Abstract Code Injection - A Semantic Approach Based on Abstract Non-Interference

Code injection attacks have been among the most critical security risks for almost a decade. These attacks are due to interference between an untrusted input (potentially controlled by an attacker) and the execution of a string-to-code statement, i.e., a statement that interprets its parameter as code. In this paper, we provide a semantics-based model of code injection that is parametric on what the programmer considers safe behaviors. In particular, we provide a general framework, based on abstract non-interference, for abstract code injection policies, i.e., policies characterizing safety against code injection w.r.t. a given specification of safe behaviors. We expect this new semantic perspective on code injection to provide deeper insight into the very nature of this security threat. Moreover, we devise a mechanism for enforcing (abstract) code injection policies that detects attacks soundly, i.e., without false negatives.
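The following is an added illustration of the abstract's central idea, not code from the paper or its authors. The string-to-code statement is a SQL query built by concatenation (the hypothetical `build_query`), and the "abstraction" that fixes what counts as a safe behavior is a function observing the generated code at some level of detail: `structure` observes the token-kind skeleton (literal values abstracted away), `keywords_only` observes just the keywords. An untrusted input interferes with the code, and so violates the policy, when it changes the observation relative to a benign reference value. The tokenizer, keyword set and all sample inputs are constructed for this example.

```python
"""
Added example: a small instance of the abstract non-interference view of
code injection.  Not part of the paper; names and sample values are
constructed.
"""
import re
from typing import Callable, Dict, List, Tuple

# A constructed (partial) keyword set; enough for the sample queries below.
KEYWORDS = {"select", "from", "where", "and", "or", "union", "insert",
            "update", "delete", "drop", "not", "null", "like", "in"}

# Token classes.  Order matters: string literals and comments come first so
# that a quote or "--" inside them is not tokenised separately.
TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')      # single-quoted literal, '' escapes a quote
  | (?P<COMMENT>--[^\n]*)        # line comment
  | (?P<NUM>\d+(?:\.\d+)?)       # numeric literal
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP>[=<>!]+|[(),;*])
  | (?P<WS>\s+)
  | (?P<OTHER>.)                 # anything else, e.g. an unbalanced quote
""", re.VERBOSE)


def tokenize(sql: str) -> List[Tuple[str, str]]:
    """Split SQL text into (kind, text) pairs; words become KW or IDENT."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "WORD":
            kind = "KW" if text.lower() in KEYWORDS else "IDENT"
        tokens.append((kind, text))
    return tokens


# --- abstractions: the "what the programmer considers safe" parameter -------

def structure(sql: str) -> Tuple[str, ...]:
    """Observe the token-kind skeleton; literal values are abstracted away."""
    return tuple("LIT" if k in ("STR", "NUM") else k for k, _ in tokenize(sql))


def keywords_only(sql: str) -> Tuple[str, ...]:
    """Coarser observation: only the sequence of keywords and comments."""
    return tuple(t.lower() for k, t in tokenize(sql) if k in ("KW", "COMMENT"))


# --- the string-to-code statement and the policy check ----------------------

def build_query(user_id: str) -> str:
    """Hypothetical vulnerable construction: untrusted text spliced into code."""
    return f"SELECT name FROM users WHERE id = '{user_id}'"


def interferes(template: Callable[[str], str], untrusted: str,
               observe: Callable[[str], Tuple[str, ...]],
               reference: str = "0") -> bool:
    """
    Abstract non-interference check: the untrusted input must not change the
    observed abstraction of the generated code compared with a benign
    reference value.  True means interference, i.e. a policy violation.
    """
    return observe(template(untrusted)) != observe(template(reference))


def audit(inputs: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Classify each input under the strict and the coarse abstraction."""
    return {inp: (interferes(build_query, inp, structure),
                  interferes(build_query, inp, keywords_only))
            for inp in inputs}


if __name__ == "__main__":
    # Constructed sample inputs: a plain id, a correctly escaped apostrophe,
    # a tautology-style injection, and an unescaped apostrophe.
    samples = ["42", "O''Brien", "x' OR 1=1 --", "O'Brien"]
    for inp, (strict, loose) in audit(samples).items():
        print(f"{inp!r:20} structure:{strict!s:6} keywords_only:{loose}")
```

Two things the run makes visible. First, the choice of abstraction is the policy: the unescaped apostrophe in `O'Brien` changes the token skeleton, so `structure` reports interference, while `keywords_only` sees the same keywords as for the reference value and reports none. Second, the structural check errs on the side of flagging: that input only produces a syntax error, not an attack, yet it is reported. That is the trade-off the abstract describes, detection without false negatives at the price of some false positives, and tightening the abstraction moves the balance.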
