Secure Code Generation for Web Applications

A large percentage of recent security problems, such as Cross-site Scripting or SQL injection, is caused by string-based code injection vulnerabilities. These vulnerabilities exist because of implicit code creation through string serialization. Based on an analysis of the vulnerability class' underlying mechanisms, we propose a general approach to outfit modern programming languages with mandatory means for explicit and secure code generation which provide strict separation between data and code. Using an exemplified implementation for the languages Java and HTML/JavaScript respectively, we show how our approach can be realized and enforced.

[1]  Alessandro Orso,et al.  Using positive tainting and syntax-aware evaluation to counter SQL injection attacks , 2006, SIGSOFT '06/FSE-14.

[2]  R.A. McClure,et al.  SQL DOM: compile time checking of dynamic SQL statements , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[3]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[4]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[5]  Zhendong Su,et al.  Static detection of cross-site scripting vulnerabilities , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[6]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[7]  Giovanni Vigna,et al.  Static Enforcement of Web Application Integrity Through Strong Typing , 2009, USENIX Security Symposium.

[8]  Benjamin Livshits,et al.  Vulnerabilities in Java Applications with Static Analysis , 2005 .

[9]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[10]  Tadeusz Pietraszek,et al.  Defending Against Injection Attacks Through Context-Sensitive String Evaluation , 2005, RAID.

[11]  Gunter Ollmann Second - order code injection attacks , 2004 .

[12]  Brian Beckman,et al.  LINQ: reconciling object, relations and XML in the .NET framework , 2006, SIGMOD Conference.

[13]  Martin Johns,et al.  SMask: preventing injection attacks in web applications by approximating automatic data/code separation , 2007, SAC '07.

[14]  Wolfram Schulte,et al.  Unifying Tables, Objects and Documents , 2003 .

[15]  Matthew B. Dwyer,et al.  Proceedings of the 30th international conference on Software engineering , 2008, ICSE 2008.

[16]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.