AutoRand: Automatic Keyword Randomization to Prevent Injection Attacks

  • Jeff Perkins
  • Jordan Eikenberry
  • Alessandro Coglio
  • Daniel Willenson
  • Stelios Sidiroglou-Douskos
  • Martin Rinard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)


AutoRand automatically transforms Java applications to use SQL keyword randomization to defend against SQL injection vulnerabilities. AutoRand is completely automatic. Unlike previous approaches, it requires no manual modifications to existing code and does not require source (it works directly on Java bytecode). It can thus easily be applied to the large number of existing, potentially insecure applications without developer assistance. Our key technical innovation is augmented strings. Augmented strings allow extra information (such as random keys) to be embedded within a string. AutoRand transforms string operations so that the extra information is transparent to the program but is always propagated with each string operation. AutoRand checks each keyword at SQL statements for the random key. Experimental results on large, production Java applications and malicious inputs provided by an independent evaluation team hired by an agency of the United States government showed that AutoRand successfully blocked all SQL injection attacks and preserved transparent execution for benign inputs, all with low overhead.



We thank the MITRE Corporation test and evaluation team for creating an automatic and thorough testing apparatus. We thank Stephen Fitzpatrick and Eric McCarthy of Kestrel Institute for their contributions to the project. We thank Michael Gordon of Aarno Labs for comments that greatly improved the manuscript.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Jeff Perkins (1)
  • Jordan Eikenberry (1)
  • Alessandro Coglio (2)
  • Daniel Willenson (1)
  • Stelios Sidiroglou-Douskos (1)
  • Martin Rinard (1)
  1. MIT/CSAIL, Cambridge, USA
  2. Kestrel Institute, Palo Alto, USA
