Skip to main content
SpringerLink
Log in
Book cover

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIMVA 2016: Detection of Intrusions and Malware, and Vulnerability Assessment pp 37–57Cite as

AutoRand: Automatic Keyword Randomization to Prevent Injection Attacks

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9721))

Abstract

AutoRand automatically transforms Java applications to use SQL keyword randomization to defend against SQL injection vulnerabilities. AutoRand is completely automatic. Unlike previous approaches it requires no manual modifications to existing code and does not require source (it works directly on Java bytecode). It can thus easily be applied to the large numbers of existing potentially insecure applications without developer assistance. Our key technical innovation is augmented strings. Augmented strings allow extra information (such as random keys) to be embedded within a string. AutoRand transforms string operations so that the extra information is transparent to the program, but is always propagated with each string operation. AutoRand checks each keyword at SQL statements for the random key. Experimental results on large, production Java applications and malicious inputs provided by an independent evaluation team hired by an agency of the United States government showed that AutoRand successfully blocked all SQL injection attacks and preserved transparent execution for benign inputs, all with low overhead.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We use the term keyword to include keywords, operators and comment tokens.

  2. 2.

    For simplicity, we use the term ‘string’ to refer to objects of all three classes.

  3. 3.

    The requirement assumes that the key does not occur in S. The space of keys ensures a sufficiently small probability that the key occurs in the application code or data by happenstance.

  4. 4.

    The full test suite runs in a special environment and is difficult to instrument. The subset allowed for more manageable experiments.

References

  1. Common Weakness Enumeration (CWE) 89: Improper neutralization of special elements used in an SQL command (‘SQL injection’). http://cwe.mitre.org

  2. SANS Institute, MITRE, et al.: CWE/SANS Top 25 Most Dangerous Software Errors, September 2011. http://cwe.mitre.org/top25

  3. OWASP Foundation: OWASP Top Ten Project, June 2013. https://www.owasp.org/index.php/Top_10_2013-Top_10

  4. Clarke, J.: SQL Injection Attacks and Defenses, 2nd edn. Syngress, Massachusetts (2012)

    Google Scholar 

  5. Code Curmudgeon: SQL injection hall of shame. http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/. Accessed 24 June 2014

  6. Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering code-injection attacks with instruction-set randomization. In: CCS 2003, pp. 272–280 (2003)

    Google Scholar 

  7. Boyd, S.W., Keromytis, A.D.: SQLrand: preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  8. Halfond, W.G.J., Orso, A., Manolios, P.: Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In: SIGSOFT 2006/FSE-14 (2006)

    Google Scholar 

  9. Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: Candid: dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur. 13(2), 14:1–14:39 (2010)

    Article  Google Scholar 

  10. Chin, E., Wagner, D.: Efficient character-level taint tracking for Java. In: Proceedings of the 2009 ACM Workshop on Secure Web Services (2009)

    Google Scholar 

  11. ISO/IEC 9075:2011 - Information technology - Database languages - SQL

    Google Scholar 

  12. Alkacon Software: OpenCms, May 2012. http://www.opencms.org

  13. Apache Foundation: Apache Tomcat, January 2012. http://tomcat.apache.org/

  14. Veracode: SQL injection cheat sheet and tutorial. http://www.veracode.com/security/sql-injection. Accessed 1 August 2014

  15. OWASP: SQL injection prevention cheat sheet. https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. Accessed 1 Aug 2014

  16. Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting (2005)

    Google Scholar 

  17. Pietraszek, T., Berghe, C.V.: Defending against injection attacks through context-sensitive string evaluation (2006)

    Google Scholar 

  18. Son, S., McKinley, K.S., Shmatikov, V.: Diglossia: detecting code injection attacks with precision and efficiency. In: CCS 2013, pp. 1181–1192 (2013)

    Google Scholar 

  19. Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: SEM 2005 (2005)

    Google Scholar 

  20. Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: POPL 2006, pp. 372–382 (2006)

    Google Scholar 

  21. Bandhakavi, S., Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: Candid: preventing SQL injection attacks using dynamic candidate evaluations. In: CCS 2007 (2007)

    Google Scholar 

  22. Halfond, W.G.J., Orso, A.: Amnesia: analysis and monitoring for neutralizing SQL-injection attacks. In: ASE 2005, pp. 174–183 (2005)

    Google Scholar 

  23. Halder, R., Cortesi, A.: Obfuscation-based analysis of SQL injection attacks. In: ISCC 2010, pp. 931–938 (2010)

    Google Scholar 

  24. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: SP 2006 (2006)

    Google Scholar 

  25. Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: SSYM 2005, p. 18 (2005)

    Google Scholar 

  26. Fu, X., Lu, X., Peltsverger, B., Chen, S., Qian, K., Tao, L.: A static analysis framework for detecting SQL injection vulnerabilities. In: COMPSAC 2007 (2007)

    Google Scholar 

Download references

Acknowledgements

We thank the MITRE Corporation test and evaluation team for creating an automatic and thorough testing apparatus. We thank Stephen Fitzpatrick and Eric McCarthy of Kestrel Institute for their contributions to the project. We thank Michael Gordon of Aarno Labs for comments that greatly improved the manuscript.

Author information

Authors and Affiliations

  1. MIT/CSAIL, Cambridge, MA, USA

    Jeff Perkins, Jordan Eikenberry, Daniel Willenson, Stelios Sidiroglou-Douskos & Martin Rinard

  2. Kestrel Institute, Palo Alto, CA, USA

    Alessandro Coglio

Authors
  1. Jeff Perkins
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jordan Eikenberry
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alessandro Coglio
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Daniel Willenson
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Stelios Sidiroglou-Douskos
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Martin Rinard
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jeff Perkins .

Editor information

Editors and Affiliations

  1. IMDEA Software Institute, Pozuelo de Alarcón, Madrid, Spain

    Juan Caballero

  2. Mondragon University, Arrasate, Guipúzcoa, Spain

    Urko Zurutuza

  3. Universidad de Zaragoza, Zaragoza, Spain

    Ricardo J. Rodríguez

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Perkins, J., Eikenberry, J., Coglio, A., Willenson, D., Sidiroglou-Douskos, S., Rinard, M. (2016). AutoRand: Automatic Keyword Randomization to Prevent Injection Attacks. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science(), vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-40667-1_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40666-4

  • Online ISBN: 978-3-319-40667-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation