Type-Based Enforcement of Secure Programming Guidelines — Code Injection Prevention at SAP

  • Robert Grabowski
  • Martin Hofmann
  • Keqin Li
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7140)


Code injection and cross-site scripting are among the most common security vulnerabilities in modern software, and are usually caused by incorrect string processing. These vulnerabilities are often addressed by formulating programming guidelines or “best practices”.

In this paper, we study the concrete example of a guideline used at SAP for the handling of untrusted, potentially executable strings that are embedded in the output of a Java servlet. To verify adherence to the guideline, we present a type system for a Java-like language that is extended with refined string types, output effects, and polymorphic method types.

The practical suitability of the system is demonstrated by an implementation of a corresponding string type verifier and context-sensitive inference for real Java programs.
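The following is an added illustration, not code from the paper or from SAP, of the idea that a string type can be refined so that untrusted request data cannot reach a servlet's output without passing through an encoding function. The paper's actual type system (refined string types, output effects, polymorphic method types) is not reproduced here; what is shown is the weaker discipline that Java's ordinary type system can enforce with a wrapper class. The class names `HtmlText` and `HtmlWriter`, the minimal HTML encoder, and the sample request value are all assumptions introduced for the example.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

// Added example (not from the paper): a wrapper type standing in for a
// refined "encoded HTML" string type. Names and encoder are illustrative.
public final class TypedOutputExample {

    // A value of this type is, by construction, HTML-encoded text.
    // The constructor is private, so the only ways to obtain one are the
    // encode(...) and literal(...) factories below; an unencoded request
    // parameter can never be passed where HtmlText is expected.
    public static final class HtmlText {
        private final String encoded;

        private HtmlText(String encoded) {
            this.encoded = encoded;
        }

        // The single sanitising entry point: untrusted String -> HtmlText.
        // Minimal HTML-body encoder for illustration only; it is not SAP's
        // output encoding library and does not cover attribute or JS contexts.
        public static HtmlText encode(String untrusted) {
            StringBuilder sb = new StringBuilder(untrusted.length() + 16);
            for (int i = 0; i < untrusted.length(); i++) {
                char c = untrusted.charAt(i);
                switch (c) {
                    case '<':  sb.append("&lt;");   break;
                    case '>':  sb.append("&gt;");   break;
                    case '&':  sb.append("&amp;");  break;
                    case '"':  sb.append("&quot;"); break;
                    case '\'': sb.append("&#39;");  break;
                    default:   sb.append(c);
                }
            }
            return new HtmlText(sb.toString());
        }

        // Trusted markup written by the programmer (never request data).
        public static HtmlText literal(String programConstant) {
            return new HtmlText(programConstant);
        }

        // Concatenation stays inside the type: encoded + encoded is encoded.
        public HtmlText concat(HtmlText other) {
            return new HtmlText(this.encoded + other.encoded);
        }

        @Override
        public String toString() {
            return encoded;
        }
    }

    // The output sink accepts only HtmlText, never a bare String. In a real
    // servlet this would wrap HttpServletResponse.getWriter().
    public static final class HtmlWriter {
        private final PrintWriter out;

        public HtmlWriter(PrintWriter out) {
            this.out = out;
        }

        public void print(HtmlText t) {
            out.print(t.toString());
        }
    }

    // Guideline violation: the untrusted parameter flows straight into the
    // response. A refined string type for 'name' would make this ill-typed.
    static String vulnerableGreeting(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened form: only HtmlText can reach the sink, so 'name' must be
    // encoded before it is embedded in the output.
    static void safeGreeting(HtmlWriter w, String name) {
        w.print(HtmlText.literal("<p>Hello, ")
                .concat(HtmlText.encode(name))
                .concat(HtmlText.literal("</p>")));
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for request.getParameter("name").
        String name = "<script>alert(1)</script>";

        System.out.println(vulnerableGreeting(name));

        StringWriter buf = new StringWriter();
        PrintWriter pw = new PrintWriter(buf);
        safeGreeting(new HtmlWriter(pw), name);
        pw.flush();
        System.out.println(buf);

        // new HtmlWriter(pw).print(name);  // rejected by javac: String is not HtmlText
    }
}
```

Running `main` prints the vulnerable greeting with the script tag intact, and the hardened greeting with `<` and `>` replaced by `&lt;` and `&gt;`. The commented-out last line is the point of the exercise: the compiler, not a code review, rejects a raw `String` at the sink. The paper's system goes further than this wrapper-class trick: it tracks the refinement on ordinary `String` values without changing the program, records output effects per method, and infers polymorphic method types so that library code need not be annotated for each calling context.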







Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Robert Grabowski (1)
  • Martin Hofmann (1)
  • Keqin Li (2)
  1. Institut für Informatik, Ludwig-Maximilians-Universität München, Germany
  2. SAP Research France, Mougins Cedex, France
