Fatal injection: a survey of modern code injection attack countermeasures

PeerJ Computer Science
Also known in statistics as type I and type II errors (Peck & Devore, 2010).

Introduction and Covered Area

  • Flexibility: We check if an approach can be adjusted in order to detect different code injection attack categories.

  • Effectiveness Tests: Since we examine security mechanisms that detect either attacks or defects, we want to see whether researchers have measured the effectiveness of their proposed mechanisms in terms of false positive and false negative rates.

  • Implementation independence: We check if the mechanisms depend either on the characteristics of the programming language that was used to develop them or on the implementation details of the protecting entity.

  • Computational Overhead: Finally, we examine whether a mechanism imposes a cost through its use, as it may add extra computation to an application.

Code Injection Attacks

(define (add x y) (+ x y))
  • They can occur in different layers, such as databases, libraries, native code and the browser.

  • They span a wide range of security issues, such as viewing sensitive information, editing of personal data, or even stopping the execution of a system.

Countermeasures

  • Static Analysis involves the inspection of either source or binary code to find software bugs that could lead to a code injection attack without actually executing the program.

  • Dynamic Detection observes the behavior of a running system in order to detect and prevent a code injection attack.

Static analysis

Simple pattern matching

Lexical analysis

Data-flow analysis

// The request parameter is concatenated into the SQL text that executeQuery runs
String uName = request.getParameter("username");
String query = null;
if (uName != null) {
    query = "SELECT * " +
            "FROM table WHERE uname = '" + uName + "'";
    rs = stmt.executeQuery(query);
} else {
    ...
}
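A toy version of the data-flow analysis this snippet calls for, added here as an example (not code from the paper): it tracks which variables may hold request data and reports every query-execution call that receives one. The programs are hand-built statement lists mirroring the Java above; the source, sink and sanitizer names (`getParameter`, `executeQuery`, a hypothetical `escape`) and the `concat` pseudo-call standing in for `+` are assumptions. Beyond the vulnerable snippet it also runs the analysis over a prepared-statement rewrite and an escape-then-concatenate variant, to show where the technique reports nothing and why the second of those silent results rests on trusting the sanitizer.

```python
"""Toy forward taint data-flow analysis (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import List, Tuple

SOURCES = {"getParameter"}            # where untrusted data enters (assumed)
SINKS = {"executeQuery", "execute"}   # where a string becomes SQL (assumed)
SANITIZERS = {"escape"}               # hypothetical helper that neutralises a value


@dataclass(frozen=True)
class Stmt:
    target: str             # variable written ("" for a call whose result is unused)
    func: str               # callee method name ("" for a plain assignment of a literal)
    args: Tuple[str, ...]   # variables read; string literals are omitted (constants are never tainted)


def taint_analysis(program: List[Stmt]) -> List[Tuple[int, str, List[str]]]:
    """Walk the program once, tracking which variables may hold untrusted data.

    Returns (statement index, sink name, tainted argument names) for every sink
    call that receives tainted data. Straight-line code only: the `if` of the
    Java snippet is flattened, which is conservative (the branch is assumed reachable).
    """
    tainted = set()
    findings = []
    for i, s in enumerate(program):
        tainted_args = sorted(a for a in s.args if a in tainted)
        if s.func in SINKS and tainted_args:
            findings.append((i, s.func, tainted_args))
        if not s.target:
            continue
        if s.func in SOURCES:
            tainted.add(s.target)         # fresh untrusted value
        elif s.func in SANITIZERS:
            tainted.discard(s.target)     # trusted again, but only if escape() fits the SQL context
        elif tainted_args:
            tainted.add(s.target)         # taint propagates through concatenation and the like
        else:
            tainted.discard(s.target)     # overwritten with clean data
    return findings


# The paper's snippet: uName flows into the query string and then into executeQuery.
VULNERABLE = [
    Stmt("uName", "getParameter", ()),
    Stmt("query", "", ()),                    # String query = null;
    Stmt("query", "concat", ("uName",)),      # "SELECT * FROM table WHERE uname = '" + uName + "'"
    Stmt("rs", "executeQuery", ("query",)),
]

# Prepared-statement rewrite: uName is bound as data and never becomes part of the SQL text.
PREPARED = [
    Stmt("uName", "getParameter", ()),
    Stmt("ps", "prepareStatement", ()),       # constant SQL with a '?' placeholder
    Stmt("", "setString", ("uName",)),        # parameter binding is not a code sink
    Stmt("rs", "executeQuery", ()),
]

# Escape before concatenation: the analysis takes the sanitizer on trust, so this
# is silent even if escape() were inadequate for the target context (a false negative).
SANITIZED = [
    Stmt("uName", "getParameter", ()),
    Stmt("safe", "escape", ("uName",)),
    Stmt("query", "concat", ("safe",)),
    Stmt("rs", "executeQuery", ("query",)),
]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("prepared", PREPARED), ("sanitized", SANITIZED)):
        print(f"{name}: {taint_analysis(prog) or 'no tainted sink calls'}")
```

The sanitizer set is the weak point of any such analysis: a source-to-sink path through a function the tool has been told is safe is invisible, which is one reason the survey's effectiveness criterion asks for measured false negative rates rather than a demonstration on a single vulnerable program.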

Model checking

Symbolic execution

Type system extensions

Dynamic detection

Runtime tainting

#!/usr/bin/perl -T
# -T switches on taint mode: every value that enters from outside the program is tainted
use strict;
use warnings;
use CGI;
use DBI;

my $cgi = CGI->new;
my $dbh = DBI->connect("dbi:SQLite:dbname=users.db", "", "", { RaiseError => 1 });  # illustrative DSN
my $name = $cgi->param("foo");   # tainted: it came from the request
...
$dbh->{TaintIn} = 1;             # DBI now dies if tainted data is passed to any of its methods
$dbh->do("SELECT * FROM users WHERE name = '$name';");   # dies here: the tainted value reached the database

Instruction set randomization

Policy enforcement

Whitelisting

Analysis and Discussion

Flexibility

Effectiveness tests

Implementation independence

Computational overhead

A note on usability

Emerging Challenges

<?php
// The POST parameter is spliced into JavaScript that the database server will evaluate
$username = $_POST['username'];
$db->execute("print('Hello, $username!');");
?>

Conclusions

Additional Information and Declarations

Competing Interests

The authors declare there are no competing interests.

Author Contributions

Dimitris Mitropoulos analyzed the data, wrote the paper, prepared figures and/or tables, reviewed drafts of the paper.

Diomidis Spinellis wrote the paper, reviewed drafts of the paper.

Data Availability

The following information was supplied regarding data availability:

The research in this article did not generate, collect or analyse any raw data or code.

Funding

This work was funded under Action 2 of the Athens University of Economics and Business Research Center Program for Excellence and Extroversion of the academic year 2016/2017 (EP-2606-01: The “Meta-Life” of JavaScript). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
