Software written in one language often needs to construct sentences in another language, such as SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic string manipulation, the concatenation of constants and client-supplied strings. A client can then supply specially crafted input that causes the constructed sentence to be interpreted in an unintended way, leading to an injection attack. We describe a more natural style of programming that yields code that is impervious to injections by construction. Our approach embeds the grammars of the guest languages (e.g., SQL) into that of the host language (e.g., Java) and automatically generates code that maps the embedded language to constructs in the host language that reconstruct the embedded sentences, adding escaping functions where appropriate. This approach is generic, meaning that it can be applied with relative ease to any combination of host and guest languages.
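The contrast the abstract draws, concatenation versus construction by syntax embedding, as an added example in Python rather than the paper's Java host language (this is illustrative code, not the paper's generated code or the StringBorg/WebDSL implementation). The guest language is SQL; the node classes, the quote-doubling escaping rule, the identifier check and the sample input are all assumptions made here. The point it shows is structural: client data can only enter the sentence through a string-literal node, so the escaping is decided by the node's renderer rather than by whoever wrote the concatenation.

```python
"""Injection-safe construction of a guest-language sentence (SQL) inside a
host language (Python here), in the style the abstract describes: the program
builds the sentence from syntax nodes, and client-supplied data can only become
a string-literal node whose rendering applies the guest language's escaping.
Added example; node classes, escaping rule and sample input are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class StrLit:
    """SQL string literal: the only node through which client data enters."""
    value: str

    def render(self) -> str:
        # Standard SQL literal escaping: an embedded single quote is doubled.
        return "'" + self.value.replace("'", "''") + "'"


@dataclass(frozen=True)
class Ident:
    """Column or table name: part of the program text, never client data."""
    name: str

    def __post_init__(self) -> None:
        # Reject anything outside a conservative identifier syntax at
        # construction time (assumed rule), so a bad name fails early.
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", self.name):
            raise ValueError(f"invalid identifier: {self.name!r}")

    def render(self) -> str:
        return self.name


@dataclass(frozen=True)
class Eq:
    left: Expr
    right: Expr

    def render(self) -> str:
        return f"{self.left.render()} = {self.right.render()}"


@dataclass(frozen=True)
class And:
    left: Expr
    right: Expr

    def render(self) -> str:
        return f"({self.left.render()}) AND ({self.right.render()})"


Expr = Union[StrLit, Ident, Eq, And]


@dataclass(frozen=True)
class Select:
    columns: tuple[Ident, ...]
    table: Ident
    where: Expr

    def render(self) -> str:
        cols = ", ".join(c.render() for c in self.columns)
        return f"SELECT {cols} FROM {self.table.render()} WHERE {self.where.render()}"


def unhygienic_query(username: str) -> str:
    """The concatenation style the abstract warns against (for contrast)."""
    return "SELECT id FROM users WHERE name = '" + username + "'"


def embedded_query(username: str) -> str:
    """Same sentence built as a syntax tree; the client string is a StrLit."""
    query = Select(
        columns=(Ident("id",),),
        table=Ident("users"),
        where=Eq(Ident("name"), StrLit(username)),
    )
    return query.render()


def count_unescaped_quotes(sql: str) -> int:
    """Crude structural check: count single quotes that are not part of a
    doubled '' escape. An odd count means a literal boundary was broken,
    i.e. the sentence will be interpreted differently than intended."""
    return len(re.findall(r"(?<!')'(?!')", sql))


if __name__ == "__main__":
    # Constructed client input containing a quote, as in an ordinary surname.
    name = "O'Brien"
    print(unhygienic_query(name))  # the quote terminates the literal early
    print(embedded_query(name))    # the quote is rendered as '' inside it
```

With the input `O'Brien`, the concatenated sentence has three unescaped quotes and is no longer the sentence the programmer meant, while the tree-built one renders the name as `'O''Brien'` and stays a single literal. The same property holds for any input, because no code path can place client data anywhere except inside `StrLit.render`.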