OOPSLA/ECOOP '90 Proceedings of the European conference on object-oriented programming on Object-oriented programming systems, languages, and applications
A practical method for constructing efficient LALR(K) parsers with automatic error recovery
A practical method for constructing efficient LALR(K) parsers with automatic error recovery
Domain specific embedded compilers
Proceedings of the 2nd conference on Domain-specific languages
Meta-programming with Concrete Object Syntax
GPCE '02 Proceedings of the 1st ACM SIGPLAN/SIGSOFT conference on Generative Programming and Component Engineering
JTS: Tools for Implementing Domain-Specific Languages
ICSR '98 Proceedings of the 5th International Conference on Software Reuse
Generating LR syntax error messages from examples
ACM Transactions on Programming Languages and Systems (TOPLAS)
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Static Checking of Dynamically Generated Queries in Database Applications
Proceedings of the 26th International Conference on Software Engineering
JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications
Proceedings of the 26th International Conference on Software Engineering
OOPSLA '04 Proceedings of the 19th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
SQL DOM: compile time checking of dynamic SQL statements
Proceedings of the 27th international conference on Software engineering
Safe query objects: statically typed objects as remotely executable queries
Proceedings of the 27th international conference on Software engineering
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks
SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Declarative, formal, and extensible syntax definition for aspectJ
Proceedings of the 21st annual ACM SIGPLAN conference on Object-oriented programming systems, languages, and applications
Introduction to Automata Theory, Languages, and Computation (3rd Edition)
Introduction to Automata Theory, Languages, and Computation (3rd Edition)
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
The jastadd extensible java compiler
Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications
Grammar Engineering Support for Precedence Rule Recovery and Compatibility Checking
Electronic Notes in Theoretical Computer Science (ENTCS)
Stratego/XT 0.17. A language and toolset for program transformation
Science of Computer Programming
Precise analysis of string expressions
SAS'03 Proceedings of the 10th international conference on Static analysis
Polyglot: an extensible compiler framework for Java
CC'03 Proceedings of the 12th international conference on Compiler construction
The essence of data access in Cω: the power is in the dot!
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
Generalized type-based disambiguation of meta programs with concrete object syntax
GPCE'05 Proceedings of the 4th international conference on Generative Programming and Component Engineering
SugarJ: library-based syntactic language extensibility
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
Defining code-injection attacks
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Natural and Flexible Error Recovery for Generated Modular Language Environments
ACM Transactions on Programming Languages and Systems (TOPLAS)
Language composition untangled
Proceedings of the Twelfth Workshop on Language Descriptions, Tools, and Applications
An object-oriented approach to language compositions for software language engineering
Journal of Systems and Software
Hi-index | 0.00 |
Software written in one language often needs to construct sentences in another language, such as SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic string manipulation, the concatenation of constants and client-supplied strings. A client can then supply specially crafted input that causes the constructed sentence to be interpreted in an unintended way, leading to an injection attack. We describe a more natural style of programming that yields code that is impervious to injections by construction. Our approach embeds the grammars of the guest languages (e.g. SQL) into that of the host language (e.g. Java) and automatically generates code that maps the embedded language to constructs in the host language that reconstruct the embedded sentences, adding escaping functions where appropriate. This approach is generic, meaning that it can be applied with relative ease to any combination of context-free host and guest languages.