Abstract
This paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as such. The flaws also make it possible for benign inputs to be treated as attacks. After describing these flaws in conventional definitions of code-injection attacks, this paper proposes a new definition, which is based on whether the symbols input to an application get used as (normal-form) values in the application's output. Because values are already fully evaluated, they cannot be considered "code" when injected. This simple new definition of code-injection attacks avoids the problems of existing definitions, improves our understanding of how and when such attacks occur, and enables us to evaluate the effectiveness of mechanisms for mitigating such attacks.
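As an added illustration of the definition the abstract describes (example code written for this page, not code from the paper or its authors), the function below tags every symbol of an application's output with whether it came from untrusted input, tokenizes the output, and reports an injection exactly when some input-derived symbol lands in a token that is not a normal-form value. The tokenizer is an assumed simplification of SQL in which string and numeric literals are the values and keywords, identifiers, operators and comment markers are code; the query templates and inputs are constructed for the example. It shows both flaws the abstract mentions: a correctly escaped name containing a quote is classified as benign even though a quote-blacklisting rule would flag it, and a keyword injected into an unquoted numeric position is classified as an attack even though it contains no quote character at all.

```python
import re
from typing import Callable, List, Optional, Tuple

# Assumed simplified tokenizer for a SQL-like output language. Real dialects
# need a full lexer, but the shape of the check is the same: each token is
# either a (normal-form) value or code.
_TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')          # string literal; '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)           # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<ws>\s+)                         # whitespace carries no meaning
  | (?P<other>.)                        # operators, punctuation, stray quotes
""", re.VERBOSE | re.DOTALL)

# Token kinds that are fully evaluated values and therefore cannot be "code".
_VALUE_KINDS = {"string", "number"}

Symbol = Tuple[str, bool]  # (character, came_from_input)


def build_output(template_parts: List[str], inputs: List[str],
                 escape: Optional[Callable[[str], str]] = None) -> List[Symbol]:
    """Interleave trusted template text with untrusted inputs, tagging each
    output symbol with its provenance. template_parts has one more element
    than inputs, like a format string split at its placeholders. Symbols
    produced by escaping an input are still input-derived."""
    symbols: List[Symbol] = []
    for i, part in enumerate(template_parts):
        symbols.extend((ch, False) for ch in part)
        if i < len(inputs):
            text = escape(inputs[i]) if escape else inputs[i]
            symbols.extend((ch, True) for ch in text)
    return symbols


def is_code_injection(symbols: List[Symbol]) -> Tuple[bool, List[str]]:
    """Value-based definition: the output is a code-injection attack iff some
    input-derived symbol is part of a token that is not a value. Returns the
    verdict and the offending (non-value, input-tainted) tokens."""
    text = "".join(ch for ch, _ in symbols)
    offending: List[str] = []
    for m in _TOKEN_RE.finditer(text):
        kind = m.lastgroup
        if kind == "ws":
            continue
        tainted = any(symbols[k][1] for k in range(m.start(), m.end()))
        if tainted and kind not in _VALUE_KINDS:
            offending.append(m.group())
    return (len(offending) > 0), offending


def sql_escape(s: str) -> str:
    """Standard SQL string-literal escaping: double every single quote."""
    return s.replace("'", "''")


def check_query(template_parts: List[str], inputs: List[str],
                escape: Optional[Callable[[str], str]] = None) -> Tuple[bool, List[str]]:
    """Build the query and classify it under the value-based definition."""
    return is_code_injection(build_output(template_parts, inputs, escape))


if __name__ == "__main__":
    # Constructed cases: a quoted string position and an unquoted numeric position.
    by_name = ["SELECT * FROM users WHERE name = '", "'"]
    by_id = ["SELECT * FROM items WHERE id = ", ""]
    cases = [
        ("escaped name with a quote (benign)", by_name, ["O'Brien"], sql_escape),
        ("unescaped name with a quote", by_name, ["O'Brien"], None),
        ("escaped tautology input (benign: it is just a value)", by_name, ["' OR '1'='1"], sql_escape),
        ("unescaped tautology input", by_name, ["' OR '1'='1"], None),
        ("keyword injected into numeric position, no quotes", by_id, ["7 OR 1=1"], None),
        ("plain number", by_id, ["7"], None),
    ]
    for label, parts, inputs, esc in cases:
        attack, toks = check_query(parts, inputs, esc)
        print(f"{label}: {'ATTACK' if attack else 'ok'} {toks}")
```

Note that escaping is judged by its effect on the output, not by inspecting the input: the escaped tautology string is harmless because every one of its symbols ends up inside a single string literal, while the same symbols unescaped, or a bare keyword in a numeric slot, become operators and keywords and are flagged.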