The Automatic Defense Mechanism for Malicious Injection Attack

Injection attack is a technique to inject codes into a computer program or system by taking advantage of the unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program. It is popular in system hacking or cracking to gain information, privilege escalation or unauthorized access to a system. Many application's security vulnerabilities result from generic injection problems. Examples of such vulnerabilities are SQL injection, shell injection and script injection (cross site scripting). Some applications attempt to protect themselves by filtering malicious input data, but it may not be viable to modify the source of such components (either because the code was shipped in binary form or because the license agreement is prohibitive). We have tried to develop a defense mechanism that can automatically produce a proper input validation function on security gateway to filter malicious injection. The security gateway is allocated in front of application server to eliminate malicious injection vulnerabilities. To verify the efficiency of the tool, we pick the Websites made up of some Web applications that often contain third-party vulnerable components shipped in binary form. Among these experiments, our defense mechanism has proved their efficiency to avoid malicious injection attack.

[1]  D. T. Lee,et al.  Verifying Web applications using bounded model checking , 2004, International Conference on Dependable Systems and Networks, 2004.

[2]  Jin-Cherng Lin,et al.  An Automatic Revised Tool for Anti-Malicious Injection , 2006, The Sixth IEEE International Conference on Computer and Information Technology (CIT'06).

[3]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[4]  D. T. Lee,et al.  A testing framework for Web application security assessment , 2005, Comput. Networks.

[5]  Shih-Kun Huang,et al.  Web application security assessment by fault injection and behavior monitoring , 2003, WWW '03.

[6]  John W. Lockwood,et al.  Deep packet inspection using parallel bloom filters , 2004, IEEE Micro.

[7]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[8]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.