DOI: 10.1145/1244002.1244071
Article

SMask: preventing injection attacks in web applications by approximating automatic data/code separation

Published: 11 March 2007

Abstract

Web applications employ a heterogeneous set of programming languages: the language used to write the application's logic and several supporting languages. Supporting languages include server-side languages for data management, such as SQL, and client-side interface languages, such as HTML and JavaScript. The application's logic handles these languages as string values, so no syntactic means exists to differentiate between executable code and generic data. This circumstance is the root of most code injection vulnerabilities: attackers succeed in providing malicious data that the application executes as code. In this paper we introduce SMask, a novel approach towards approximating data/code separation. By using string masking to persistently mark legitimate code in string values, SMask is able to identify code that was injected during the processing of an HTTP request. SMask works transparently to the application and can be implemented either by integration into the application server or by source-to-source translation using code instrumentation.
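
A minimal sketch of the string-masking idea the abstract describes, as an added example that is not code from the paper: keywords in developer-written string constants get a secret token appended, and any keyword that reaches the interpreter without it is treated as injected. The SQL keyword list, the token format and all function names are assumptions made for illustration.

```python
import re
import secrets

# Assumption: a short SQL keyword list stands in for the supporting language's code tokens.
KEYWORDS = ("select", "from", "where", "union", "or", "and", "insert", "update", "delete", "drop")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)


class InjectionDetected(Exception):
    """Raised when a keyword without the mask reaches the interpreter boundary."""


def new_mask() -> str:
    # Secret per-deployment token; hex digits are word characters, so a masked
    # keyword such as "SELECT<mask>" no longer matches KEYWORD_RE.
    return secrets.token_hex(8)


def mask_constant(literal: str, mask: str) -> str:
    # Applied to string constants in the application's own source (legitimate code).
    return KEYWORD_RE.sub(lambda m: m.group(1) + mask, literal)


def check_and_unmask(value: str, mask: str) -> str:
    # Applied just before the string is handed to the SQL interpreter.
    unmasked = KEYWORD_RE.findall(value)
    if unmasked:
        raise InjectionDetected(f"unmasked keywords: {unmasked}")
    return value.replace(mask, "")


def build_query(user_input: str, mask: str) -> str:
    # Constructed vulnerable pattern: request data concatenated into a query string.
    masked = mask_constant("SELECT * FROM users WHERE name = '", mask) + user_input + "'"
    return check_and_unmask(masked, mask)


def is_injected(user_input: str, mask: str) -> bool:
    try:
        build_query(user_input, mask)
        return False
    except InjectionDetected:
        return True


if __name__ == "__main__":
    mask = new_mask()
    for sample in ("alice", "x' OR '1'='1"):  # constructed inputs
        print(repr(sample), "-> injected" if is_injected(sample, mask) else "-> clean")
```

In this sketch, benign data that happens to contain a listed keyword as a whole word (a name field holding "Alice or Bob") is also rejected, which is the cost of approximating the separation with keyword matching.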


      Published In

      SAC '07: Proceedings of the 2007 ACM symposium on Applied computing
      March 2007
      1688 pages
      ISBN:1595934804
      DOI:10.1145/1244002

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. code injection
      2. web application

      Qualifiers

      • Article

      Conference

      SAC07

      Acceptance Rates

      Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

      Article Metrics

      • Downloads (Last 12 months): 5
      • Downloads (Last 6 weeks): 0
      Reflects downloads up to 30 Nov 2024

      Cited By

      • (2022) Context-Auditor: Context-sensitive Content Injection Mitigation. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 431-445. DOI: 10.1145/3545948.3545992. Online publication date: 26-Oct-2022
      • (2019) Defending Against Web Application Attacks. IEEE Transactions on Dependable and Secure Computing 16:2, pp. 188-203. DOI: 10.1109/TDSC.2017.2665620. Online publication date: 1-Mar-2019
      • (2019) Security Countermeasures in Web Based Application. 2019 2nd International Conference on Intelligent Computing, Instrumentation and Control Technologies (ICICICT), pp. 1236-1241. DOI: 10.1109/ICICICT46008.2019.8993141. Online publication date: Jul-2019
      • (2017) Fatal injection: a survey of modern code injection attack countermeasures. PeerJ Computer Science 3, e136. DOI: 10.7717/peerj-cs.136. Online publication date: 27-Nov-2017
      • (2016) How to Train Your Browser. ACM Transactions on Privacy and Security 19:1, pp. 1-31. DOI: 10.1145/2939374. Online publication date: 19-Jul-2016
      • (2013) deDacota. Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 1205-1216. DOI: 10.1145/2508859.2516708. Online publication date: 4-Nov-2013
      • (2013) Enforcing Input Validation through Aspect Oriented Programming. Revised Selected Papers of the 8th International Workshop on Data Privacy Management and Autonomous Spontaneous Security - Volume 8247, pp. 316-332. DOI: 10.1007/978-3-642-54568-9_20. Online publication date: 12-Sep-2013
      • (2012) Mitigating program security vulnerabilities. ACM Computing Surveys 44:3, pp. 1-46. DOI: 10.1145/2187671.2187673. Online publication date: 14-Jun-2012
      • (2011) Countering code injection attacks: a unified approach. Information Management & Computer Security 19:3, pp. 177-194. DOI: 10.1108/09685221111153555. Online publication date: 19-Jul-2011
      • (2010) Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking. IEEE Transactions on Software Engineering 36:4, pp. 474-494. DOI: 10.1109/TSE.2010.31. Online publication date: 1-Jul-2010
