The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.01 - January (2008 vol.34)
pp: 65-81
ABSTRACT
Many software systems have evolved to include a web-based component that makes them available to the public via the Internet and can expose them to a variety of web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases underlying web applications and has become increasingly frequent and serious. This paper presents a new, highly automated approach for protecting web applications against SQL injection that has both conceptual and practical advantages over most existing techniques. From a conceptual standpoint, the approach is based on the novel idea of positive tainting and on the concept of syntax-aware evaluation. From a practical standpoint, our technique is precise and efficient and has minimal deployment requirements. We also present an extensive empirical evaluation of our approach performed using WASP, a tool that implements our technique. In the evaluation, we used WASP to protect a wide range of web applications while subjecting them to a large and varied set of attacks and legitimate accesses. WASP was able to stop all attacks and did not generate any false positives. Our studies also show that the overhead imposed by WASP was negligible in most cases.
INDEX TERMS
Protection mechanisms, Security and Protection
CITATION
William Halfond, Alex Orso, Pete Manolios, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation", IEEE Transactions on Software Engineering, vol.34, no. 1, pp. 65-81, January 2008, doi:10.1109/TSE.2007.70748
REFERENCES
[1] C. Anley, “Advanced SQL Injection In SQL Server Applications,” white paper, Next Generation Security Software, 2002.
[2] S.W. Boyd and A.D. Keromytis, “SQLrand: Preventing SQL Injection Attacks,” Proc. Second Int'l Conf. Applied Cryptography and Network Security, pp. 292-302, June 2004.
[3] G.T. Buehrer, B.W. Weide, and P.A.G. Sivilotti, “Using Parse Tree Validation to Prevent SQL Injection Attacks,” Proc. Fifth Int'l Workshop Software Eng. and Middleware, pp. 106-113, Sept. 2005.
[4] J. Clause, W. Li, and A. Orso, “Dytan: A Generic Dynamic Taint Analysis Framework,” Proc. Int'l Symp. Software Testing and Analysis, pp. 196-206, July 2007.
[5] W.R. Cook and S. Rai, “Safe Query Objects: Statically Typed Objects as Remotely Executable Queries,” Proc. 27th Int'l Conf. Software Eng., pp. 97-106, May 2005.
[6] “Top Ten Most Critical Web Application Vulnerabilities,” OWASP Foundation, http://www.owasp.org/documentation topten.html , 2005.
[7] C. Gould, Z. Su, and P. Devanbu, “JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications,” Proc. 26th Int'l Conf. Software Eng., formal demos, pp. 697-698, May 2004.
[8] C. Gould, Z. Su, and P. Devanbu, “Static Checking of Dynamically Generated Queries in Database Applications,” Proc. 26th Int'l Conf. Software Eng., pp. 645-654, May 2004.
[9] V. Haldar, D. Chandra, and M. Franz, “Dynamic Taint Propagation for Java,” Proc. 21st Ann. Computer Security Applications Conf., pp. 303-311, Dec. 2005.
[10] W. Halfond, A. Orso, and P. Manolios, “Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks,” Proc. ACM SIGSOFT Symp. Foundations of Software Eng., pp. 175-185, Nov. 2006.
[11] W.G. Halfond and A. Orso, “AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks,” Proc. 20th IEEE and ACM Int'l Conf. Automated Software Eng., pp. 174-183, Nov. 2005.
[12] W.G. Halfond, J. Viegas, and A. Orso, “A Classification of SQL-Injection Attacks and Countermeasures,” Proc. IEEE Int'l Symp. Secure Software Eng., Mar. 2006.
[13] M. Howard and D. LeBlanc, Writing Secure Code, second ed. Microsoft Press, 2003.
[14] Y. Huang, S. Huang, T. Lin, and C. Tsai, “Web Application Security Assessment by Fault Injection and Behavior Monitoring,” Proc. 12th Int'l Conf. World Wide Web, pp. 148-159, May 2003.
[15] Y. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee, and S.Y. Kuo, “Securing Web Application Code by Static Analysis and Runtime Protection,” Proc. 13th Int'l Conf. World Wide Web, pp. 40-52, May 2004.
[16] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities,” Proc. IEEE Symp. Security and Privacy, May 2006.
[17] N. Jovanovic, C. Kruegel, and E. Kirda, “Precise Alias Analysis for Static Detection of Web Application Vulnerabilities,” Proc. Workshop Programming Languages and Analysis for Security, pp. 27-36, June 2006.
[18] V.B. Livshits and M.S. Lam, “Finding Security Vulnerabilities in Java Applications with Static Analysis,” Proc. 14th Usenix Security Symp., Aug. 2005.
[19] O. Maor and A. Shulman, “SQL Injection Signatures Evasion,” white paper, Imperva, http://www.imperva.com/application_ defense_center/ white_paperssql_injection_signatures_ evasion.html , Apr. 2004.
[20] M. Martin, B. Livshits, and M.S. Lam, “Finding Application Errors and Security Flaws Using PQL: A Program Query Language,” Proc. 20th Ann. ACM SIGPLAN Conf. Object Oriented Programming Systems Languages and Applications, pp. 365-383, Oct. 2005.
[21] R. McClure and I. Krüger, “SQL DOM: Compile Time Checking of Dynamic SQL Statements,” Proc. 27th Int'l Conf. Software Eng., pp.88-96, May 2005.
[22] J. Newsome and D. Song, “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software,” Proc. 12th Ann. Network and Distributed System Security Symp., Feb. 2005.
[23] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, “Automatically Hardening Web Applications Using Precise Tainting Information,” Proc. 20th IFIP Int'l Information Security Conf., May 2005.
[24] T. Pietraszek and C.V. Berghe, “Defending against Injection Attacks through Context-Sensitive String Evaluation,” Proc. Eighth Int'l Symp. Recent Advances in Intrusion Detection, Sept. 2005.
[25] J. Saltzer and M. Schroeder, “The Protection of Information in Computer Systems,” Proc. Fourth ACM Symp. Operating System Principles, Oct. 1973.
[26] D. Scott and R. Sharp, “Abstracting Application-Level Web Security,” Proc. 11th Int'l Conf. World Wide Web, pp. 396-407, May 2002.
[27] Z. Su and G. Wassermann, “The Essence of Command Injection Attacks in Web Applications.,” Proc. 33rd Ann. Symp. Principles of Programming Languages, pp. 372-382, Jan. 2006.
[28] F. Valeur, D. Mutz, and G. Vigna, “A Learning-Based Approach to the Detection of SQL Attacks,” Proc. Conf. Detection of Intrusions and Malware and Vulnerability Assessment, July 2005.
[29] G. Wassermann and Z. Su, “An Analysis Framework for Security in Web Applications,” Proc. FSE Workshop Specification and Verification of Component-Based Systems, pp. 70-78, Oct. 2004.
[30] Y. Xie and A. Aiken, “Static Detection of Security Vulnerabilities in Scripting Languages,” Proc. 15th Usenix Security Symp., Aug. 2006.
[31] W. Xu, S. Bhatkar, and R. Sekar, “Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks,” Proc. 15th Usenix Security Symp., Aug. 2006.
19 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool