DOI: 10.1145/2103656.2103678 (research article, POPL conference proceedings)

Defining code-injection attacks

Published: 25 January 2012

Abstract

This paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as such. The flaws also make it possible for benign inputs to be treated as attacks. After describing these flaws in conventional definitions of code-injection attacks, this paper proposes a new definition, which is based on whether the symbols input to an application get used as (normal-form) values in the application's output. Because values are already fully evaluated, they cannot be considered "code" when injected. This simple new definition of code-injection attacks avoids the problems of existing definitions, improves our understanding of how and when such attacks occur, and enables us to evaluate the effectiveness of mechanisms for mitigating such attacks.
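As an added illustration of the value-based definition in the abstract (this is example code written for this page, not code from the paper or its authors), the following Python script tracks which characters of a generated SQL query were copied from untrusted input, tokenizes the query, and reports any input-derived token that is not a value (a string or numeric literal). The SQL subset, the token classes, the sample queries and inputs, and the helper names (build_query, injected_tokens, is_code_injection, escape_for_literal) are this example's own constructions: the paper states its definition over normal-form values of the output language, which the example approximates at the lexical level, and the quote-doubling escape is shown only as one mitigation that keeps input inside a single literal.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Lexer for a small SQL subset (an assumption of this example, not the paper's
# grammar). Order matters: COMMENT must precede OP so "--" is not two minuses.
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')          # quoted string literal; '' escapes a quote
  | (?P<NUMBER>\d+(?:\.\d+)?)           # numeric literal
  | (?P<COMMENT>--[^\n]*)               # line comment
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<OP><>|<=|>=|[=<>*,;()+\-/])     # operators and punctuation
  | (?P<SPACE>\s+)
  | (?P<OTHER>.)                        # anything else, e.g. an unterminated quote
""", re.VERBOSE | re.DOTALL)

# Only fully evaluated literals count as values; every other token is code.
VALUE_KINDS = {"STRING", "NUMBER"}


@dataclass
class Token:
    kind: str
    text: str
    start: int   # offset of the first character in the query
    end: int     # offset one past the last character


def tokenize(query: str) -> list[Token]:
    """Split the query into tokens, remembering where each one sits."""
    return [Token(m.lastgroup, m.group(), m.start(), m.end())
            for m in TOKEN_RE.finditer(query) if m.lastgroup != "SPACE"]


def build_query(prefix: str, user_input: str, suffix: str):
    """Concatenate the way a naive application does, and record for every
    output character whether it was copied from the untrusted input."""
    query = prefix + user_input + suffix
    tainted = [False] * len(prefix) + [True] * len(user_input) + [False] * len(suffix)
    return query, tainted


def injected_tokens(query: str, tainted: list[bool]) -> list[Token]:
    """Tokens that contain at least one input symbol but are not values.
    Under the abstract's definition these are the injected code."""
    return [tok for tok in tokenize(query)
            if any(tainted[tok.start:tok.end]) and tok.kind not in VALUE_KINDS]


def is_code_injection(prefix: str, user_input: str, suffix: str) -> bool:
    query, tainted = build_query(prefix, user_input, suffix)
    return bool(injected_tokens(query, tainted))


def escape_for_literal(user_input: str) -> str:
    """Doubling quotes keeps the whole input inside one string literal, so it
    can only reach the query as a value (example mitigation, not the paper's)."""
    return user_input.replace("'", "''")


# Constructed query templates: the application's code with a hole for input.
NAME_QUERY = ("SELECT * FROM users WHERE name='", "'")
ID_QUERY = ("SELECT * FROM users WHERE id=", "")


def classify_samples() -> dict[str, bool]:
    """Constructed inputs, classified as injection (True) or benign (False)."""
    p, s = NAME_QUERY
    ip, isfx = ID_QUERY
    return {
        "plain name":           is_code_injection(p, "alice", s),
        "keyword inside name":  is_code_injection(p, "SELECT", s),
        "quote breakout":       is_code_injection(p, "alice' OR '1'='1", s),
        "comment truncation":   is_code_injection(p, "alice'--", s + " AND active=1"),
        "apostrophe unescaped": is_code_injection(p, "O'Brien", s),
        "apostrophe escaped":   is_code_injection(p, escape_for_literal("O'Brien"), s),
        "breakout escaped":     is_code_injection(p, escape_for_literal("alice' OR '1'='1"), s),
        "numeric id":           is_code_injection(ip, "42", isfx),
        "tautology in id":      is_code_injection(ip, "42 OR 1=1", isfx),
    }


if __name__ == "__main__":
    for label, attack in classify_samples().items():
        print(f"{label:22s} -> {'injection' if attack else 'benign'}")
```

Two of the cases show why the abstract's definition is attractive: a name that happens to be the keyword SELECT is benign because it lands entirely inside a string literal, while an unescaped apostrophe in O'Brien is flagged because the characters after it become an identifier, that is, code, in the output program. The check is about the role the input symbols play in the output, not about what the input looks like.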

Supplementary Material

JPG File (popl_3a_2.jpg)
MP4 File (popl_3a_2.mp4)



Published In

POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2012
602 pages
ISBN: 9781450310833
DOI: 10.1145/2103656

ACM SIGPLAN Notices, Volume 47, Issue 1 (POPL '12)
January 2012
569 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2103621

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. language-based security
  2. web-application security

Qualifiers

  • Research-article

Conference

POPL '12

Acceptance Rates

Overall Acceptance Rate 824 of 4,130 submissions, 20%

Article Metrics

  • Downloads (Last 12 months): 110
  • Downloads (Last 6 weeks): 6

Reflects downloads up to 24 Sep 2024

Cited By

  • (2023) AI-Based Security Protocols for IoT Applications: A Critical Review. Recent Advances in Computer Science and Communications 16(5). DOI: 10.2174/2666255815666220512222019. Online publication date: Jul-2023
  • (2022) A Tutorial on Moving Target Defense Approaches Within Automotive Cyber-Physical Systems. Frontiers in Future Transportation 2. DOI: 10.3389/ffutr.2021.792573. Online publication date: 7-Feb-2022
  • (2022) Protection & Privacy Embedding Blockchain Established Fraud Detection. 2022 International Conference on Applied Artificial Intelligence and Computing (ICAAIC), pages 1437-1444. DOI: 10.1109/ICAAIC53929.2022.9792962. Online publication date: 9-May-2022
  • (2021) Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight. 2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pages 111-120. DOI: 10.1109/ISSREW53611.2021.00052. Online publication date: Oct-2021
  • (2020) Input-based Analysis Approach to Prevent SQL Injection Attacks. 2020 IEEE Region 10 Symposium (TENSYMP), pages 1290-1293. DOI: 10.1109/TENSYMP50017.2020.9230758. Online publication date: 2020
  • (2020) Code-based Analysis Approach to Detect and Prevent SQL Injection Attacks. 2020 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT), pages 1-6. DOI: 10.1109/ICCCNT49239.2020.9225575. Online publication date: Jul-2020
  • (2020) Comprehensive Java Metadata Tracking for Attack Detection and Repair. 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 39-51. DOI: 10.1109/DSN48063.2020.00024. Online publication date: Jun-2020
  • (2020) SofTEE: Software-Based Trusted Execution Environment for User Applications. IEEE Access 8, pages 121874-121888. DOI: 10.1109/ACCESS.2020.3006703. Online publication date: 2020
  • (2019) SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS. IEEE Transactions on Reliability 68(3), pages 1168-1188. DOI: 10.1109/TR.2019.2900007. Online publication date: Sep-2019
  • (2019) Defending Against Web Application Attacks. IEEE Transactions on Dependable and Secure Computing 16(2), pages 188-203. DOI: 10.1109/TDSC.2017.2665620. Online publication date: 1-Mar-2019
