research-article

Type-specific languages to fight injection attacks

Authors:

Jonathan AldrichAuthors Info & Claims

HotSoS '14: Proceedings of the 2014 Symposium and Bootcamp on the Science of Security

Article No.: 18, Pages 1 - 2

https://doi.org/10.1145/2600176.2600194

Published: 08 April 2014 Publication History

Get Access

Abstract

Injection vulnerabilities have topped rankings of the most critical web application vulnerabilities for several years [1, 2]. They can occur anywhere where user input may be erroneously executed as code. The injected input is typically aimed at gaining unauthorized access to the system or to private information within it, corrupting the system's data, or disturbing system availability. Injection vulnerabilities are tedious and difficult to prevent.

References

[1]

CWE/SANS. http://cwe.mitre.org/top25/#Listing.

Google Scholar

[2]

OWASP Top Ten Project. https://www.owasp.org/index.php/Category: ___ OWASP_Top_Ten_Project.

Google Scholar

[3]

M. Bravenboer, E. Dolstra, and E. Visser. Preventing injection attacks with syntax embeddings. In GPCE, 2007.

Digital Library

Google Scholar

[4]

B. Chess and J. West. Dynamic taint propagation: Finding vulnerabilities without attacking. Information Security Tech. Report, 2008.

Digital Library

Google Scholar

[5]

A. Chlipala. Ur: statically-typed metaprogramming with type-level record computation. In PLDI, 2010.

Digital Library

Google Scholar

[6]

S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applications via automatic partitioning. In SOSP, 2007.

Digital Library

Google Scholar

[7]

B. J. Corcoran, N. Swamy, and M. Hicks. Cross-tier, Labeld-based Secuirty Enforcement for Web Applications. In ACM SIGMOD, 2009.

Digital Library

Google Scholar

[8]

S. Erdweg, T. Rendel, C. Kästner, and K. Ostermann. SugarJ: library-based language extensibility. In OOPSLA, 2011.

Digital Library

Google Scholar

[9]

S. Erdweg and F. Rieger. A Framework for Extensible Languages. In GPCE, 2013.

Digital Library

Google Scholar

[10]

S. Hussein, P. Meredith, and G. Roşlu. Security-policy monitoring and enforcement with javamop. In PLAS, 2012.

Digital Library

Google Scholar

[11]

B. Livshits and S. Chong. Towards Fully Automatic Placement of Security Sanitizers and Declassifiers. In POPL, 2013.

Digital Library

Google Scholar

[12]

L. Nistor, D. Kurilova, S. Balzer, B. Chung, A. Potanin, and J. Aldrich. Wyvern: A Simple, Typed, and Pure Object-oriented Language. In MASPEGHI, 2013.

Digital Library

Google Scholar

[13]

C. Omar, D. Kurilova, L. Nistor, B. Chung, A. Potanin, and J. Aldrich. Safely composable type-specific languages. To appear, ECOOP, 2014.

Digital Library

Google Scholar

[14]

P. Saxena, D. Molnar, and B. Livshits. Scriptgard: automatic context-sensitive sanitization for large-scale legacy web applications. In ACM CCS, 2011.

Digital Library

Google Scholar

Cited By

View all

Poll E(2018)LangSec Revisited: Input Security Flaws of the Second Kind2018 IEEE Security and Privacy Workshops (SPW)10.1109/SPW.2018.00051(329-334)Online publication date: May-2018
https://doi.org/10.1109/SPW.2018.00051
Kurilova DPotanin AAldrich JSunshine JLaToza TAnslow C(2014)WyvernProceedings of the 5th Workshop on Evaluation and Usability of Programming Languages and Tools10.1145/2688204.2688216(57-58)Online publication date: 21-Oct-2014
https://dl.acm.org/doi/10.1145/2688204.2688216

Index Terms

Type-specific languages to fight injection attacks

Recommendations

Defining code-injection attacks
POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

This paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as ...
Defining code-injection attacks
POPL '12

This paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as ...
Off-Path TCP Injection Attacks

We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a ...

Comments

Information & Contributors

Information

Published In

HotSoS '14: Proceedings of the 2014 Symposium and Bootcamp on the Science of Security

April 2014

184 pages

ISBN:9781450329071

DOI:10.1145/2600176

General Chair:
Laurie A. Williams
North Carolina State University
,
Program Chairs:
David M. Nicol
University of Illinois, Urbana-Champaign
,
Munindar P. Singh
North Carolina State University

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 April 2014

Check for updates

Qualifiers

Research-article

Conference

HotSoS '14

Sponsor:

No. Carolina State Univeresity

HotSoS '14: Symposium and Bootcamp on the Science of Security

April 8 - 9, 2014

North Carolina, Raleigh, USA

Acceptance Rates

HotSoS '14 Paper Acceptance Rate 12 of 21 submissions, 57%;

Overall Acceptance Rate 34 of 60 submissions, 57%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
60
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)0

Reflects downloads up to 06 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Poll E(2018)LangSec Revisited: Input Security Flaws of the Second Kind2018 IEEE Security and Privacy Workshops (SPW)10.1109/SPW.2018.00051(329-334)Online publication date: May-2018
https://doi.org/10.1109/SPW.2018.00051
Kurilova DPotanin AAldrich JSunshine JLaToza TAnslow C(2014)WyvernProceedings of the 5th Workshop on Evaluation and Usability of Programming Languages and Tools10.1145/2688204.2688216(57-58)Online publication date: 21-Oct-2014
https://dl.acm.org/doi/10.1145/2688204.2688216

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Defining code-injection attacks

Defining code-injection attacks

Off-Path TCP Injection Attacks