Abstract
The most dangerous security-related software errors, according to CWE 2011, are those leading to injection attacks — user-provided data that result in undesired database access and updates (SQL-injections), dynamic generation of web pages (cross-site scripting-injections), redirection to user-specified web pages (redirect-injections), execution of OS commands (command-injections), class loading of user-specified classes (reflection-injections), and many others. This paper describes a flow- and context-sensitive static analysis that automatically identifies if and where injections of tainted data can occur in a program. The analysis models explicit flows of tainted data. Its notion of taintedness applies also to reference (non-primitive) types dynamically allocated in the heap, and is object-sensitive and field-sensitive. The analysis works by translating the program into Boolean formulas that model all possible flows. We implemented it within the Julia analyzer for Java and Android. Julia found injection security vulnerabilities in the Internet banking service and in the customer relationship management of a large Italian bank.
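As an added illustration of the approach the abstract sketches (not code from the paper or from the Julia analyzer), the following toy analysis gives every variable of a tiny three-address program a Boolean formula over the taintedness of the method's inputs, joins formulas at control-flow merges, and instantiates a callee's summary at a call site; the IR, the helper names and the executeQuery sink are assumptions.

```python
# Toy version of the idea in the abstract: the taintedness of each variable is
# a Boolean formula over the taintedness of the enclosing method's inputs, and
# a callee's sink formulas are instantiated with the caller's own formulas
# (context-sensitive). Only explicit flows are modelled, so a formula is just a
# frozenset of input names read as their disjunction (empty set = untainted).
# Added illustration; not code from the paper or from the Julia analyzer.

UNTAINTED = frozenset()

def analyse(params, body):
    """Flow-sensitive pass over a tiny three-address IR. Returns (env, sinks):
    env maps variables to formulas, sinks maps sink names to the formula over
    params under which that sink receives tainted data. Statement forms:
      ('assign', dst, src)   ('concat', dst, a, b)   ('sanitize', dst, src)
      ('if', then_stmts, else_stmts)   ('sink', name, var)
    """
    sinks = {}
    def run(stmts, env):
        env = dict(env)                       # each path gets its own state
        for s in stmts:
            if s[0] == 'assign':              # dst = src
                env[s[1]] = env.get(s[2], UNTAINTED)
            elif s[0] == 'concat':            # dst = a + b: tainted if either is
                env[s[1]] = env.get(s[2], UNTAINTED) | env.get(s[3], UNTAINTED)
            elif s[0] == 'sanitize':          # dst = escape(src): never tainted
                env[s[1]] = UNTAINTED
            elif s[0] == 'if':                # join both branches (OR) at merge
                e1, e2 = run(s[1], env), run(s[2], env)
                env = {v: e1.get(v, UNTAINTED) | e2.get(v, UNTAINTED)
                       for v in set(e1) | set(e2)}
            elif s[0] == 'sink':              # var flows into e.g. executeQuery
                sinks[s[1]] = sinks.get(s[1], UNTAINTED) | env.get(s[2], UNTAINTED)
        return env
    return run(body, {p: frozenset({p}) for p in params}), sinks

def instantiate(summary, actuals):
    """Substitute the caller's formulas for the callee's parameters (one
    callee summary serves every call site, giving context-sensitivity)."""
    return {sink: frozenset().union(*(actuals.get(p, UNTAINTED) for p in f))
            for sink, f in summary.items()}

# Constructed sample: runQuery(sql) hands its parameter to executeQuery ...
_, RUN_QUERY = analyse(['sql'], [('sink', 'executeQuery', 'sql')])
# ... and a caller escapes the request parameter on only one branch.
CALLER_ENV, _ = analyse(['req'], [
    ('if', [('sanitize', 'v', 'req')], [('assign', 'v', 'req')]),
    ('concat', 'sql', 'lit', 'v'),            # 'lit' is a constant: untainted
])
CALL_SITE = instantiate(RUN_QUERY, {'sql': CALLER_ENV['sql']})  # {'executeQuery': {'req'}}
```

Because the unsanitized branch survives the merge, the sink formula at the call site still mentions req; escaping on both branches would make it empty, i.e. provably untainted.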
References
Appelt, D., Nguyen, C.D., Briand, L.C., Alshahwan, N.: Automated testing for SQL injection vulnerabilities: an input mutation approach. In: ISSTA, pp. 259–269, San Jose, CA, USA (2014)
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: PLDI, p. 29, Edinburgh, UK, June 2014
Barthe, G., Pichardie, D., Rezk, T.: A certified lightweight non-interference Java bytecode verifier. Math. Struct. Comput. Sci. 23(5), 1032–1081 (2013)
Barthe, G., Rezk, T., Basu, A.: Security types preserving compilation. Comput. Lang. Syst. Struct. 33(2), 35–59 (2007)
Clark, D., Hankin, C., Hunt, S.: Information flow for ALGOL-like languages. Comput. Lang. 28(1), 3–28 (2002)
Cousot, P., Cousot, R.: Abstract Interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977)
Doshi, J.C., Christian, M., Trivedi, B.H.: SQL FILTER – SQL Injection prevention and logging using dynamic network filter. In: Mauri, J.L., Thampi, S.M., Rawat, D.B., Jin, D. (eds.) SSCC 2014. CCIS, vol. 467, pp. 400–406. Springer, Heidelberg (2014)
Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F.: Boolean Formulas for the Static Identification of Injection Attacks in Java. Technical Report UW-CSE-15-09-03, University of Washington Department of Computer Science and Engineering, Seattle, WA, USA, September 2015
Genaim, S., Giacobazzi, R., Mastroeni, I.: Modeling secure information flow with Boolean functions. In: Ryan, P. (ed.) WITS 2004, April 2004
Genaim, S., Spoto, F.: Information flow analysis for Java bytecode. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 346–362. Springer, Heidelberg (2005)
Genaim, S., Spoto, F.: Constancy Analysis. In: Huisman, M. (ed.), FTfJP, Paphos, Cyprus, July 2008. Radboud University
Jang, Y.-S., Choi, J.-Y.: Detecting SQL injection attacks using query result size. Comput. Secur. 44, 104–118 (2014)
Kobayashi, N., Shirane, K.: Type-based information flow analysis for low-level languages. In: APLAS (2002)
Kumar, D.G., Chatterjee, M.: MAC based solution for SQL injection. J. Comput. Virol. Hacking Tech. 11(1), 1–7 (2015)
Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001)
Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java Virtual Machine Specification, Java SE 7 Edition. Addison-Wesley Professional, 1st edition (2013)
Liu, L., Xu, J., Li, M., Yang, J.: A Dynamic SQL injection vulnerability test case generation model based on the multiple phases detection approach. In: COMPSAC, pp. 256–261, Kyoto, Japan (2013)
Makiou, A., Begriche, Y., Serhrouchni, A.: Improving web application firewalls to detect advanced SQL injection attacks. In: IAS, pp. 35–40, Okinawa, Japan (2014)
MITRE/SANS: Top 25 Most Dangerous Software Errors. http://cwe.mitre.org/top25, September 2011
Mizuno, M.: A least fixed point approach to inter-procedural information flow control. In: NCSC, pp. 558–570 (1989)
Sheykhkanloo, N.M.: Employing neural networks for the detection of SQL injection attack. In: SIN, p. 318, Glasgow, Scotland, UK (2014)
Nikolić, D., Spoto, F.: Reachability analysis of program variables. ACM Trans. Program. Lang. Syst. 35(4), 14 (2013)
Payet, É., Spoto, F.: Magic-sets transformation for the analysis of Java bytecode. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 452–467. Springer, Heidelberg (2007)
Reps, T.W., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: POPL 1995, pp. 49–61, San Francisco, California, USA, January 1995
Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)
Sabelfeld, A., Sands, D.: A PER model of secure information flow in sequential programs. High. Order Symbolic Comput. 14(1), 59–91 (2001)
Secci, S., Spoto, F.: Pair-sharing analysis of object-oriented programs. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 320–335. Springer, Heidelberg (2005)
Shahriar, H., Zulkernine, M.: Information-theoretic detection of SQL injection attacks. In: HASE, pp. 40–47. Omaha, NE, USA (2012)
Shar, L.K., Tan, H.B.K.: Defeating SQL injection. IEEE Comput. 46(3), 69–77 (2013)
Simic, B., Walden, J.: Eliminating SQL injection and cross site scripting using aspect oriented programming. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 213–228. Springer, Heidelberg (2013)
Skalka, C., Smith, S.: Static enforcement of security with types. In: ICFP, pp. 254–267. ACM press (2000)
Spoto, F.: Nullness analysis in boolean form. In: SEFM, pp. 21–30. IEEE, Washington, DC, USA (2008)
Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: effective taint analysis of web applications. SIGPLAN Not. 44(6), 87–97 (2009)
Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2,3), 167–187 (1996)
Wu, T.-Y., Pan, J.-S., Chen, C.-M., Lin, C.-W.: Towards SQL injection attacks detection mechanism using parse tree. In: Sun, H., Yang, C.-Y., Lin, C.-W., Pan, J.-S., Snasel, V., Abraham, A. (eds.) Genetic and Evolutionary Computing. AISC, vol. 329, pp. 371–380. Springer, Heidelberg (2015)
Acknowledgments
This material is based upon work supported by the United States Air Force under Contract No. FA8750-12-C-0174.
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
Cite this paper
Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F. (2015). Boolean Formulas for the Static Identification of Injection Attacks in Java. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds) Logic for Programming, Artificial Intelligence, and Reasoning. LPAR 2015. Lecture Notes in Computer Science(), vol 9450. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-48899-7_10
DOI: https://doi.org/10.1007/978-3-662-48899-7_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-48898-0
Online ISBN: 978-3-662-48899-7