
Sound and precise analysis of web applications for injection vulnerabilities

Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation, no. 6 (2007): 32-41

Cited by: 439

Abstract

Web applications are popular targets of security attacks. One common type of such attacks is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries. Both static and dynamic approaches have been proposed to detect or prevent SQL injections; while dynamic approaches provide protectio...

Introduction
  • Web applications enable much of today’s online business including banking, shopping, university admissions, and various governmental activities.
  • Vulnerabilities that allow an attacker to compromise a web application’s control of its data pose a significant threat.
  • In 2006, 14% of the CVEs were SQL command injection vulnerabilities (SQLCIVs), making SQL injection the second most frequently reported security threat [9].
  • Some web security analysts speculate that because web applications are highly accessible and databases often hold valuable information, the percentage of SQL injection attacks being executed is significantly higher than the percentage of reported vulnerabilities would suggest [26].
Highlights
  • Web applications enable much of today’s online business including banking, shopping, university admissions, and various governmental activities
  • It is grammar-based; we model string values as context free grammars (CFGs) and string operations as language transducers following Minamide [20]
  • We evaluated our tool on five real-world PHP web applications in order to test its scalability and its false positive rate, and to see what kinds of errors it would find and what would cause false positives
  • In this paper we have proposed a new static analysis algorithm to find SQL command injection vulnerabilities
  • By using a general definition of SQL command injection vulnerabilities based on the context of untrusted substrings, we avoid the need for manually written policies
Results
  • The authors evaluated the tool on five real-world PHP web applications in order to test its scalability and its false positive rate, and to see what kinds of errors it would find and what would cause false positives.
  • Code fragment from the paper's Unp example, as extracted (the middle of the INSERT statement is missing): unp msg(gp allfields); exit; } if (!preg match('/^[\d]+/', newsposterid)) { unp msg(gp invalidrequest); exit; } submitnews = DB->query("INSERT INTOunp news" ."(`date, `subject, `news, `posterid," ... "'newsposterid','newsposter')");
  • ... size of each of these web applications in terms of the number of files and the number of lines of PHP code.
  • The authors ran the analysis on a machine with a 3GHz processor and 8GB of RAM running Linux – Fedora Core 5.
Conclusion
  • In this paper the authors have proposed a new static analysis algorithm to find SQLCIVs.
  • It characterizes the sets of possible database queries that a web application may generate using context free grammars, and tracks information flow from untrusted sources into those grammars.
  • The authors' implementation worked well under evaluation.
  • It was precise and detected previously unknown vulnerabilities in real-world web applications with few false positives, demonstrating the effectiveness of the approach.
  • The authors are interested in integrating the analysis into a broader business logic analysis of web applications [15] in order to track session variables as they flow from one page to another and provide more precise and informative warnings.
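The criterion behind the Highlights and Conclusion bullets (an untrusted substring may not alter the syntactic structure of the query the application generates) can be shown on concrete values. The Python below is an added example, not code from the paper or from the authors' tool: it carries taint through string concatenation and a quote-doubling step, lexes the finished query, and reports every untrusted substring that is not confined to one literal token. It is a dynamic check on single strings, whereas the paper's analysis computes the whole set of possible queries as a context-free grammar. The unp_news INSERT, the TStr and injection_risks names, and the sample inputs are constructed here; the unanchored pattern ^[\d]+ mirrors the preg_match fragment quoted under Results, and the anchored variant is the fix.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Seg:
    text: str
    tainted: bool  # True when the characters came from an untrusted source


class TStr:
    """A string whose characters remember whether they came from an untrusted source."""

    def __init__(self, segs: List[Seg]):
        self.segs = [s for s in segs if s.text]

    @classmethod
    def trusted(cls, text: str) -> "TStr":
        return cls([Seg(text, False)])

    @classmethod
    def untrusted(cls, text: str) -> "TStr":
        return cls([Seg(text, True)])

    def __add__(self, other: "TStr") -> "TStr":
        return TStr(self.segs + other.segs)

    def text(self) -> str:
        return "".join(s.text for s in self.segs)

    def replace(self, old: str, new: str) -> "TStr":
        """Escaping model: substituted text inherits the taint of what it replaces."""
        return TStr([Seg(s.text.replace(old, new), s.tainted) for s in self.segs])

    def taint_spans(self) -> List[Tuple[int, int]]:
        """Character ranges [start, end) that are tainted, adjacent ranges merged."""
        spans, pos = [], 0
        for s in self.segs:
            end = pos + len(s.text)
            if s.tainted:
                if spans and spans[-1][1] == pos:
                    spans[-1] = (spans[-1][0], end)
                else:
                    spans.append((pos, end))
            pos = end
        return spans


# Minimal SQL lexer (assumed dialect): '' escapes a quote inside a string literal.
# The last alternative matches any single non-space character, so every
# character of the input belongs to exactly one token.
TOKEN_RE = re.compile(
    r"(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<ident>`[^`]*`|[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<space>\s+)"
    r"|(?P<punct>[^\s])"
)
LITERAL_KINDS = {"string", "number"}


def tokenize(sql: str) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) for every token of the query text."""
    return [(m.lastgroup, m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]


def injection_risks(query: TStr) -> List[str]:
    """Tainted substrings that are not confined to a single literal token."""
    sql = query.text()
    tokens = tokenize(sql)
    risks = []
    for start, end in query.taint_spans():
        covering = [kind for kind, s, e in tokens if s <= start and end <= e]
        if not covering or covering[0] not in LITERAL_KINDS:
            risks.append(sql[start:end])
    return risks


def validate(value: TStr, pattern: str) -> bool:
    """Model of a whitelist check such as preg_match(); True if the value passes."""
    return re.match(pattern, value.text()) is not None


def build_news_query(poster_id: TStr, subject: TStr) -> TStr:
    """Constructed query in the style of the Unp INSERT discussed in the paper."""
    return (TStr.trusted("INSERT INTO unp_news (`posterid`, `subject`) VALUES (")
            + poster_id
            + TStr.trusted(", '")
            + subject.replace("'", "''")   # quote-doubling keeps data inside the literal
            + TStr.trusted("')"))


def demo() -> dict:
    """Constructed inputs: a well-formed id and one that an unanchored regex lets through."""
    good_id = TStr.untrusted("42")
    bad_id = TStr.untrusted("42 OR 1=1")
    subject = TStr.untrusted("O'Brien's reply")
    return {
        "unanchored_accepts_bad": validate(bad_id, r"^[\d]+"),
        "anchored_accepts_bad": validate(bad_id, r"^[\d]+$"),
        "good_query_risks": injection_risks(build_news_query(good_id, subject)),
        "bad_query_risks": injection_risks(build_news_query(bad_id, subject)),
    }


if __name__ == "__main__":
    print(demo())
```

The escaped subject stays safe because the doubled quotes remain inside one string token, while the numeric field has no quoting at all, so anything beyond digits crosses token boundaries and is reported; that is exactly what the missing `$` anchor in the quoted preg_match check fails to rule out.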
Tables
  • Table 1: Evaluation results
Related work
  • In this section we survey closely related work.

    6.1 Static String Analysis

    The study of static string analysis grew out of the study of text processing programs. An early work to use formal languages (viz. regular languages) to represent string values is XDuce [10], a language designed for XML transformations. Tabuchi et al. designed regular expression types for strings in a functional language with a type system that could handle certain programming constructs with greater precision than had been done before [27].

    Christensen et al. introduced the study of static string analysis for imperative (and real-world) languages by showing the usefulness of string analysis for analyzing reflective code in Java programs and checking for errors in dynamically generated SQL queries [3]. They designed an analysis for Java that has FSAs as its target language representation; they chose FSAs because FSAs are closed under the standard language operations. They also applied techniques from computational linguistics to generate good FSA approximations of CFGs [21]. Their analysis, however, does not track the source of data, and because it must determinize the FSAs between each operation, it is less efficient than other string analyses and not practical for finding SQLCIVs. Gould et al. used this analysis to type check dynamically generated queries, but made approximations that would cause them to miss SQLCIVs [6].
Funding
  • This research was supported in part by NSF NeTS-NBD Grant No 0520320, NSF CAREER Grant No 0546844, NSF CyberTrust Grant No 0627749, and a generous gift from Intel.
References
  • [1] S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In International Conference on Applied Cryptography and Network Security (ACNS), LNCS, volume 2, 2004.
  • [2] G. T. Buehrer, B. W. Weide, and P. A. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the International Workshop on Software Engineering and Middleware (SEM) at Joint FSE and ESEC, Sept. 2005.
  • [3] A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. In Proceedings of the 10th International Static Analysis Symposium, SAS ’03, volume 2694 of LNCS, pages 1–18. Springer-Verlag, June 2003. Available from http://www.brics.dk/JSA/.
  • [4] J. Earley. An efficient context-free parsing algorithm. Communications of the Association for Computing Machinery, 13(2):94–102, 1970.
  • [5] J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type qualifiers. In PLDI ’02: Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, pages 1–12, New York, NY, USA, 2002. ACM Press.
  • [6] C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Proceedings of the 25th International Conference on Software Engineering (ICSE), pages 645–654, May 2004.
  • [7] W. Halfond, A. Orso, and P. Manolios. Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. In Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE 2006), Portland, Oregon, November 2006.
  • [8] W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of 20th ACM International Conference on Automated Software Engineering (ASE), Nov. 2005.
  • [9] K. J. Higgins. Cross-site scripting: Attackers’ new favorite flaw, September 2006. http://www.darkreading.com/document.asp?doc_id=103774&WT.svl=news1_1.
  • [10] H. Hosoya and B. C. Pierce. XDuce: A typed XML processing language (preliminary report). In Selected papers from the Third International Workshop WebDB 2000 on The World Wide Web and Databases, pages 226–244, London, UK, 2001. Springer-Verlag.
  • [11] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW ’04: Proceedings of the 13th international conference on World Wide Web, pages 40–52, New York, NY, USA, 2004. ACM Press.
  • [12] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In 2006 IEEE Symposium on Security and Privacy, Oakland, CA, May 2006.
  • [13] N. Jovanovic, C. Kruegel, and E. Kirda. Precise alias analysis for syntactic detection of web application vulnerabilities. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada, June 2006.
  • [14] G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proc. CCS’03, pages 272–280, 2003.
  • [15] C. Kirkegaard and A. Møller. Static analysis for Java Servlets and JSP. In Proceedings of the 13th International Static Analysis Symposium, SAS ’06, volume 4134 of LNCS. Springer-Verlag, August 2006. Full version available as BRICS RS-06-10.
  • [16] M. S. Lam, J. Whaley, V. B. Livshits, M. C. Martin, D. Avots, M. Carbin, and C. Unkel. Context-sensitive program analysis as database queries. In Proceedings of the Twenty-fourth ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Database Systems. ACM, June 2005.
  • [17] V. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the 14th Usenix Security Symposium, pages 271–286, Aug. 2005.
  • [18] M. Martin, B. Livshits, and M. S. Lam. Finding application errors and security flaws using PQL: a program query language. In OOPSLA ’05: Proceedings of the 20th annual ACM SIGPLAN conference on Object oriented programming systems languages and applications, pages 365–383, 2005.
  • [19] D. Melski and T. Reps. Interconvertibility of set constraints and context-free language reachability. In Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation, pages 74–89, 1997.
  • [20] Y. Minamide. Static Approximation of Dynamically Generated Web Pages. In WWW’05: Proceedings of the 14th International Conference on the World Wide Web, pages 432–441, 2005.
  • [21] M. Mohri and M. Nederhof. Regular approximation of context-free grammars through transformation. Robustness in Language and Speech Technology, pages 153–163, 2001.
  • [22] M. Mohri and R. Sproat. An efficient compiler for weighted rewrite rules. In Meeting of the Association for Computational Linguistics, pages 231–238, 1996.
  • [23] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Twentieth IFIP International Information Security Conference (SEC’05), 2005.
  • [24] T. Pietraszek and C. V. Berghe. Defending against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2005.
  • [25] Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Proceedings of the 33rd Annual Symposium on Principles of Programming Languages, pages 372–382, Charleston, SC, Jan. 2006. ACM Press New York, NY, USA.
  • [26] M. Sutton. How prevalent are SQL injection vulnerabilities?, September 2006. http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx.
  • [27] N. Tabuchi, E. Sumii, and A. Yonezawa. Regular expression types for strings in a text processing language (extended abstract). In Proceedings of TIP’02 Workshop on Types in Programming, pages 1–18, July 2002.
  • [28] P. Thiemann. Grammar-based analysis of string expressions. In 2005 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation (TLDI), pages 59–70, 2005.
  • [29] L. Wall, T. Christiansen, and R. L. Schwartz. Programming Perl (3rd Edition). O’Reilly, 2000.
  • [30] J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In PLDI ’04: Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation, pages 131–144, New York, NY, USA, 2004. ACM Press.
  • [31] Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15th USENIX Security Symposium, pages 179–192, July 2006.
  • [32] W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In Proceedings of the 15th USENIX Security Symposium, Aug. 2006.