Abstract
Code injection attacks have been the most critical security risks for almost a decade. These attacks are due to an interference between an untrusted input (potentially controlled by an attacker) and the execution of a string-to-code statement, i.e., a statement that interprets its parameter as code. In this paper, we provide a semantic-based model for code injection, parametric on what the programmer considers safe behaviors. In particular, we provide a general (abstract) non-interference-based framework for abstract code injection policies, i.e., policies characterizing safety against code injection w.r.t. a given specification of safe behaviors. We expect this new semantic perspective on code injection to provide a deeper understanding of the nature of this security threat. Moreover, we devise a mechanism for enforcing (abstract) code injection policies that soundly detects attacks, i.e., avoids false negatives.
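The abstract describes code injection as interference between an untrusted input and a string-to-code statement, and safety as a policy parametric on the behaviors the programmer declares safe. The following Python sketch is an added illustration of that idea, not code from the paper or its authors: it fixes one concrete, assumed choice of "safe behavior" (the untrusted input may change literal values but must not change the token-kind shape of the generated code) and enforces it by comparing the shape of the code built from the real input with the shape built from a benign reference value. The tokenizer, the `shape` abstraction, the `build_query` builders, the reference value `"x"` and `is_safe`/`guarded_execute` are all constructed here for the example.

```python
import re

# Constructed, deliberately small tokenizer for an SQL-like language.  The token
# grammar is an assumption made for this illustration, not the paper's model.
TOKEN_RE = re.compile(
    r"""
      (?P<STRING>'(?:[^']|'')*')        # single-quoted literal; '' escapes a quote
    | (?P<NUMBER>\d+)
    | (?P<IDENT>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<COMMENT>--[^\n]*)
    | (?P<OP>[=<>!]+|[(),;*])
    | (?P<WS>\s+)
    | (?P<OTHER>.)                      # anything else, e.g. an unbalanced quote
    """,
    re.VERBOSE,
)


def shape(code):
    """Abstraction of a program to its token-kind sequence, ignoring whitespace and
    collapsing literal values.  Two programs with the same shape differ only in
    *which* literal values they carry, never in their structure."""
    kinds = []
    for m in TOKEN_RE.finditer(code):
        kind = m.lastgroup
        if kind == "WS":
            continue
        kinds.append("LITERAL" if kind in ("STRING", "NUMBER") else kind)
    return tuple(kinds)


def is_safe(build, untrusted, benign="x"):
    """Assumed abstract code-injection policy: the untrusted input must not
    interfere with the shape of the code that `build` produces.  The benign
    reference value stands for a behaviour the programmer declared safe; any
    input whose generated code has a different shape is rejected."""
    return shape(build(untrusted)) == shape(build(benign))


def build_query(username):
    """Vulnerable pattern (constructed): the argument of the string-to-code
    statement is assembled by concatenation, so input can reach code structure."""
    return "SELECT * FROM users WHERE name = '" + username + "'"


def build_query_escaped(username):
    """Same builder after doubling single quotes, which keeps any input inside the
    string literal under this tokenizer's quoting rule (constructed)."""
    return build_query(username.replace("'", "''"))


def guarded_execute(build, untrusted, execute):
    """Enforcement wrapper: run the string-to-code statement only when the policy
    holds; otherwise report the interference instead of executing the code."""
    if not is_safe(build, untrusted):
        raise ValueError("code injection policy violated: input changes code shape")
    return execute(build(untrusted))


if __name__ == "__main__":
    samples = ["alice", "O'Brien", "' OR '1'='1", "x'; DROP TABLE users; --"]
    for s in samples:
        print(f"{s!r:28} concat: {is_safe(build_query, s)!s:5} "
              f"escaped: {is_safe(build_query_escaped, s)}")
```

Under this abstraction the check is sound in the sense the abstract describes: every input that alters the code structure is rejected, so there are no false negatives relative to the chosen notion of safe behavior. It is not complete: `O'Brien` is rejected by the concatenating builder because the unbalanced quote changes the shape, even though no attack was intended. Escaping the input before building restores the declared safe shape, so the same name passes, while the injection samples become ordinary literal values and no longer interfere.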
© 2018 Springer International Publishing AG
Cite this paper
Buro, S., Mastroeni, I. (2018). Abstract Code Injection. In: Dillig, I., Palsberg, J. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2018. Lecture Notes in Computer Science(), vol 10747. Springer, Cham. https://doi.org/10.1007/978-3-319-73721-8_6
DOI: https://doi.org/10.1007/978-3-319-73721-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-73720-1
Online ISBN: 978-3-319-73721-8
eBook Packages: Computer Science, Computer Science (R0)