Boolean Formulas for the Static Identification of Injection Attacks in Java

  • Michael D. Ernst
  • Alberto LovatoEmail author
  • Damiano Macedonio
  • Ciprian Spiridon
  • Fausto Spoto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9450)


The most dangerous security-related software errors, according to CWE 2011, are those leading to injection attacks — user-provided data that result in undesired database access and updates (SQL-injections), dynamic generation of web pages (cross-site scripting-injections), redirection to user-specified web pages (redirect-injections), execution of OS commands (command-injections), class loading of user-specified classes (reflection-injections), and many others. This paper describes a flow- and context-sensitive static analysis that automatically identifies if and where injections of tainted data can occur in a program. The analysis models explicit flows of tainted data. Its notion of taintedness applies also to reference (non-primitive) types dynamically allocated in the heap, and is object-sensitive and field-sensitive. The analysis works by translating the program into Boolean formulas that model all possible flows. We implemented it within the Julia analyzer for Java and Android. Julia found injection security vulnerabilities in the Internet banking service and in the customer relationship management of a large Italian bank.


Tainted Data Internet Banking Services Explicit Flow Largest Italian Bank Java Bytecode Programs 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This material is based upon work supported by the United States Air Force under Contract No. FA8750-12-C-0174.


  1. 1.
    Appelt, D., Nguyen, C.D., Briand, L.C., Alshahwan, N.: Automated testing for SQL injection vulnerabilities: an input mutation approach. In: ISSTA, pp. 259–269, San Jose, CA, USA (2014)Google Scholar
  2. 2.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: PLDI, p. 29, Edinburgh, UK, June 2014Google Scholar
  3. 3.
    Barthe, G., Pichardie, D., Rezk, T.: A certified lightweight non-interference java bytecode verifier. Math. Struct. Comput. Sci. 23(5), 1032–1081 (2013)zbMATHMathSciNetCrossRefGoogle Scholar
  4. 4.
    Barthe, G., Rezk, T., Basu, A.: Security types preserving compilation. Comput. Lang. Syst. Struct. 33(2), 35–59 (2007)zbMATHGoogle Scholar
  5. 5.
    Clark, D., Hankin, C., Hunt, S.: Information flow for ALGOL-like languages. Comput. Lang. 28(1), 3–28 (2002)zbMATHGoogle Scholar
  6. 6.
    Cousot, P., Cousot, R.: Abstract Interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977)Google Scholar
  7. 7.
    Doshi, J.C., Christian, M., Trivedi, B.H.: SQL FILTER – SQL Injection prevention and logging using dynamic network filter. In: Mauri, J.L., Thampi, S.M., Rawat, D.B., Jin, D. (eds.) SSCC 2014. CCIS, vol. 467, pp. 400–406. Springer, Heidelberg (2014) Google Scholar
  8. 8.
    Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F.: Boolean Formulas for the Static Identification of Injection Attacks in Java. Technical Report UW-CSE-15-09-03, University of Washington Department of Computer Science and Engineering, Seattle, WA, USA, September 2015Google Scholar
  9. 9.
    Genaim, S., Giacobazzi, R., Mastroeni, I.: Modeling secure information flow with boolean functions. In: Peter Ryan, editor, WITS 2004, April 2004Google Scholar
  10. 10.
    Genaim, S., Spoto, F.: Information flow analysis for java bytecode. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 346–362. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  11. 11.
    Genaim, S., Spoto, F.: Constancy Analysis. In: Huisman, M. (ed.), FTfJP, Paphos, Cyprus, July 2008. Radboud UniversityGoogle Scholar
  12. 12.
    Jang, Y.-S., Choi, J.-Y.: Detecting SQL injection attacks using query result size. Comput. Secur. 44, 104–118 (2014)CrossRefGoogle Scholar
  13. 13.
    Kobayashi, N., Shirane, K.: Type-based information flow analysis for low-level languages. In: APLAS (2002)Google Scholar
