Abstract
This paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as such. The flaws also make it possible for benign inputs to be treated as attacks. After describing these flaws in conventional definitions of code-injection attacks, this paper proposes a new definition, which is based on whether the symbols input to an application get used as (normal-form) values in the application's output. Because values are already fully evaluated, they cannot be considered "code" when injected. This simple new definition of code-injection attacks avoids the problems of existing definitions, improves our understanding of how and when such attacks occur, and enables us to evaluate the effectiveness of mechanisms for mitigating such attacks.
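As an added illustration of the definition in the abstract (this is not the paper's own formalism or code), the following Python approximates a "normal-form value" by a literal token in a small SQL subset: a query is built by concatenation while recording which characters came from untrusted input, and any input-derived symbol that lands in a non-literal token (keyword, identifier, operator, comment) is reported as injected code. This also covers an arithmetic expression dropped into a numeric hole, which contains no quote or keyword but is still not a value.

```python
import re

# Added example, not the paper's code: a toy tokenizer for a small SQL subset.
# "Normal-form values" are approximated by literal tokens (string, number);
# every other token kind (keyword, identifier, operator, comment) is code.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')        # SQL string literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)  # keyword or identifier
  | (?P<space>\s+)
  | (?P<punct>[^\sA-Za-z_0-9'])       # operators and punctuation
""", re.VERBOSE)
VALUE_KINDS = {"string", "number"}

def build_query(template, inputs):
    """Fill each '?' hole by plain concatenation (the vulnerable pattern) and
    record which character offsets of the result came from untrusted input."""
    parts = template.split("?")
    if len(parts) != len(inputs) + 1:
        raise ValueError("number of '?' holes must match number of inputs")
    out, tainted, pos = [], set(), 0
    for i, part in enumerate(parts):
        out.append(part)
        pos += len(part)
        if i < len(inputs):
            tainted.update(range(pos, pos + len(inputs[i])))
            out.append(inputs[i])
            pos += len(inputs[i])
    return "".join(out), tainted

def injected_tokens(query, tainted):
    """Return (kind, text) for each token that contains an input-derived
    symbol but is not a normal-form value: an injection under the definition."""
    bad, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m:
            kind, text, end = m.lastgroup, m.group(), m.end()
        else:  # e.g. an unterminated quote: not a value, so treat it as code
            kind, text, end = "punct", query[pos], pos + 1
        if kind not in VALUE_KINDS | {"space"} and any(i in tainted for i in range(pos, end)):
            bad.append((kind, text))
        pos = end
    return bad

def is_code_injection(template, inputs):
    """True if any untrusted symbol is used as something other than a value."""
    query, tainted = build_query(template, inputs)
    return bool(injected_tokens(query, tainted))
```

A properly escaped input such as `O''Brien` stays entirely inside one string literal and is therefore not an attack, whereas `' OR '1'='1` is reported because the `OR` and `=` it contributes are code.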
Defining code-injection attacks
POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages