Abstract
Injection vulnerabilities pose a major threat to application-level security. Some of the more common types are SQL injection, cross-site scripting and shell injection vulnerabilities. Existing methods for defending against injection attacks, that is, attacks exploiting these vulnerabilities, rely heavily on the application developers and are therefore error-prone.
In this paper we introduce CSSE, a method to detect and prevent injection attacks. CSSE works by addressing the root cause why such attacks can succeed, namely the ad-hoc serialization of user-provided input. It provides a platform-enforced separation of channels, using a combination of assignment of metadata to user-provided input, metadata-preserving string operations and context-sensitive string evaluation.
CSSE requires neither application developer interaction nor application source code modifications. Since only changes to the underlying platform are needed, it effectively shifts the burden of implementing countermeasures against injection attacks from the many application developers to the small team of security-savvy platform developers. Our method is effective against most types of injection attacks, and we show that it is also less error-prone than other solutions proposed so far.
We have developed a prototype CSSE implementation for PHP, a platform that is particularly prone to these vulnerabilities. We used our prototype with phpBB, a well-known bulletin-board application, to validate our method. CSSE detected and prevented all the SQL injection attacks we could reproduce and incurred only reasonable run-time overhead.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Anley, C.: Advanced SQL Injectio. In: SQL Server Applications. Technical report, NGSSoftware Insight Security Research (2002)
Anley, C. (more) Advanced SQL Injection. Technical report, NGSSoftware Insight Security Research (2002)
Boyd, S., Keromytis, A.: SQLrand: Preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)
Descartes, A., Bunce, T.: Perl DBI. O’Reilly, Sebastopol (2000)
Kiczales, G., Lamping, J., Menhdhekar, A., Maeda, C., Lopes, C., Loingtier, J.M., Irwin, J.: Aspect-Oriented Programming. In: Aksit, M., Matsuoka, S. (eds.) ECOOP 1997. LNCS, vol. 1241, pp. 220–242. Springer, Heidelberg (1997)
Larson, E., Austin, T.: High coverage detection of input-related security faults. In: Proceedings of the 12th USENIX Security Symposium, Washington DC, USENIX, pp. 121–136 (2003)
Lim, J.: ADOdb Database Abstraction Library for PHP (and Python) (2000–2004), Web page at http://adodb.sourceforge.net
Maor, O., Shulman, A.: SQL Injection Signatures Evasion. Technical report, Imperva Application Defense Center (2004)
Meijer, E., Schulte, W., Bierman, G.: Unifying tables, objects and documents. In: Workshop on Declarative Programming in the Context of OO Languages (DP-COOL 2003), Uppsala, Sweeden, pp. 145–166 (2003)
MITRE: Common Vulnerabilites and Exposures (1999–2004), Web page at http://cve.mitre.org
NIST: ICAT Metabase (2000–2004), Web page at http://icat.nist.gov/
Ollmann, G.: HTML Code Injection and Cross-site Scripting. Technical report, Gunter Ollmann (2002)
Ollmann, G.: Second-order Code Injection Attacks. Technical report, NGSSoftware Insight Security Research (2004)
PHP Group, T.: PHP Hypertext Preprocessor (2001–2004), Web page at http://www.php.net
phpBB Group, T.: phpBB.com (2001–2004), Web page at http://www.phpbb.com
SecurityFocus: BugTraq (1998–2004), Web page at http://www.securityfocus.com/bid
Shankar, U., Talwar, K., Foster, J.S., Wagner, D.: Detecting format string vulnerabilities with type qualifiers. In: Proceedings of the 10th USENIX Security Symposium, Washington DC, USENIX, pp. 257–272 (2001)
Stamey, J.W., Saunders, B.T., Cameron, M.: Aspect Oriented PHP (AOPHP) (2004–2005), Web page at http://www.aophp.net
Valgrind Developers: Valgrind (2000–2005), Web page at http://valgrind.org
Wall, L., Christiansen, T., Orwant, J.: Programming Perl. O’Reilly, Sebastopol (2000)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pietraszek, T., Berghe, C.V. (2006). Defending Against Injection Attacks Through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_7
Download citation
DOI: https://doi.org/10.1007/11663812_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1
eBook Packages: Computer ScienceComputer Science (R0)