nach oben

Erschienen in:

2016 | OriginalPaper | Buchkapitel

AutoRand: Automatic Keyword Randomization to Prevent Injection Attacks

verfasst von : Jeff Perkins, Jordan Eikenberry, Alessandro Coglio, Daniel Willenson, Stelios Sidiroglou-Douskos, Martin Rinard

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

AutoRand automatically transforms Java applications to use SQL keyword randomization to defend against SQL injection vulnerabilities. AutoRand is completely automatic. Unlike previous approaches it requires no manual modifications to existing code and does not require source (it works directly on Java bytecode). It can thus easily be applied to the large numbers of existing potentially insecure applications without developer assistance. Our key technical innovation is augmented strings. Augmented strings allow extra information (such as random keys) to be embedded within a string. AutoRand transforms string operations so that the extra information is transparent to the program, but is always propagated with each string operation. AutoRand checks each keyword at SQL statements for the random key. Experimental results on large, production Java applications and malicious inputs provided by an independent evaluation team hired by an agency of the United States government showed that AutoRand successfully blocked all SQL injection attacks and preserved transparent execution for benign inputs, all with low overhead.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel DeepFuzz: Triggering Vulnerabilities Deeply Hidden in Binaries

Nächstes Kapitel AVRAND: A Software-Based Defense Against Code Reuse Attacks for AVR Embedded Devices

We use the term keyword to include keywords, operators and comment tokens.

For simplicity, we use the term ‘string’ to refer to objects of all three classes.

The requirement assumes that the key does not occur in S. The space of keys ensures a sufficiently small probability that the key occurs in the application code or data by happenstance.

The full test suite runs in a special environment and is difficult to instrument. The subset allowed for more manageable experiments.

Common Weakness Enumeration (CWE) 89: Improper neutralization of special elements used in an SQL command (‘SQL injection’). http://cwe.mitre.org

SANS Institute, MITRE, et al.: CWE/SANS Top 25 Most Dangerous Software Errors, September 2011. http://cwe.mitre.org/top25

OWASP Foundation: OWASP Top Ten Project, June 2013. https://www.owasp.org/index.php/Top_10_2013-Top_10

Clarke, J.: SQL Injection Attacks and Defenses, 2nd edn. Syngress, Massachusetts (2012)

Code Curmudgeon: SQL injection hall of shame. http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/. Accessed 24 June 2014

Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering code-injection attacks with instruction-set randomization. In: CCS 2003, pp. 272–280 (2003)

Boyd, S.W., Keromytis, A.D.: SQLrand: preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)CrossRef

Halfond, W.G.J., Orso, A., Manolios, P.: Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In: SIGSOFT 2006/FSE-14 (2006)

Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: Candid: dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur. 13(2), 14:1–14:39 (2010)CrossRef

10.

Chin, E., Wagner, D.: Efficient character-level taint tracking for Java. In: Proceedings of the 2009 ACM Workshop on Secure Web Services (2009)

11.

ISO/IEC 9075:2011 - Information technology - Database languages - SQL

12.

Alkacon Software: OpenCms, May 2012. http://www.opencms.org

13.

Apache Foundation: Apache Tomcat, January 2012. http://tomcat.apache.org/

14.

Veracode: SQL injection cheat sheet and tutorial. http://www.veracode.com/security/sql-injection. Accessed 1 August 2014

15.

OWASP: SQL injection prevention cheat sheet. https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. Accessed 1 Aug 2014

16.

Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting (2005)

17.

Pietraszek, T., Berghe, C.V.: Defending against injection attacks through context-sensitive string evaluation (2006)

18.

Son, S., McKinley, K.S., Shmatikov, V.: Diglossia: detecting code injection attacks with precision and efficiency. In: CCS 2013, pp. 1181–1192 (2013)

19.

Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: SEM 2005 (2005)

20.

Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: POPL 2006, pp. 372–382 (2006)

21.

Bandhakavi, S., Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: Candid: preventing SQL injection attacks using dynamic candidate evaluations. In: CCS 2007 (2007)

22.

Halfond, W.G.J., Orso, A.: Amnesia: analysis and monitoring for neutralizing SQL-injection attacks. In: ASE 2005, pp. 174–183 (2005)

23.

Halder, R., Cortesi, A.: Obfuscation-based analysis of SQL injection attacks. In: ISCC 2010, pp. 931–938 (2010)

24.

Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: SP 2006 (2006)

25.

Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: SSYM 2005, p. 18 (2005)

26.

Fu, X., Lu, X., Peltsverger, B., Chen, S., Qian, K., Tao, L.: A static analysis framework for detecting SQL injection vulnerabilities. In: COMPSAC 2007 (2007)

Titel: AutoRand: Automatic Keyword Randomization to Prevent Injection Attacks
verfasst von: Jeff Perkins
Jordan Eikenberry
Alessandro Coglio
Daniel Willenson
Stelios Sidiroglou-Douskos
Martin Rinard
Verlag: Springer International Publishing
Buch: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-319-40666-4

Electronic ISBN: 978-3-319-40667-1

Copyright-Jahr: 2016
DOI: https://doi.org/10.1007/978-3-319-40667-1_3

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner