Purpose – The purpose of this paper is to propose a generic approach that prevents a specific class of code injection attacks (CIAs) in a novel way.
Design/methodology/approach – To defend against CIAs, this approach detects attacks by using location‐specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. The key property that differentiates the scheme presented in this paper is that these characteristics do not depend entirely on the code statement, but also take into account elements from its execution context.
Findings – The approach was applied successfully to defend against attacks targeting structured query language (SQL), XML Path Language and JavaScript with positive results.
Originality/value – Despite the many countermeasures that have been proposed, the number of CIAs has been increasing. Malicious users seem to find new ways to introduce compromised embedded executable code to applications by using a variety of languages and techniques. Hence, a generic approach that defends against such attacks would be a useful countermeasure. This approach can defend against attacks that involve both domain‐specific languages (e.g. SQL) and general purpose languages (e.g. JavaScript) and can be used against both client‐side and server‐side attacks.
Information Management & Computer Security – Emerald Publishing
Published: Jul 19, 2011
Keywords: Information security; Internet security; Security; Computer security; Data security; Computer crime
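The idea in the abstract, a signature that binds a statement to its execution context, can be sketched as follows; this is an added example, not the paper's implementation. It assumes the signature is a hash of the literal-stripped statement plus the calling function and line, and that signatures are learned in a training phase; `Guard`, `skeleton`, `find_user` and `export_users` are hypothetical names.

```python
import hashlib
import inspect
import re

# Assumption: quoted strings and numbers are data, so they are masked and the
# signature reflects statement structure only.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

def skeleton(stmt):
    masked = _LITERAL.sub("?", stmt)
    return re.sub(r"\s+", " ", masked).strip().lower()

def signature(stmt, depth=2):
    # Execution context (assumption): function name and line of the call site
    # that handed the statement to the guard.
    caller = inspect.stack(0)[depth]
    context = f"{caller.function}:{caller.lineno}"
    return hashlib.sha256(f"{context}|{skeleton(stmt)}".encode()).hexdigest()

class Guard:
    """Learns signatures in training mode, then rejects unknown ones."""
    def __init__(self):
        self.training = True
        self.known = set()

    def allow(self, stmt):
        sig = signature(stmt)  # depth 2 = whoever called allow()
        if self.training:
            self.known.add(sig)
            return True
        return sig in self.known

# Constructed sample application: string concatenation is deliberately unsafe.
def find_user(guard, name):
    return guard.allow(f"SELECT * FROM users WHERE name = '{name}'")

def export_users(guard, name):
    return guard.allow(f"SELECT * FROM users WHERE name = '{name}'")

def demo():
    guard = Guard()
    find_user(guard, "alice")              # training: learn the legitimate shape
    guard.training = False
    return (
        find_user(guard, "bob"),           # same structure, same location
        find_user(guard, "x' OR '1'='1"),  # injected input changes the structure
        export_users(guard, "bob"),        # same statement, unlearned location
    )
```

The third result shows the location-specific property: an otherwise valid statement is rejected when it is issued from a call site that was never seen during training.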