Skip to main content
SpringerLink
Log in

Defending Against Injection Attacks Through Context-Sensitive String Evaluation

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3858))

Included in the following conference series:

Abstract

Injection vulnerabilities pose a major threat to application-level security. Some of the more common types are SQL injection, cross-site scripting and shell injection vulnerabilities. Existing methods for defending against injection attacks, that is, attacks exploiting these vulnerabilities, rely heavily on the application developers and are therefore error-prone.

In this paper we introduce CSSE, a method to detect and prevent injection attacks. CSSE works by addressing the root cause why such attacks can succeed, namely the ad-hoc serialization of user-provided input. It provides a platform-enforced separation of channels, using a combination of assignment of metadata to user-provided input, metadata-preserving string operations and context-sensitive string evaluation.

CSSE requires neither application developer interaction nor application source code modifications. Since only changes to the underlying platform are needed, it effectively shifts the burden of implementing countermeasures against injection attacks from the many application developers to the small team of security-savvy platform developers. Our method is effective against most types of injection attacks, and we show that it is also less error-prone than other solutions proposed so far.

We have developed a prototype CSSE implementation for PHP, a platform that is particularly prone to these vulnerabilities. We used our prototype with phpBB, a well-known bulletin-board application, to validate our method. CSSE detected and prevented all the SQL injection attacks we could reproduce and incurred only reasonable run-time overhead.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Anley, C.: Advanced SQL Injectio. In: SQL Server Applications. Technical report, NGSSoftware Insight Security Research (2002)

    Google Scholar 

  2. Anley, C. (more) Advanced SQL Injection. Technical report, NGSSoftware Insight Security Research (2002)

    Google Scholar 

  3. Boyd, S., Keromytis, A.: SQLrand: Preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  4. Descartes, A., Bunce, T.: Perl DBI. O’Reilly, Sebastopol (2000)

    Google Scholar 

  5. Kiczales, G., Lamping, J., Menhdhekar, A., Maeda, C., Lopes, C., Loingtier, J.M., Irwin, J.: Aspect-Oriented Programming. In: Aksit, M., Matsuoka, S. (eds.) ECOOP 1997. LNCS, vol. 1241, pp. 220–242. Springer, Heidelberg (1997)

    Chapter  Google Scholar 

  6. Larson, E., Austin, T.: High coverage detection of input-related security faults. In: Proceedings of the 12th USENIX Security Symposium, Washington DC, USENIX, pp. 121–136 (2003)

    Google Scholar 

  7. Lim, J.: ADOdb Database Abstraction Library for PHP (and Python) (2000–2004), Web page at http://adodb.sourceforge.net

  8. Maor, O., Shulman, A.: SQL Injection Signatures Evasion. Technical report, Imperva Application Defense Center (2004)

    Google Scholar 

  9. Meijer, E., Schulte, W., Bierman, G.: Unifying tables, objects and documents. In: Workshop on Declarative Programming in the Context of OO Languages (DP-COOL 2003), Uppsala, Sweeden, pp. 145–166 (2003)

    Google Scholar 

  10. MITRE: Common Vulnerabilites and Exposures (1999–2004), Web page at http://cve.mitre.org

  11. NIST: ICAT Metabase (2000–2004), Web page at http://icat.nist.gov/

  12. Ollmann, G.: HTML Code Injection and Cross-site Scripting. Technical report, Gunter Ollmann (2002)

    Google Scholar 

  13. Ollmann, G.: Second-order Code Injection Attacks. Technical report, NGSSoftware Insight Security Research (2004)

    Google Scholar 

  14. PHP Group, T.: PHP Hypertext Preprocessor (2001–2004), Web page at http://www.php.net

  15. phpBB Group, T.: phpBB.com (2001–2004), Web page at http://www.phpbb.com

  16. SecurityFocus: BugTraq (1998–2004), Web page at http://www.securityfocus.com/bid

  17. Shankar, U., Talwar, K., Foster, J.S., Wagner, D.: Detecting format string vulnerabilities with type qualifiers. In: Proceedings of the 10th USENIX Security Symposium, Washington DC, USENIX, pp. 257–272 (2001)

    Google Scholar 

  18. Stamey, J.W., Saunders, B.T., Cameron, M.: Aspect Oriented PHP (AOPHP) (2004–2005), Web page at http://www.aophp.net

  19. Valgrind Developers: Valgrind (2000–2005), Web page at http://valgrind.org

  20. Wall, L., Christiansen, T., Orwant, J.: Programming Perl. O’Reilly, Sebastopol (2000)

    MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. IBM Zurich Research Laboratory, Säumerstrasse 4, CH-8803, Rüschlikon, Switzerland

    Tadeusz Pietraszek & Chris Vanden Berghe

  2. Katholieke Universiteit Leuven, Celestijnenlaan 200A, B-3001, Leuven, Belgium

    Chris Vanden Berghe

Authors
  1. Tadeusz Pietraszek
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chris Vanden Berghe
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. SRI International, 333 Ravenswood Ave., 94025, Menlo Park, CA, USA

    Alfonso Valdes

  2. IBM Research Laboratory, Säumerstr. 4, 8803, Rüschlikon, Switzerland

    Diego Zamboni

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pietraszek, T., Berghe, C.V. (2006). Defending Against Injection Attacks Through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_7

Download citation

  • DOI: https://doi.org/10.1007/11663812_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation