A Method to Enhance the Security Capability of Python IDE

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 11814)

Abstract

Most applications running on the Internet are web applications, and these applications are vulnerable to arbitrary code execution and database manipulation through Cross-Site Scripting (XSS) and SQL injection attacks. The fundamental cause of these vulnerabilities is that web applications assemble the syntax of heterogeneous computer languages (such as SQL or HTML) from plain string values, so untrusted data can alter the structure of the generated code rather than only its content. To cope with these vulnerabilities, we propose a language-based scheme in which the programming language itself provides the security capability, through syntax for the embedded languages that is built into Python. The proposed solution preserves backward compatibility and is readily portable to languages other than Python. To mitigate the debugging difficulty introduced by a language-based scheme, we propose a trace-processor with post-mortem debugging ability. We implement the proposed solution as a development environment, named Python-S, based on CPython's source code. Python-S successfully demonstrates its protection capability against SQL injection attacks.
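As an added illustration of the root cause the abstract describes (this is example code written for this page, not code from the paper, and it does not implement Python-S): the same user lookup written three ways in standard Python with sqlite3. lookup_vulnerable splices untrusted input into the SQL text, lookup_safe uses the driver's parameter binding, and the SQL class is a small constructed approximation of a typed query fragment that refuses concatenation with an untyped str. The users table, its rows and the payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data and attacker input for the demonstration.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]
PAYLOAD = "' OR '1'='1"  # classic tautology payload


def make_db():
    """Return an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """SQL syntax assembled from a plain str: the root cause named in the
    abstract. The input becomes part of the query text, so it can change the
    query's structure rather than only the value being compared."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Syntax and data kept apart: the SQL text is fixed and the driver binds
    the value, so the payload is only ever compared as a string literal."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


class SQL:
    """Constructed approximation (not the paper's Python-S syntax) of a typed
    query fragment: SQL text travels with its bound parameters, and only SQL
    fragments can be joined, never an untyped str."""

    def __init__(self, text, params=()):
        self.text = text
        self.params = tuple(params)

    def __add__(self, other):
        if not isinstance(other, SQL):
            raise TypeError("refusing to splice an untyped str into SQL")
        return SQL(self.text + other.text, self.params + other.params)

    def run(self, conn):
        return [row[0] for row in conn.execute(self.text, self.params)]


def lookup_typed(conn, name):
    """Build the query from typed fragments; the value is always a parameter."""
    query = SQL("SELECT name FROM users WHERE name = ") + SQL("?", (name,))
    return query.run(conn)


def splice_rejected(value):
    """True if the typed fragment refuses to absorb a raw str by concatenation."""
    try:
        SQL("SELECT name FROM users WHERE name = '") + value
    except TypeError:
        return True
    return False


def demo():
    """Run the constructed payload through each lookup and collect the rows."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every user leaks
        "safe": lookup_safe(conn, PAYLOAD),              # no match
        "typed": lookup_typed(conn, PAYLOAD),            # no match
        "legit": lookup_typed(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} {rows}")
    print("splice rejected:", splice_rejected(PAYLOAD))
```

The vulnerable path returns every row because the payload rewrites the WHERE clause into a tautology; the two bound-parameter paths return nothing because the same bytes are matched as a literal name. The SQL class shows the shape of a language-level defence (the type system, not the developer, decides what may become query syntax); the paper's own embedded-syntax mechanism is not reproduced here.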

Author information

Corresponding author

Correspondence to Tai-Myoung Chung.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Pham, V., Kim, N., Seo, E., Ha, J.S., Chung, T.M. (2019). A Method to Enhance the Security Capability of Python IDE. In: Dang, T., Küng, J., Takizawa, M., Bui, S. (eds) Future Data and Security Engineering. FDSE 2019. Lecture Notes in Computer Science, vol 11814. Springer, Cham. https://doi.org/10.1007/978-3-030-35653-8_27

  • DOI: https://doi.org/10.1007/978-3-030-35653-8_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35652-1

  • Online ISBN: 978-3-030-35653-8

  • eBook Packages: Computer Science (R0)