Design of a safe string library for C
Software—Practice & Experience
A refactoring tool for Smalltalk
Theory and Practice of Object Systems - Special issue object-oriented software evolution and re-engineering
Refactoring: improving the design of existing code
Building secure software: how to avoid security problems the right way
Core J2EE Patterns: Best Practices and Design Strategies
Stratego: A Language for Program Transformation Based on Rewriting Strategies
RTA '01 Proceedings of the 12th International Conference on Rewriting Techniques and Applications
CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs
CC '02 Proceedings of the 11th International Conference on Compiler Construction
ITS4: A static vulnerability scanner for C and C++ code
ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
Using Program Transformation to Secure C Programs Against Buffer Overflows
WCRE '03 Proceedings of the 10th Working Conference on Reverse Engineering
Refactoring to Patterns
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Preventing SQL injection attacks using AMNESIA
Proceedings of the 28th international conference on Software engineering
Precise alias analysis for static detection of web application vulnerabilities
Proceedings of the 2006 workshop on Programming languages and analysis for security
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Using Automated Fix Generation to Secure SQL Statements
ICSEW '07 Proceedings of the 29th International Conference on Software Engineering Workshops
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
strlcpy and strlcat: consistent, safe, string copy and concatenation
ATEC '99 Proceedings of the annual conference on USENIX Annual Technical Conference
Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications
CANDID: preventing sql injection attacks using dynamic candidate evaluations
Proceedings of the 14th ACM conference on Computer and communications security
Security oriented program transformations (or how to add security on demand)
Companion to the 23rd ACM SIGPLAN conference on Object-oriented programming systems languages and applications
Evolution of the MTA architecture: the impact of security
Software—Practice & Experience
Software development is program transformation
Proceedings of the FSE/SDP workshop on Future of software engineering research
Idea: interactive support for secure software development
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Code-motion for API migration: fixing SQL injection vulnerabilities in Java
Proceedings of the 4th Workshop on Refactoring Tools
An 'explicit type enforcement' program transformation tool for preventing integer vulnerabilities
Proceedings of the ACM international conference companion on Object oriented programming systems languages and applications companion
ASIDE: IDE support for web application security
Proceedings of the 27th Annual Computer Security Applications Conference
SQL injection attack mechanisms and prevention techniques
ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
Program transformations to fix C integers
Proceedings of the 2013 International Conference on Software Engineering
Injection attacks and their defense demand a great deal of creativity from both attackers and secure system developers. Unfortunately, while attackers increasingly rely on systematic approaches to find and exploit vulnerabilities, developers still follow the traditional practice of writing ad hoc checks in source code. This paper shows that security engineering against injection attacks need not be ad hoc: protection can be introduced at different layers of a system by systematically applying general-purpose, security-oriented program transformations. These transformations are automated, so they can be applied to new systems at the design and implementation stages and to existing systems during maintenance.
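To make the abstract's claim concrete, the following is an added example, not code from the paper or its tool: a small, source-to-source transformation in the spirit of the "API migration" fix for SQL injection cited above, written here in Python over the standard `ast` module. It rewrites `cursor.execute(<string built by concatenation or f-string>)` into `cursor.execute(<template with ? placeholders>, (<pieces>,))`, leaves any call whose argument it cannot see through untouched, and then runs the original and transformed code against a throwaway in-memory SQLite table to show the attack neutralised. The class and function names (`ParameterizeSql`, `harden`, `row_counts`) and the `VULNERABLE` sample source are all constructed for this illustration.

```python
import ast
import re
import sqlite3


class ParameterizeSql(ast.NodeTransformer):
    """Rewrite `<obj>.execute(<string built from pieces>)` into
    `<obj>.execute(<template with ? placeholders>, (<pieces>,))`.

    Recognises two vulnerable shapes:
        cur.execute("... WHERE name = '" + name + "'")
        cur.execute(f"... WHERE id = {uid}")
    Calls whose argument is not a statically visible concatenation (a bare
    variable, a helper call, a %-format) are left untouched, so the
    transformation never changes the meaning of a query it cannot see.
    """

    def __init__(self):
        self.rewritten = 0

    def visit_Call(self, node):
        self.generic_visit(node)
        if not (isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and len(node.args) == 1 and not node.keywords):
            return node
        pieces = self._pieces(node.args[0])
        is_str = lambda p: isinstance(p, ast.Constant) and isinstance(p.value, str)
        if not any(is_str(p) for p in pieces):
            return node                      # opaque expression: leave alone
        template, params = "", []
        for piece in pieces:
            if is_str(piece):
                template += piece.value
            else:
                template += "?"
                params.append(piece)         # becomes a bound parameter
        if not params:
            return node                      # constant query, nothing to fix
        # A placeholder must not sit inside SQL quotes: '?' would be the
        # literal string "?" rather than a bound parameter.
        template = re.sub(r"'\?'", "?", template)
        new = ast.Call(func=node.func,
                       args=[ast.Constant(template),
                             ast.Tuple(elts=params, ctx=ast.Load())],
                       keywords=[])
        self.rewritten += 1
        return ast.copy_location(new, node)

    def _pieces(self, expr):
        """Flatten `a + b + c` or an f-string into an ordered list of nodes."""
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Add):
            return self._pieces(expr.left) + self._pieces(expr.right)
        if isinstance(expr, ast.JoinedStr):
            out = []
            for v in expr.values:
                if isinstance(v, ast.FormattedValue):
                    if v.format_spec is not None or v.conversion != -1:
                        return [expr]        # !r / :fmt alter the text; do not guess
                    out.append(v.value)
                else:
                    out.append(v)
            return out
        return [expr]                        # any other leaf (Name, Call, ...)


def harden(source: str) -> tuple[str, int]:
    """Apply the transformation to module source; return (new source, count)."""
    tree = ast.parse(source)
    t = ParameterizeSql()
    tree = ast.fix_missing_locations(t.visit(tree))
    return ast.unparse(tree), t.rewritten


# Constructed sample of the kind of code the transformation targets.
VULNERABLE = '''\
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchall()

def find_by_id(cur, uid):
    cur.execute(f"SELECT id FROM users WHERE id = {uid}")
    return cur.fetchall()

def run_any(cur, stmt):
    cur.execute(stmt)    # not a visible concatenation: left as-is
    return cur.fetchall()
'''


def row_counts(source: str, name: str, uid: str) -> tuple[int, int]:
    """Load `source` as a module and run both lookups against an in-memory
    SQLite table holding two users; return the row count of each query."""
    ns = {}
    exec(compile(source, "<sql-demo>", "exec"), ns)
    cur = sqlite3.connect(":memory:").cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return len(ns["find_user"](cur, name)), len(ns["find_by_id"](cur, uid))


if __name__ == "__main__":
    hardened, n = harden(VULNERABLE)
    print(f"{n} execute() calls rewritten\n{hardened}")
    print("before:", row_counts(VULNERABLE, "' OR '1'='1", "1 OR 1=1"))
    print("after: ", row_counts(hardened, "' OR '1'='1", "1 OR 1=1"))
```

The transformation is deliberately conservative: it only touches calls whose argument is a concatenation or f-string with at least one string literal, and it bails out of f-string pieces carrying `!r` or a format spec, because those change the text in ways the rewrite cannot reproduce as a bound parameter. That conservatism is the practical point of the abstract's "systematic" approach: a transformation that is applied mechanically across a code base must refuse to guess rather than silently alter query semantics.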