research-article

Defining code-injection attacks

Published: 25 January 2012

Abstract

This paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as such. The flaws also make it possible for benign inputs to be treated as attacks. After describing these flaws in conventional definitions of code-injection attacks, this paper proposes a new definition, which is based on whether the symbols input to an application get used as (normal-form) values in the application's output. Because values are already fully evaluated, they cannot be considered "code" when injected. This simple new definition of code-injection attacks avoids the problems of existing definitions, improves our understanding of how and when such attacks occur, and enables us to evaluate the effectiveness of mechanisms for mitigating such attacks.
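To make the abstract's definition concrete, the following is an added illustration written for this page; it is not the paper's formalism or code. It assumes a toy SQL-like tokenizer in which only string and numeric literals count as normal-form values, a `{name}` placeholder syntax for the application's query template, and per-character provenance tracking that marks which output symbols came from input. An output is classified as an injection when some input-derived symbol lands in a token that is not a value (a keyword, operator, identifier or comment). The constructed inputs show the two failure modes the abstract names: a name containing a keyword is benign because it stays inside a string literal, while an unescaped quote-breaking input becomes code.

```python
"""Toy checker for the value-based definition of code injection described in the
abstract. Added, simplified illustration, not the paper's formal definition or
code: the grammar is a small SQL-like subset, and only string and numeric
literals are treated as normal-form values."""
import re

# Constructed tokenizer for a tiny SQL-like language. Alternatives are tried in
# order, so the comment rule must precede the operator rule.
TOKEN_RE = re.compile(
    r"(?P<string>'(?:[^']|'')*')"         # string literal; '' is an escaped quote
    r"|(?P<number>\d+(?:\.\d+)?)"         # numeric literal
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"  # keyword or identifier
    r"|(?P<comment>--[^\n]*)"             # line comment
    r"|(?P<op><>|<=|>=|[=<>+\-*/;(),.])"  # operator or punctuation
    r"|(?P<ws>\s+)"                       # whitespace (discarded)
)

# Token kinds that are fully evaluated values; every other token is code.
VALUE_KINDS = {"string", "number"}


def build_query(template, inputs, escape=True):
    """Substitute inputs into {name} placeholders and record, per output
    character, whether it came from an input (True) or from the template (False)."""
    query, from_input, pos = [], [], 0
    for m in re.finditer(r"\{(\w+)\}", template):
        chunk = template[pos:m.start()]
        query.append(chunk)
        from_input.extend([False] * len(chunk))
        value = inputs[m.group(1)]
        if escape:
            value = value.replace("'", "''")  # the usual quote-doubling
        query.append(value)
        from_input.extend([True] * len(value))
        pos = m.end()
    tail = template[pos:]
    query.append(tail)
    from_input.extend([False] * len(tail))
    return "".join(query), from_input


def tokenize(query):
    """Return (kind, start, end) for each non-whitespace token; raise if the
    query cannot be lexed."""
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {query[pos:]!r}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


def classify(query, from_input):
    """Apply the definition: an attack occurs when some input-derived symbol
    ends up inside an output token that is not a normal-form value."""
    try:
        tokens = tokenize(query)
    except ValueError:
        return "malformed", []  # not a query a parser would accept at all
    offending = [
        query[start:end]
        for kind, start, end in tokens
        if kind not in VALUE_KINDS and any(from_input[start:end])
    ]
    return ("injection" if offending else "benign"), offending


def check(template, inputs, escape=True):
    """Build the output query from template and inputs, then classify it."""
    query, from_input = build_query(template, inputs, escape)
    return classify(query, from_input)


if __name__ == "__main__":
    tmpl = "SELECT * FROM users WHERE name='{name}'"
    # Constructed inputs: a quote inside a name, a keyword-looking name, and an
    # unescaped input that breaks out of the literal.
    for name, esc in [("O'Brien", True), ("DROP TABLE users", True), ("a' OR 1=1 --", False)]:
        print(repr(name), "->", check(tmpl, {"name": name}, esc))
    print(check("SELECT * FROM items LIMIT {n}", {"n": "10; DROP TABLE items"}))
```

The point of the provenance list rather than a keyword blacklist is visible in the second constructed input: `DROP TABLE users` as a user name is benign under this definition because every input symbol is absorbed into one string literal, whereas a blacklist would reject it. Conversely, the numeric placeholder case shows that the definition does not depend on quoting at all: `10` used as a literal is a value, but `10; DROP TABLE items` puts input symbols into an operator and keywords.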

Supplementary Material

JPG File (popl_3a_2.jpg)
MP4 File (popl_3a_2.mp4)



Published In

ACM SIGPLAN Notices, Volume 47, Issue 1 (POPL '12)
January 2012
569 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2103621
  • POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
    January 2012
    602 pages
    ISBN: 9781450310833
    DOI: 10.1145/2103656
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 January 2012
Published in SIGPLAN Volume 47, Issue 1


Author Tags

  1. language-based security
  2. web-application security

Qualifiers

  • Research-article

Article Metrics

  • Downloads (last 12 months): 110
  • Downloads (last 6 weeks): 16
Reflects downloads up to 01 Jan 2025

Cited By

  • (2024) Detection of Injection Attacks in Web Applications. Eskişehir Türk Dünyası Uygulama ve Araştırma Merkezi Bilişim Dergisi. DOI: 10.53608/estudambilisim.1402251. Online publication date: 3-Jan-2024.
  • (2024) Automating Fault Test Cases Generation and Execution for Automotive Safety Validation via NLP and HIL Simulation. Sensors 24(10):3145. DOI: 10.3390/s24103145. Online publication date: 15-May-2024.
  • (2024) SQLPsdem: A Proxy-Based Mechanism Towards Detecting, Locating and Preventing Second-Order SQL Injections. IEEE Transactions on Software Engineering 50(7):1807-1826. DOI: 10.1109/TSE.2024.3400404. Online publication date: 1-Jul-2024.
  • (2024) Reliable IPS model for eLCMS Service and Files Protection. 2024 9th South-East Europe Design Automation, Computer Engineering, Computer Networks and Social Media Conference (SEEDA-CECNSM), pages 25-29. DOI: 10.1109/SEEDA-CECNSM63478.2024.00014. Online publication date: 20-Sep-2024.
  • (2024) A Survey on Hardware-Based Malware Detection Approaches. IEEE Access 12:54115-54128. DOI: 10.1109/ACCESS.2024.3388716. Online publication date: 2024.
  • (2023) Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations. Sensors 23(13):6067. DOI: 10.3390/s23136067. Online publication date: 30-Jun-2023.
  • (2023) Speculation-Free Function Table Construction in LLVM IR for Fine-Grained Control Flow Integrity. Journal of Circuits, Systems and Computers 32(16). DOI: 10.1142/S021812662350281X. Online publication date: 29-May-2023.
  • (2023) Analyzing Code Security: Approaches and Tools for Effective Review and Analysis. 2023 International Conference on Electrical, Computer and Energy Technologies (ICECET), pages 1-6. DOI: 10.1109/ICECET58911.2023.10389326. Online publication date: 16-Nov-2023.
  • (2023) Ethical hacking for IoT: Security issues, challenges, solutions and recommendations. Internet of Things and Cyber-Physical Systems 3:280-308. DOI: 10.1016/j.iotcps.2023.04.002. Online publication date: 2023.
  • (2023) Securing the IoT-Based Wireless Sensor Networks in 5G and Beyond. 5G and Beyond, pages 197-215. DOI: 10.1007/978-981-99-3668-7_10. Online publication date: 30-Aug-2023.
