Towards Practical Prevention of Code Injection Vulnerabilities on the Programming Language Level
Abstract
A large percentage of today’s security problems is caused by code injection vulnerabilities. Many of these vulnerabilities exist because of implicit code generation through string serialization. Based on an analysis of the underlying mechanisms, we propose a general model to outfit modern programming languages with means for explicit and secure code generation. Further, we identify the model’s key components: the language integration, the Foreign Language Encapsulation Type, and the abstraction layer. For each of these components we discuss several potential implementation strategies.

Summary: A large percentage of the code injection vulnerabilities currently being encountered exists because of the common practice of producing dynamically generated code by means of string concatenation. Based on an analysis of the fundamental causes responsible for this class of vulnerability, we describe a general model that allows code to be generated dynamically in a secure and explicit way. We then identify and describe the main components of our approach: the Language Integration, the Foreign Language Encapsulation Type, and the Abstraction Layer. For each of these components we discuss various implementation strategies.
Similar resources
Algebraic Matching of Vulnerabilities in a Low-Level Code
This paper explores the algebraic matching approach for detection of vulnerabilities in binary codes. The algebraic programming system is used for implementing this method. It is anticipated that models of vulnerabilities and programs to be verified are presented as behavior algebra and action language specifications. The methods of algebraic matching are based on rewriting rules and techniques...
Code Injection Vulnerabilities in Web Applications: Exemplified at Cross-site Scripting
The majority of all security problems in today’s Web applications is caused by string-based code injection, with Cross-site Scripting (XSS) being the dominant representative of this vulnerability class. This thesis discusses XSS and suggests defense mechanisms. We do so in three stages: First, we conduct a thorough analysis of JavaScript’s capabilities and explain how these capabilities are util...
Type-Based Enforcement of Secure Programming Guidelines - Code Injection Prevention at SAP
Code injection and cross-site scripting belong to the most common security vulnerabilities in modern software, usually caused by incorrect string processing. These exploits are often addressed by formulating programming guidelines or “best practices”. In this paper, we study the concrete example of a guideline used at SAP for the handling of untrusted, potentially executable strings that are em...
Eliminating SQL Injection and Cross Site Scripting Using Aspect Oriented Programming
Security vulnerabilities in the web applications that we use to shop, bank, and socialize online expose us to exploits that cost billions of dollars each year. This paper describes the design and implementation of AspectShield, a system designed to mitigate the most common web application vulnerabilities without requiring costly and potentially dangerous modifications to the source code of vuln...
Dynamic Taint Tracking in Managed Runtimes
This paper provides a taxonomy of runtime taint tracking approaches for managed code, such as code written in Java, C#, PHP, Perl, or Ruby. It covers main applications of data tainting such as preventing web application vulnerabilities including cross-site scripting and SQL injection attacks, along with disallowing privacy-sensitive data leaks. In addition to giving an overview of related litera...
Publication date: 2007