Automatically Preparing Safe SQL Queries

  • Conference paper
Financial Cryptography and Data Security (FC 2010)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6052)

Abstract

We present the first sound program-source transformation approach for automatically rewriting the code of a legacy web application to use PREPARE statements (prepared statements with bound parameters) in place of unsafe, string-constructed SQL queries. Our approach therefore opens the way to eradicating the SQL injection threat vector from legacy web applications.
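As an added illustration (example code written for this page, not code from the paper or its tool), the following Python/sqlite3 snippet shows the "before" and "after" forms the abstract contrasts: a query assembled by string concatenation, the same query as a prepared statement with bound parameters, and a deliberately simplified model of the rewrite that separates program constants from data. The fragment model, the to_prepared function, the table layout, the sample rows and the payload are all assumptions made here; the paper's actual analysis is not reproduced on this page.

```python
import sqlite3

# Constructed sample schema and rows (not from the paper).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.commit()
    return conn

# A classic tautology payload, constructed here only to show the difference.
PAYLOAD = "' OR '1'='1"

def login_unsafe(conn, user, pw):
    """'Before': the query text is assembled by string concatenation, so
    user-controlled data becomes part of the SQL grammar."""
    q = ("SELECT id FROM users WHERE name = '" + user
         + "' AND pw = '" + pw + "'")
    return [row[0] for row in conn.execute(q)]

def login_prepared(conn, user, pw):
    """'After': the SQL skeleton is a program constant with placeholders;
    the data travels separately and cannot change the query structure."""
    q = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(q, (user, pw))]

def to_prepared(fragments):
    """Simplified model of the rewrite (an assumption made for this page, not
    the paper's algorithm): given the query as an ordered list of
    ('const', text) and ('data', value) fragments, emit a placeholder query
    plus a parameter tuple. Single quotes that the original code wrapped
    around a data fragment are dropped, because the driver now handles the
    bound value itself. A data fragment quoted on one side only is rejected
    rather than silently producing a differently shaped query."""
    sql, params = [], []
    n = len(fragments)
    for i, (kind, value) in enumerate(fragments):
        prev_const = fragments[i - 1][1] if i > 0 and fragments[i - 1][0] == "const" else ""
        next_const = fragments[i + 1][1] if i + 1 < n and fragments[i + 1][0] == "const" else ""
        if kind == "data":
            if prev_const.endswith("'") != next_const.startswith("'"):
                raise ValueError("data fragment %d is not consistently quoted" % i)
            sql.append("?")
            params.append(value)
            continue
        text = value
        if i > 0 and fragments[i - 1][0] == "data" and text.startswith("'"):
            text = text[1:]
        if i + 1 < n and fragments[i + 1][0] == "data" and text.endswith("'"):
            text = text[:-1]
        sql.append(text)
    return "".join(sql), tuple(params)

def login_transformed(conn, user, pw):
    """The concatenation from login_unsafe written as fragments, rewritten by
    to_prepared, then executed with bound parameters."""
    fragments = [("const", "SELECT id FROM users WHERE name = '"),
                 ("data", user),
                 ("const", "' AND pw = '"),
                 ("data", pw),
                 ("const", "'")]
    q, params = to_prepared(fragments)
    return [row[0] for row in conn.execute(q, params)]

if __name__ == "__main__":
    conn = make_db()
    print(login_unsafe(conn, "alice", PAYLOAD))       # [1, 2]: the tautology bypasses the check
    print(login_prepared(conn, "alice", PAYLOAD))     # []: the payload is just a wrong password
    print(login_transformed(conn, "alice", PAYLOAD))  # []: same result after the rewrite
```

The rewrite hinges on knowing, at each concatenation site, which pieces of the query string are program constants and which are data. Once that split is known, the constants become the placeholder skeleton and the data become the bound arguments, so input can no longer alter the grammar of the query.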

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bisht, P., Sistla, A.P., Venkatakrishnan, V.N. (2010). Automatically Preparing Safe SQL Queries. In: Sion, R. (eds) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_21

  • DOI: https://doi.org/10.1007/978-3-642-14577-3_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14576-6

  • Online ISBN: 978-3-642-14577-3
