PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation
  June 2007, 508 pages
  ISBN: 9781595936332
  DOI: 10.1145/1250734
• ACM SIGPLAN Notices, Volume 42, Issue 6: Proceedings of the 2007 PLDI conference
  June 2007, 491 pages
  ISSN: 0362-1340
  EISSN: 1558-1160
  DOI: 10.1145/1273442

Copyright © 2007 ACM

Publisher: Association for Computing Machinery, New York, NY, United States



Qualifiers: Article

Overall acceptance rate: 406 of 2,067 submissions, 20%
