
Boolean Formulas for the Static Identification of Injection Attacks in Java

Conference paper. In: Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2015)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9450)

Abstract

The most dangerous security-related software errors, according to the 2011 CWE/SANS Top 25, are those leading to injection attacks: user-provided data that result in undesired database access and updates (SQL injection), dynamic generation of web pages (cross-site scripting), redirection to user-specified web pages (redirect injection), execution of OS commands (command injection), class loading of user-specified classes (reflection injection), and many others. This paper describes a flow- and context-sensitive static analysis that automatically identifies if and where injections of tainted data can occur in a program. The analysis models explicit flows of tainted data (that is, data dependencies, as opposed to implicit flows through control dependencies). Its notion of taintedness also applies to reference (non-primitive) types dynamically allocated in the heap, and is object-sensitive and field-sensitive. The analysis works by translating the program into Boolean formulas that model all possible flows. We implemented it within the Julia analyzer for Java and Android. Julia found injection security vulnerabilities in the Internet banking service and in the customer relationship management system of a large Italian bank.
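The abstract describes taintedness kept "in Boolean form": each variable, and each heap field, carries a formula that says under which conditions it holds attacker-controlled data, rather than a single tainted/untainted bit. The following is an added toy illustration of that idea, not the paper's algorithm and not code from the Julia analyzer. The three-address program encoding (the tuples), the opcode names, the source and sink labels, the allocation-site naming (`Ctx@L12`) and both sample programs are all constructed for this example. Field-sensitivity is modelled by keying the heap on (allocation site, field), and a branch is merged by case-splitting on a fresh Boolean variable instead of a lossy join, so each reported sink comes with a witness naming the source and the path that reaches it.

```python
"""Toy flow-, field- and allocation-site-sensitive taint analysis in Boolean form.

Added illustration only (not the Julia analyzer, not the paper's algorithm).
The tuple program format, opcodes, labels and sample programs are constructed.
Taint of a variable or (site, field) cell is a formula over 'src:*' variables
(which untrusted input was read) and 'cond:*' variables (which branch ran)."""
from itertools import product

TRUE, FALSE = ("true",), ("false",)

def var(name):
    return ("var", name)

def f_not(a):
    return FALSE if a == TRUE else TRUE if a == FALSE else ("not", a)

def f_and(a, b):
    if a == FALSE or b == FALSE: return FALSE
    return b if a == TRUE else a if b == TRUE else ("and", a, b)

def f_or(a, b):
    if a == TRUE or b == TRUE: return TRUE
    return b if a == FALSE else a if b == FALSE else ("or", a, b)

def ev(f, env):
    """Truth value of formula f under the assignment env (name -> bool)."""
    k = f[0]
    if k in ("true", "false"): return k == "true"
    if k == "var": return env[f[1]]
    if k == "not": return not ev(f[1], env)
    if k == "and": return ev(f[1], env) and ev(f[2], env)
    return ev(f[1], env) or ev(f[2], env)

def names(f, acc=None):
    acc = set() if acc is None else acc
    if f[0] == "var": acc.add(f[1])
    for sub in f[1:]:
        if isinstance(sub, tuple): names(sub, acc)
    return acc

def satisfiable(f):
    """Brute-force SAT (fine for toy programs). Returns a witness dict or None."""
    vs = sorted(names(f))
    for bits in product([False, True], repeat=len(vs)):
        env = dict(zip(vs, bits))
        if ev(f, env): return env
    return None

def run(block, st, sinks, pc):
    """Forward transfer over a block. st maps a variable, or an (allocation
    site, field) pair, to the formula 'holds tainted data'; pc is the path
    condition under which this block executes."""
    for s in block:
        op = s[0]
        if op == "source":      # x = untrusted input named s[2]
            st[s[1]] = var("src:" + s[2])
        elif op == "const":     # x = string literal: never tainted
            st[s[1]] = FALSE
        elif op == "assign":    # x = y
            st[s[1]] = st[s[2]]
        elif op == "concat":    # x = y + z: tainted iff either operand is
            st[s[1]] = f_or(st[s[2]], st[s[3]])
        elif op == "sanitize":  # x = escape(y): result treated as trusted
            st[s[1]] = FALSE
        elif op == "new":       # x = new C() at allocation site s[2]
            st[s[1]] = ("alloc", s[2])
        elif op == "putfield":  # x.f = y, one heap cell per (site, field)
            st[(st[s[1]][1], s[2])] = st[s[3]]
        elif op == "getfield":  # x = y.f (unset field is null: untainted)
            st[s[1]] = st.get((st[s[2]][1], s[3]), FALSE)
        elif op == "if":        # if c then s[2] else s[3]; c is a fresh variable
            c = var("cond:" + s[1])
            t_st, e_st = dict(st), dict(st)
            run(s[2], t_st, sinks, f_and(pc, c))
            run(s[3], e_st, sinks, f_and(pc, f_not(c)))
            for k in set(t_st) | set(e_st):
                a, b = t_st.get(k, FALSE), e_st.get(k, FALSE)
                if a[0] == "alloc" or b[0] == "alloc":   # object reference, not a formula
                    st[k] = a if a[0] == "alloc" else b
                else:   # case split on c instead of a lossy lattice join
                    st[k] = f_or(f_and(c, a), f_and(f_not(c), b))
        elif op == "sink":      # dangerous use of x, labelled s[2]
            sinks.append((s[2], f_and(pc, st[s[1]])))

def analyze(prog):
    """Return one (sink label, taint formula, witness or None) per sink."""
    sinks = []
    run(prog, {}, sinks, TRUE)
    return [(label, f, satisfiable(f)) for label, f in sinks]

# Constructed program 1: the classic servlet pattern
#   q = "SELECT ... WHERE name='" + request.getParameter("name") + "'"
# stored in one field of a context object beside a constant field; both fields
# later reach executeQuery. Only the cell holding the query is tainted.
SQLI = [
    ("source", "name", "getParameter(name)"),
    ("const", "prefix"), ("const", "suffix"), ("const", "tag"),
    ("concat", "t1", "prefix", "name"),
    ("concat", "query", "t1", "suffix"),
    ("new", "ctx", "Ctx@L12"),
    ("putfield", "ctx", "sql", "query"),
    ("putfield", "ctx", "tag", "tag"),
    ("getfield", "q", "ctx", "sql"),
    ("getfield", "g", "ctx", "tag"),
    ("sink", "q", "executeQuery#1"),
    ("sink", "g", "executeQuery#2"),
]

# Constructed program 2: sanitized on one path only; the witness names the path.
BRANCH = [
    ("source", "name", "getParameter(name)"),
    ("const", "prefix"),
    ("if", "strictMode", [("sanitize", "safe", "name")], [("assign", "safe", "name")]),
    ("concat", "query", "prefix", "safe"),
    ("sink", "query", "executeQuery"),
]

if __name__ == "__main__":
    for prog in (SQLI, BRANCH):
        for label, f, w in analyze(prog):
            print(label, "INJECTION" if w is not None else "safe", w or "")
```

Running it reports `executeQuery#1` with witness `src:getParameter(name)=True` and leaves `executeQuery#2` silent, which is the field-sensitivity the abstract refers to; for the branching program the witness is `cond:strictMode=False`, i.e. the unsanitized path. As in the paper's setting, only explicit flows are tracked: a value derived from a tainted input through a branch condition alone would not be flagged.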

References

  1. Appelt, D., Nguyen, C.D., Briand, L.C., Alshahwan, N.: Automated testing for SQL injection vulnerabilities: an input mutation approach. In: ISSTA, pp. 259–269, San Jose, CA, USA (2014)

  2. Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: PLDI, p. 29, Edinburgh, UK, June 2014

  3. Barthe, G., Pichardie, D., Rezk, T.: A certified lightweight non-interference Java bytecode verifier. Math. Struct. Comput. Sci. 23(5), 1032–1081 (2013)

  4. Barthe, G., Rezk, T., Basu, A.: Security types preserving compilation. Comput. Lang. Syst. Struct. 33(2), 35–59 (2007)

  5. Clark, D., Hankin, C., Hunt, S.: Information flow for ALGOL-like languages. Comput. Lang. 28(1), 3–28 (2002)

  6. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977)

  7. Doshi, J.C., Christian, M., Trivedi, B.H.: SQL FILTER – SQL injection prevention and logging using dynamic network filter. In: Mauri, J.L., Thampi, S.M., Rawat, D.B., Jin, D. (eds.) SSCC 2014. CCIS, vol. 467, pp. 400–406. Springer, Heidelberg (2014)

  8. Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F.: Boolean formulas for the static identification of injection attacks in Java. Technical Report UW-CSE-15-09-03, University of Washington Department of Computer Science and Engineering, Seattle, WA, USA, September 2015

  9. Genaim, S., Giacobazzi, R., Mastroeni, I.: Modeling secure information flow with Boolean functions. In: Ryan, P. (ed.) WITS 2004, April 2004

  10. Genaim, S., Spoto, F.: Information flow analysis for Java bytecode. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 346–362. Springer, Heidelberg (2005)

  11. Genaim, S., Spoto, F.: Constancy analysis. In: Huisman, M. (ed.) FTfJP 2008, Paphos, Cyprus, July 2008. Radboud University

  12. Jang, Y.-S., Choi, J.-Y.: Detecting SQL injection attacks using query result size. Comput. Secur. 44, 104–118 (2014)

  13. Kobayashi, N., Shirane, K.: Type-based information flow analysis for low-level languages. In: APLAS (2002)

  14. Kumar, D.G., Chatterjee, M.: MAC based solution for SQL injection. J. Comput. Virol. Hacking Tech. 11(1), 1–7 (2015)

  15. Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001)

  16. Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java Virtual Machine Specification, Java SE 7 Edition, 1st edn. Addison-Wesley Professional (2013)

  17. Liu, L., Xu, J., Li, M., Yang, J.: A dynamic SQL injection vulnerability test case generation model based on the multiple phases detection approach. In: COMPSAC, pp. 256–261, Kyoto, Japan (2013)

  18. Makiou, A., Begriche, Y., Serhrouchni, A.: Improving web application firewalls to detect advanced SQL injection attacks. In: IAS, pp. 35–40, Okinawa, Japan (2014)

  19. MITRE/SANS: Top 25 Most Dangerous Software Errors. http://cwe.mitre.org/top25, September 2011

  20. Mizuno, M.: A least fixed point approach to inter-procedural information flow control. In: NCSC, pp. 558–570 (1989)

  21. Sheykhkanloo, N.M.: Employing neural networks for the detection of SQL injection attack. In: SIN, p. 318, Glasgow, Scotland, UK (2014)

  22. Nikolić, D., Spoto, F.: Reachability analysis of program variables. ACM Trans. Program. Lang. Syst. 35(4), 14 (2013)

  23. Payet, É., Spoto, F.: Magic-sets transformation for the analysis of Java bytecode. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 452–467. Springer, Heidelberg (2007)

  24. Reps, T.W., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: POPL 1995, pp. 49–61, San Francisco, CA, USA, January 1995

  25. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)

  26. Sabelfeld, A., Sands, D.: A PER model of secure information flow in sequential programs. High. Order Symbolic Comput. 14(1), 59–91 (2001)

  27. Secci, S., Spoto, F.: Pair-sharing analysis of object-oriented programs. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 320–335. Springer, Heidelberg (2005)

  28. Shahriar, H., Zulkernine, M.: Information-theoretic detection of SQL injection attacks. In: HASE, pp. 40–47, Omaha, NE, USA (2012)

  29. Shar, L.K., Tan, H.B.K.: Defeating SQL injection. IEEE Comput. 46(3), 69–77 (2013)

  30. Simic, B., Walden, J.: Eliminating SQL injection and cross site scripting using aspect oriented programming. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 213–228. Springer, Heidelberg (2013)

  31. Skalka, C., Smith, S.: Static enforcement of security with types. In: ICFP, pp. 254–267. ACM Press (2000)

  32. Spoto, F.: Nullness analysis in Boolean form. In: SEFM, pp. 21–30. IEEE, Washington, DC, USA (2008)

  33. Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: effective taint analysis of web applications. SIGPLAN Not. 44(6), 87–97 (2009)

  34. Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2,3), 167–187 (1996)

  35. Wu, T.-Y., Pan, J.-S., Chen, C.-M., Lin, C.-W.: Towards SQL injection attacks detection mechanism using parse tree. In: Sun, H., Yang, C.-Y., Lin, C.-W., Pan, J.-S., Snasel, V., Abraham, A. (eds.) Genetic and Evolutionary Computing. AISC, vol. 329, pp. 371–380. Springer, Heidelberg (2015)

Acknowledgments

This material is based upon work supported by the United States Air Force under Contract No. FA8750-12-C-0174.

Author information

Corresponding author: Alberto Lovato

Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F. (2015). Boolean Formulas for the Static Identification of Injection Attacks in Java. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds) Logic for Programming, Artificial Intelligence, and Reasoning. LPAR 2015. Lecture Notes in Computer Science, vol. 9450. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-48899-7_10

  • DOI: https://doi.org/10.1007/978-3-662-48899-7_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-48898-0

  • Online ISBN: 978-3-662-48899-7
