Article DOI: 10.1145/1181775.1181797

Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

Published: 05 November 2006

Abstract

SQL injection attacks pose a serious threat to the security of Web applications because they can give attackers unrestricted access to databases that contain sensitive information. In this paper, we propose a new, highly automated approach for protecting existing Web applications against SQL injection. Our approach has both conceptual and practical advantages over most existing techniques. From the conceptual standpoint, the approach is based on the novel idea of positive tainting and the concept of syntax-aware evaluation. From the practical standpoint, our technique is at the same time precise and efficient and has minimal deployment requirements. The paper also describes wasp, a tool that implements our technique, and a set of studies performed to evaluate our approach. In the studies, we used our tool to protect several Web applications and then subjected them to a large and varied set of attacks and legitimate accesses. The evaluation was a complete success: wasp successfully and efficiently stopped all of the attacks without generating any false positives.
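The abstract names the two ideas but does not show them working together. The following is an added illustration, not code from the paper or from the wasp tool: it models positive tainting as a per-character trust mark that only the application's own string literals carry, propagates the marks through concatenation, and performs a syntax-aware check at query time, tokenizing the finished SQL and requiring every token that forms syntax (keywords, identifiers, operators, comments) to be made entirely of trusted characters, while the contents of string and numeric literals may come from untrusted input. The `TaintedString` type, the regex tokenizer and the two query builders are my own simplifications and assumptions; the tool described in the paper works on real Java strings and a real SQL parser.

```python
"""Toy model of positive tainting plus syntax-aware evaluation (constructed
illustration; the data type, tokenizer and sample queries are assumptions,
not the wasp tool's code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TaintedString:
    """A string plus one trust flag per character (True = trusted)."""
    text: str
    trust: tuple


def trusted(s):
    """Positive tainting: only data the application itself wrote is marked."""
    return TaintedString(s, (True,) * len(s))


def untrusted(s):
    """Anything from outside (form fields, headers, cookies) carries no mark."""
    return TaintedString(s, (False,) * len(s))


def concat(*parts):
    """String building propagates the per-character marks unchanged."""
    return TaintedString("".join(p.text for p in parts),
                         sum((p.trust for p in parts), ()))


# Minimal SQL lexer. Alternation order matters: comments before '-' and '/'.
TOKEN_RE = re.compile(r"""
      (?P<string>'(?:[^']|'')*')                          # quoted literal, '' escapes a quote
    | (?P<number>\d+(?:\.\d+)?)                            # numeric literal
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)                     # keyword or identifier
    | (?P<op>--[^\n]*|/\*.*?\*/|<>|<=|>=|!=|[=<>(),;*+\-/]) # operators and comments
    | (?P<ws>\s+)
    | (?P<other>.)                                         # anything else, e.g. a stray quote
""", re.VERBOSE | re.DOTALL)

# Token kinds that shape the query's syntax and therefore must be fully trusted.
SYNTAX_KINDS = {"word", "op", "other"}


def check_query(query):
    """Syntax-aware evaluation at the database call.

    Tokenize the finished query; accept it only if every syntax-forming token
    consists solely of trusted characters. Literal contents may be untrusted.
    Returns (accepted, reason).
    """
    pos = 0
    while pos < len(query.text):
        m = TOKEN_RE.match(query.text, pos)
        marks = query.trust[pos:m.end()]
        if m.lastgroup in SYNTAX_KINDS and not all(marks):
            return False, f"untrusted {m.lastgroup} token {m.group()!r} at offset {pos}"
        pos = m.end()
    return True, "all syntax tokens are trusted"


# Two hypothetical query builders standing in for application code: the SQL
# text is hard-coded (trusted), the parameters come from the request (untrusted).
def build_login_query(user, password):
    return concat(trusted("SELECT id FROM users WHERE login='"), untrusted(user),
                  trusted("' AND pw='"), untrusted(password), trusted("'"))


def build_item_query(item_id):
    return concat(trusted("SELECT * FROM items WHERE id="), untrusted(item_id))


if __name__ == "__main__":
    samples = [
        build_login_query("alice", "s3cret"),      # legitimate login
        build_login_query("O''Brien", "pw"),       # escaped quote inside a literal: allowed
        build_login_query("admin'--", "x"),        # comment token would come from input
        build_item_query("7"),                     # untrusted number literal: allowed
        build_item_query("7 OR 1=1"),              # keyword would come from input
    ]
    for q in samples:
        accepted, reason = check_query(q)
        print("ACCEPT" if accepted else "REJECT", reason, "|", q.text)
```

The point the example makes is the one the abstract calls "syntax-aware": an untrusted quote or keyword is not rejected merely for being untrusted, but because of where it lands in the parsed query. The same untrusted characters inside a literal pass, which is what keeps the check free of false positives on ordinary input.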



Published In
SIGSOFT '06/FSE-14: Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
November 2006
298 pages
ISBN:1595934685
DOI:10.1145/1181775

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. SQL injection
  2. dynamic tainting
  3. runtime monitoring

Qualifiers

  • Article

Conference

SIGSOFT06/FSE-14

Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%

Article Metrics
  • Downloads (last 12 months): 30
  • Downloads (last 6 weeks): 4
Reflects downloads up to 12 Feb 2025

Cited By
  • (2024) Automated End-to-End Dynamic Taint Analysis for WhatsApp. Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering, pages 21-26. DOI: 10.1145/3663529.3663824. Online publication date: 10-Jul-2024.
  • (2024) SQLPsdem: A Proxy-Based Mechanism Towards Detecting, Locating and Preventing Second-Order SQL Injections. IEEE Transactions on Software Engineering 50(7), pages 1807-1826. DOI: 10.1109/TSE.2024.3400404. Online publication date: 1-Jul-2024.
  • (2024) SQL Injection Attack Detection and Prevention Based on Manipulating the SQL Query Input Attributes. Computational Sciences and Sustainable Technologies, pages 213-221. DOI: 10.1007/978-3-031-50993-3_17. Online publication date: 3-Feb-2024.
  • (2023) ViaLin: Path-Aware Dynamic Taint Analysis for Android. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 1598-1610. DOI: 10.1145/3611643.3616330. Online publication date: 30-Nov-2023.
  • (2023) Raft: Hardware-assisted Dynamic Information Flow Tracking for Runtime Protection on RISC-V. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pages 595-608. DOI: 10.1145/3607199.3607246. Online publication date: 16-Oct-2023.
  • (2023) General Data Protection Runtime: Enforcing Transparent GDPR Compliance for Existing Applications. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 3343-3357. DOI: 10.1145/3576915.3616604. Online publication date: 15-Nov-2023.
  • (2023) Pervasive Micro Information Flow Tracking. IEEE Transactions on Dependable and Secure Computing 20(6), pages 4957-4975. DOI: 10.1109/TDSC.2023.3238547. Online publication date: Nov-2023.
  • (2023) Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models. 2023 IEEE Security and Privacy Workshops (SPW), pages 384-393. DOI: 10.1109/SPW59333.2023.00039. Online publication date: May-2023.
  • (2023) μVerum: Intrusion Recovery for Microservice Applications. IEEE Access 11, pages 78457-78470. DOI: 10.1109/ACCESS.2023.3298113. Online publication date: 2023.
  • (2023) Design and implementation of an efficient container tag dynamic taint analysis. Computers & Security 135, article 103528. DOI: 10.1016/j.cose.2023.103528. Online publication date: Dec-2023.
