DOI: 10.1145/2508859.2516696
Research article

Diglossia: detecting code injection attacks with precision and efficiency

Published: 04 November 2013

Abstract

Code injection attacks continue to plague applications that incorporate user input into executable programs. For example, SQL injection vulnerabilities rank fourth among all bugs reported in CVE, yet all previously proposed methods for detecting SQL injection attacks suffer from false positives and false negatives.
This paper describes the design and implementation of DIGLOSSIA, a new tool that precisely and efficiently detects code injection attacks on server-side Web applications generating SQL and NoSQL queries. The main problems in detecting injected code are (1) recognizing code in the generated query, and (2) determining which parts of the query are tainted by user input. To recognize code, DIGLOSSIA relies on the precise definition due to Ray and Ligatti. To identify tainted characters, DIGLOSSIA dynamically maps all application-generated characters to shadow characters that do not occur in user input and computes shadow values for all input-dependent strings. Any original characters in a shadow value are thus exactly the taint from user input.
Our key technical innovation is dual parsing. To detect injected code in a generated query, DIGLOSSIA parses the query in tandem with its shadow and checks that (1) the two parse trees are syntactically isomorphic, and (2) all code in the shadow query is in shadow characters and, therefore, originated from the application itself, as opposed to user input.
We demonstrate that DIGLOSSIA accurately detects both SQL and NoSQL code injection attacks while avoiding the false positives and false negatives of prior methods. By recasting the problem of detecting injected code as a string propagation and parsing problem, we gain substantial improvements in efficiency and precision over prior work. Our approach does not require any changes to the databases, Web servers, or Web browsers, adds virtually unnoticeable performance overhead, and is deployable today.

References

[1] S. Bandhakavi, P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan. CANDID: Preventing SQL injection attacks using dynamic candidate evaluations. In CCS, 2007.
[2] S. Boyd and A. Keromytis. SQLrand: Preventing SQL injection attacks. In ACNS, 2004.
[3] E. Chin and D. Wagner. Efficient character-level taint tracking for Java. In SWS, 2009.
[4] CVE Details. http://www.cvedetails.com/vulnerabilities-by-types.php.
[5] W. Halfond, A. Orso, and P. Manolios. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In FSE, 2006.
[6] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting Web application vulnerabilities. In S&P, 2006.
[7] A. Kiezun, P. Guo, K. Jayaraman, and M. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In ICSE, 2009.
[8] A. Liu, Y. Yuan, D. Wijesekera, and A. Stavrou. SQLProb: A proxy-based architecture towards preventing SQL injection attacks. In SAC, 2009.
[9] V. Livshits and M. Lam. Finding security vulnerabilities in Java applications with static analysis. In USENIX Security, 2005.
[10] mongoDB production deployments. http://www.mongodb.org/about/production-deployments/.
[11] R. Mui and P. Frankl. Preventing web application injections with complementary character coding. In ESORICS, 2011.
[12] MyYoutube MyBB Plugin 1.0 SQL Injection. http://www.exploit-db.com/exploits/23353.
[13] A. Nguyen-Tuong, S. Guarnieri, D. Greene, and D. Evans. Automatically hardening Web applications using precise tainting. In SEC, 2005.
[14] NoSQL. http://nosql-database.org/.
[15] NoSQL injection attack on Diaspora. http://www.kalzumeus.com/2010/09/22/security-lessonslearned-from-the-diaspora-launch/.
[16] T. Pietraszek and C. Berghe. Defending against injection attacks through context-sensitive string evaluation. In RAID, 2006.
[17] D. Ray and J. Ligatti. Defining code-injection attacks. In POPL, 2012.
[18] R. Sekar. An efficient black-box technique for defeating Web application attacks. In NDSS, 2009.
[19] S. Son and V. Shmatikov. SAFERPHP: Finding semantic vulnerabilities in PHP applications. In PLAS, 2011.
[20] Z. Su and G. Wassermann. The essence of command injection attacks in Web applications. In POPL, 2006.
[21] B. Sullivan. Server-side JavaScript injection. http://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf, 2011.
[22] The BNF grammar for SQL-99. http://savage.net.au/SQL/.
[23] J. Vijayan. TJX data breach: At 45.6M card numbers, it's the biggest ever. http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever, 2007.
[24] G. Wassermann and Z. Su. Sound and precise analysis of Web applications for injection vulnerabilities. In PLDI, 2007.
[25] WhiteHat website security statistics report. https://www.whitehatsec.com/resource/stats.html, 2012.
[26] W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In USENIX Security, 2006.

Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, 1530 pages. ISBN: 9781450324779. DOI: 10.1145/2508859.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. code injection
  2. dynamic analysis
  3. nosql injection
  4. sql injection
  5. taint tracking
  6. web application security
