ECOOP '01 Proceedings of the 15th European Conference on Object-Oriented Programming
The inlined reference monitor approach to security policy enforcement
The inlined reference monitor approach to security policy enforcement
ACM SIGPLAN Notices
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks
SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks
Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
Mop: an efficient and generic runtime verification framework
Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Static Program Analysis for Java Card Applets
CARDIS '08 Proceedings of the 8th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Efficient and extensible security enforcement using dynamic data flow analysis
Proceedings of the 15th ACM conference on Computer and communications security
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Test-Driving Static Analysis Tools in Search of C Code Vulnerabilities
COMPSACW '11 Proceedings of the 2011 IEEE 35th Annual Computer Software and Applications Conference Workshops
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Security-policy monitoring and enforcement with JavaMOP
Proceedings of the 7th Workshop on Programming Languages and Analysis for Security
TreeDroid: a tree automaton based approach to enforcing data processing policies
Proceedings of the 2012 ACM conference on Computer and communications security
ANDROMEDA: accurate and scalable security analysis of web applications
FASE'13 Proceedings of the 16th international conference on Fundamental Approaches to Software Engineering
Runtime verification based on register automata
TACAS'13 Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems
| Hi-index | 0.00 |
Improper input validation in Web Applications undermines their security and this may have disastrous consequences for the users. Input data can or cannot be harmful depending on how they are used with regard to the interactions with the clients and the accessed sensitive resources (e.g. databases and files). Existing application frameworks cannot guarantee safe input sanitization with respect to all vulnerabilities. Also, when legacy code is incorporated that was not originally written for the Web, its security hardening is costly and error-prone. We propose a reference monitor inlining approach that treats input injection vulnerabilities as a cross-cutting concern. Our monitors enforce high-level security policies for taint propagation control, by weaving checks and repair actions into the untrusted code. Taint policies are specified into JavaMOP, a programming framework for generating runtime monitors, which are weaved into the application through the automated Aspect Oriented Programming process. When monitor design is guided by preliminary static taint analysis, the incurred overhead can be reduced. Further improvements are feasible through JavaMOP's optimizations. As a proof of concept, we present the design and experimental validation of inlined monitors against SQL injection and cross-site scripting attacks.