Advertisement

Secure Code Generation for Web Applications

  • Martin Johns
  • Christian Beyerlein
  • Rosemaria Giesecke
  • Joachim Posegga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5965)

Abstract

A large percentage of recent security problems, such as Cross-site Scripting or SQL injection, is caused by string-based code injection vulnerabilities. These vulnerabilities exist because of implicit code creation through string serialization. Based on an analysis of the vulnerability class’ underlying mechanisms, we propose a general approach to outfit modern programming languages with mandatory means for explicit and secure code generation which provide strict separation between data and code. Using an exemplified implementation for the languages Java and HTML/JavaScript respectively, we show how our approach can be realized and enforced.

Keywords

External Interface Injection Attack USENIX Security Symposium Embed Code Code Injection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    American National Standard for Information Technology. ANSI/INCITS 331.1-1999 - Database Languages - SQLJ - Part 1: SQL Routines using the Java (TM) Programming Language. InterNational Committee for Information Technology Standards (formerly NCITS) (September 1999)Google Scholar
  2. 2.
    Halfond, W.G.J., Orso, A., Manolios, P.: Using positive tainting and syntax-aware evaluation to counter sql injection attacks. In: 14th ACM Symposium on the Foundations of Software Engineering, FSE (2006)Google Scholar
  3. 3.
    Hansen, R.: XSS (cross-site scripting) cheat sheet - esp: for filter evasion, http://ha.ckers.org/xss.html (05/05/07)
  4. 4.
    Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: Proceedings of the 13th conference on World Wide Web, pp. 40–52. ACM Press, New York (2004)CrossRefGoogle Scholar
  5. 5.
    Jalkanen, J.: Jspwiki. [software], http://www.jspwiki.org/
  6. 6.
    Johns, M., Beyerlein, C.: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation. In: 22nd ACM Symposium on Applied Computing (SAC 2007) (March 2007)Google Scholar
  7. 7.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities. In: IEEE Symposium on Security and Privacy (May 2006)Google Scholar
  8. 8.
    Kamkar, S.: Technical explanation of the myspace worm (October 2005), http://namb.la/popular/tech.html (01/10/06)
  9. 9.
    Klein, A.: DOM Based Cross Site Scripting or XSS of the Third Kind (September 2005), http://www.webappsec.org/projects/articles/071105.shtml (05/05/07)
  10. 10.
    Kratzer, J.: Jspwiki multiple vulnerabilitie. Posting to the Bugtraq mailinglist (September 2007), http://seclists.org/bugtraq/2007/Sep/0324.html
  11. 11.
    Livshits, B., Lam, M.S.: Finding security vulnerabilities in java applications using static analysis. In: Proceedings of the 14th USENIX Security Symposium (August 2005)Google Scholar
  12. 12.
    McClure, R.A., Krueger, I.H.: Sql dom: compile time checking of dynamic sql statements. In: Proceedings of the 27th International Conference on Software Engineering (2005)Google Scholar
  13. 13.
    Meijer, E., Beckman, B., Bierman, G.: LINQ: Reconciling Objects, Relations, and XML In the.NET Framework. In: SIGMOD 2006 Industrial Track (2006)Google Scholar
  14. 14.
    Meijer, E., Schulte, W., Bierman, G.: Unifying tables, objects, and documents. In: Declarative Programming in the Context of OO Languages (DP-COOL 2003), vol. 27. John von Neumann Institute of Computing (2003)Google Scholar
  15. 15.
  16. 16.
    Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting. In: 20th IFIP International Information Security Conference (May 2005)Google Scholar
  17. 17.
    Ollmann, G.: Second-order code injection. Whitepaper, NGSSoftware Insight Security Research (2004), http://www.ngsconsulting.com/papers/SecondOrderCodeInjection.pdf
  18. 18.
    Pietraszek, T., Berghe, C.V.: Defending against injection attacks through context-sensitive string evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Robertson, W., Vigna, G.: Static Enforcement of Web Application Integrity Through Strong Typing. In: USENIX Security (August 2009)Google Scholar
  20. 20.
    Schneider, J., Yu, R., Dyer, J. (eds.): Ecmascript for xml (e4x) specification. ECMA Standard 357, 2nd edn. (December 2005), http://www.ecma-international.org/publications/standards/Ecma-357.htm
  21. 21.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: Proceedings of POPL 2006 (January 2006)Google Scholar
  22. 22.
    von Stuppe, S.: Dealing with sql injection (part i) (February 2009), http://sylvanvonstuppe.blogspot.com/2009/02/dealing-with-sql-injection-part-i.html (04/24/09)
  23. 23.
    Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, Leipzig, Germany, May 2008. ACM Press, New York (2008)Google Scholar
  24. 24.
    Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In: 15th USENIX Security Symposium (August 2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Martin Johns
    • 1
    • 2
  • Christian Beyerlein
    • 3
  • Rosemaria Giesecke
    • 1
  • Joachim Posegga
    • 2
  1. 1.SAP Research – CEC Karlsruhe 
  2. 2.Faculty for Informatics and Mathematics, ISLUniversity of Passau 
  3. 3.Department of Informatics, SVSUniversity of Hamburg 

Personalised recommendations