Secure code generation for web applications

Authors:
Martin Johns;Christian Beyerlein;Rosemaria Giesecke;Joachim Posegga
Affiliations:
SAP Research – CEC Karlsruhe;Department of Informatics, SVS, University of Hamburg;SAP Research – CEC Karlsruhe;Faculty for Informatics and Mathematics, ISL, University of Passau
Venue:
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Year:
2010

Citing 12
Cited 4

Securing web application code by static analysis and runtime protection

Proceedings of the 13th international conference on World Wide Web
SQL DOM: compile time checking of dynamic SQL statements

Proceedings of the 27th international conference on Software engineering
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
LINQ: reconciling object, relations and XML in the .NET framework

Proceedings of the 2006 ACM SIGMOD international conference on Management of data
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
SMask: preventing injection attacks in web applications by approximating automatic data/code separation

Proceedings of the 2007 ACM symposium on Applied computing
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of cross-site scripting vulnerabilities

Proceedings of the 30th international conference on Software engineering
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed

CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Defending against injection attacks through context-sensitive string evaluation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

SessionShield: lightweight protection against session hijacking

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Quo vadis? a study of the evolution of input validation vulnerabilities in web applications

FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
An empirical analysis of input validation mechanisms in web applications and languages

Proceedings of the 27th Annual ACM Symposium on Applied Computing
PreparedJS: secure script-templates for javascript

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

A large percentage of recent security problems, such as Cross-site Scripting or SQL injection, is caused by string-based code injection vulnerabilities. These vulnerabilities exist because of implicit code creation through string serialization. Based on an analysis of the vulnerability class' underlying mechanisms, we propose a general approach to outfit modern programming languages with mandatory means for explicit and secure code generation which provide strict separation between data and code. Using an exemplified implementation for the languages Java and HTML/JavaScript respectively, we show how our approach can be realized and enforced.