  14. 14.
    Kumar, D.G., Chatterjee, M.: MAC based solution for SQL injection. J. Comput. Virol. Hacking Tech. 11(1), 1–7 (2015)CrossRefGoogle Scholar
  15. 15.
    Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  16. 16.
    Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java Virtual Machine Specification, Java SE 7 Edition. Addison-Wesley Professional, 1st edition (2013)Google Scholar
  17. 17.
    Liu, L., Xu, J., Li, M., Yang, J.: A Dynamic SQL injection vulnerability test case generation model based on the multiple phases detection approach. In: COMPSAC, pp. 256–261, Kyoto, Japan (2013)Google Scholar
  18. 18.
    Makiou, A., Begriche, Y., Serhrouchni, A.: Improving web application firewalls to detect advanced SQL injection attacks. In: IAS, pp. 35–40. Okinawa, Japan 2014Google Scholar
  19. 19.
    MITRE/SANS. Top 25 Most Dangerous Software Errors., September 2011
  20. 20.
    Mizuno, M.: A least fixed point approach to inter-procedural information flow control. In: NCSC, pp. 558–570 (1989)Google Scholar
  21. 21.
    Naghmeh, N.M., Sheykhkanloo, M.: Employing neural networks for the detection of SQL injection attack. In: SIN, pp. 318, Glasgow, Scotland, UK (2014)Google Scholar
  22. 22.
    Nikolić, D., Spoto, F.: Reachability analysis of program variables. ACM Trans. Program. Lang. Syst. 35(4), 14 (2013)Google Scholar
  23. 23.
    Payet, É., Spoto, F.: Magic-sets transformation for the analysis of java bytecode. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 452–467. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  24. 24.
    Resp, T.W., Horwitz, S., Sagiv, S.: Precise interprocedural dataflow analysis via graph reachability. In: POPL 1995, pp. 49–61. San Francisco, California, USA, January 1995Google Scholar
  25. 25.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)CrossRefGoogle Scholar
  26. 26.
    Sabelfeld, A., Sands, D.: A PER model of secure information flow in sequential programs. High. Order Symbolic Comput. 14(1), 59–91 (2001)zbMATHCrossRefGoogle Scholar
  27. 27.
    Secci, S., Spoto, F.: Pair-sharing analysis of object-oriented programs. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 320–335. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  28. 28.
    Shahriar, H., Zulkernine, M.: Information-theoretic detection of SQL injection attacks. In: HASE, pp. 40–47. Omaha, NE, USA (2012)Google Scholar
  29. 29.
    Shar, L.K., Tan, K.: H. B. defeating SQL injection. IEEE Comput. 46(3), 69–77 (2013)CrossRefGoogle Scholar
  30. 30.
    Simic, B., Walden, J.: Eliminating SQL injection and cross site scripting using aspect oriented programming. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 213–228. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  31. 31.
    Skalka, C., Smith, S.: Static enforcement of security with types. In: ICFP, pp. 254–267. ACM press (2000)Google Scholar
  32. 32.
    Spoto, F.: Nullness analysis in boolean form. In: SEFM, pp. 21–30. IEEE, Washington, DC, USA (2008)Google Scholar
  33. 33.
    Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: effective taint analysis of web applications. SIGPLAN Not. 44(6), 87–97 (2009)CrossRefGoogle Scholar
  34. 34.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2,3), 167–187 (1996)Google Scholar
  35. 35.
    Wu, T.-Y., Pan, J.-S., Chen, C.-M., Lin, C.-W.: Towards SQL injection attacks detection mechanism using parse tree. In: Sun, H., Yang, C.-Y., Lin, C.-W., Pan, J.-S., Snasel, V., Abraham, A. (eds.) Genetic and Evolutionary Computing. AISC, vol. 329, pp. 371–380. Springer, Heidelberg (2015) Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Michael D. Ernst
    • 1
  • Alberto Lovato
    • 2
    Email author
  • Damiano Macedonio
    • 3
  • Ciprian Spiridon
    • 3
  • Fausto Spoto
    • 2
    • 3
  1. 1.University of WashingtonSeattleUSA
  2. 2.Dipartimento di InformaticaUniversità di VeronaVeronaItaly
  3. 3.Julia SrlVeronaItaly

Personalised recommendations