Sciweavers

Share
RAID
2005
Springer

Defending Against Injection Attacks Through Context-Sensitive String Evaluation

11 years 6 months ago
Defending Against Injection Attacks Through Context-Sensitive String Evaluation
Abstract. Injection vulnerabilities pose a major threat to applicationlevel security. Some of the more common types are SQL injection, crosssite scripting and shell injection vulnerabilities. Existing methods for defending against injection attacks, that is, attacks exploiting these vulnerabilities, rely heavily on the application developers and are therefore error-prone. In this paper we introduce CSSE, a method to detect and prevent injection attacks. CSSE works by addressing the root cause why such attacks can succeed, namely the ad-hoc serialization of user-provided input. It provides a platform-enforced separation of channels, using a combination of assignment of metadata to user-provided input, metadata-preserving string operations and context-sensitive string evaluation. CSSE requires neither application developer interaction nor application source code modifications. Since only changes to the underlying platform are needed, it effectively shifts the burden of implementing cou...
Tadeusz Pietraszek, Chris Vanden Berghe
Added 28 Jun 2010
Updated 28 Jun 2010
Type Conference
Year 2005
Where RAID
Authors Tadeusz Pietraszek, Chris Vanden Berghe
Comments (0)
books