Abstract Code Injection

A Semantic Approach Based on Abstract Non-Interference

  • Conference paper
  • First Online:
Verification, Model Checking, and Abstract Interpretation (VMCAI 2018)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10747)

Abstract

Code injection attacks have been among the most critical security risks for almost a decade. These attacks are due to an interference between an untrusted input (potentially controlled by an attacker) and the execution of a string-to-code statement, which interprets its parameter as code. In this paper, we provide a semantic-based model for code injection that is parametric on what the programmer considers safe behaviors. In particular, we provide a general (abstract) non-interference-based framework for abstract code injection policies, i.e., policies characterizing safety against code injection w.r.t. a given specification of safe behaviors. We expect the new semantic perspective on code injection to provide a deeper understanding of the nature of this security threat. Moreover, we devise a mechanism for enforcing (abstract) code injection policies that soundly detects attacks, i.e., avoids false negatives.
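The following Python is an added illustration of the non-interference view of injection sketched in the abstract; it is not code from the paper, and the abstractions the authors actually use are not given on this page. It treats the untrusted input as the attacker-controlled secret, the generated query as the observable output, and a constructed token skeleton of the query as the abstraction rho standing in for "what the programmer considers safe behaviors"; a string-to-code site satisfies the induced policy when no input can change the skeleton.

```python
import re

# Toy SQL lexer (constructed for this example).  Each alternative is one
# token class; the order matters, e.g. comments before operators.
TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')        # quoted literal, '' escapes a quote
  | (?P<COMMENT>--[^\n]*)          # line comment
  | (?P<NUM>\d+)
  | (?P<ID>[A-Za-z_]\w*)           # keywords and identifiers
  | (?P<OP><>|<=|>=|!=|[=<>(),;*])
  | (?P<WS>\s+)
  | (?P<BAD>.)                     # anything else, e.g. a dangling quote
""", re.VERBOSE | re.DOTALL)

def skeleton(code):
    """Abstraction rho: keep the syntactic shape of the generated code,
    forget the contents of data (literals, numbers, comment text)."""
    shape = []
    for m in TOKEN_RE.finditer(code):
        kind = m.lastgroup
        if kind == "WS":
            continue
        shape.append(kind if kind in ("STR", "NUM", "COMMENT") else m.group().upper())
    return tuple(shape)

def violations(build, inputs, reference="alice"):
    """Abstract non-interference check for one string-to-code site: every
    untrusted input must produce code with the same skeleton as a benign
    reference input.  The returned inputs interfere with the code's shape,
    i.e. they violate the injection policy induced by rho."""
    expected = skeleton(build(reference))
    return [x for x in inputs if skeleton(build(x)) != expected]

def build_concat(name):
    # Vulnerable site: the untrusted input is spliced into the code string.
    return "SELECT * FROM users WHERE name = '" + name + "'"

def build_escaped(name):
    # Hardened site: doubling quotes confines the input to the literal.
    return "SELECT * FROM users WHERE name = '" + name.replace("'", "''") + "'"

# Constructed sample inputs: two benign names and two textbook payload shapes.
UNTRUSTED = ["bob", "O'Brien", "' OR '1'='1", "admin'--"]

if __name__ == "__main__":
    # The concatenating site lets three inputs change the query's shape
    # (O'Brien only breaks the query, but the policy still reports it);
    # the escaping site lets none, so rho cannot observe the input at all.
    print(violations(build_concat, UNTRUSTED))
    print(violations(build_escaped, UNTRUSTED))
```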



Author information

Corresponding author: Isabella Mastroeni.

Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Buro, S., Mastroeni, I. (2018). Abstract Code Injection. In: Dillig, I., Palsberg, J. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2018. Lecture Notes in Computer Science, vol. 10747. Springer, Cham. https://doi.org/10.1007/978-3-319-73721-8_6

  • DOI: https://doi.org/10.1007/978-3-319-73721-8_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-73720-1

  • Online ISBN: 978-3-319-73721-8

  • eBook Packages: Computer Science (R0)
