DOI: 10.1007/978-3-319-40667-1_3
Article

AutoRand: Automatic Keyword Randomization to Prevent Injection Attacks

Published: 07 July 2016

Abstract

AutoRand automatically transforms Java applications to use SQL keyword randomization to defend against SQL injection vulnerabilities. AutoRand is completely automatic. Unlike previous approaches, it requires no manual modifications to existing code and does not require source: it works directly on Java bytecode. It can thus easily be applied to the large number of existing, potentially insecure applications without developer assistance. Our key technical innovation is augmented strings. Augmented strings allow extra information, such as random keys, to be embedded within a string. AutoRand transforms string operations so that the extra information is transparent to the program but is always propagated with each string operation. AutoRand checks each keyword at SQL statements for the random key. Experimental results on large, production Java applications and malicious inputs provided by an independent evaluation team hired by an agency of the United States government showed that AutoRand successfully blocked all SQL injection attacks and preserved transparent execution for benign inputs, all with low overhead.
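As an added illustration (not the paper's Java implementation, which rewrites bytecode), the Python below models the three steps the abstract describes: tagging SQL keywords in the program's own string constants with a random key, letting the key ride along through ordinary string operations, and checking at the SQL sink that every keyword carries it. The keyword set, the key format and the example query are constructed for this demonstration.

```python
import re
import secrets

# Constructed model of AutoRand's keyword randomization. The random key is a plain
# suffix glued to each SQL keyword in the program's own string constants. AutoRand's
# augmented strings hide that suffix from the program; here it stays visible, which
# is enough to show propagation through string operations and the check at the sink.
SQL_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
                "INTO", "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE", "LIKE"}
KEY = f"{secrets.randbelow(10**8):08d}"  # digits only, so upper()/lower() keep it intact

_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# One SQL token: a single-quoted literal (with '' escapes), a word, or any other char.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|.", re.S)


class InjectionDetected(Exception):
    pass


def randomize(constant: str, key: str = KEY) -> str:
    """Transformation step: tag every keyword in a trusted program string constant."""
    return _WORD.sub(lambda m: m.group(0) + key if m.group(0).upper() in SQL_KEYWORDS
                     else m.group(0), constant)


def check_and_strip(query: str, key: str = KEY) -> str:
    """Sink check: a keyword without the key did not come from program text."""
    out = []
    for m in _TOKEN.finditer(query):
        tok = m.group(0)
        if tok.startswith("'"):
            # Quoted data is never a keyword; only remove keys a constant may have left here.
            tok = re.sub(rf"(?<=[A-Za-z_]){key}(?![A-Za-z0-9_])", "", tok)
        elif tok.endswith(key) and tok[:-len(key)].upper() in SQL_KEYWORDS:
            tok = tok[:-len(key)]  # keyword that originated in program text: trusted
        elif tok.upper() in SQL_KEYWORDS:
            raise InjectionDetected(f"untrusted keyword {tok!r} at offset {m.start()}")
        out.append(tok)
    return "".join(out)


def lookup_query(user_name: str, key: str = KEY) -> str:
    """A transformed (still unescaped) application query: constants randomized, input not."""
    q = (randomize("SELECT id FROM users WHERE name = '", key) + user_name
         + randomize("' AND active = 1", key))
    return check_and_strip(q, key)
```

Benign names, including the word `or` inside quotes, pass through unchanged, while a bare `OR` arriving from input has no key and is rejected before the query reaches the database.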


Cited By

  • (2021) Spinner: Automated Dynamic Command Subsystem Perturbation. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1839-1860. DOI: 10.1145/3460120.3484577. Online publication date: 12-Nov-2021
  • (2021) Active Learning for Inference and Regeneration of Applications that Access Databases. ACM Transactions on Programming Languages and Systems 42(4), pp. 1-119. DOI: 10.1145/3430952. Online publication date: 22-Jan-2021
  • (2019) Using active learning to synthesize models of applications that access databases. Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 269-285. DOI: 10.1145/3314221.3314591. Online publication date: 8-Jun-2019

Published In

DIMVA 2016: Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9721
July 2016
419 pages
ISBN:9783319406664

Publisher

Springer-Verlag

Berlin, Heidelberg

Qualifiers

  • Article
