Preventing injection attacks with syntax embeddings
Authors: Martin Bravenboer, Eelco Dolstra
Affiliations:
a) Department of Computer Science, University of Massachusetts Amherst, 140 Governors Drive, Amherst, MA 01003, USA
b) Department of Software Technology, Delft University of Technology, Mekelweg 4, 2628 CD Delft, The Netherlands
Abstract: Software written in one language often needs to construct sentences in another language, such as SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic string manipulation, the concatenation of constants and client-supplied strings. A client can then supply specially crafted input that causes the constructed sentence to be interpreted in an unintended way, leading to an injection attack. We describe a more natural style of programming that yields code that is impervious to injections by construction. Our approach embeds the grammars of the guest languages (e.g. SQL) into that of the host language (e.g. Java) and automatically generates code that maps the embedded language to constructs in the host language that reconstruct the embedded sentences, adding escaping functions where appropriate. This approach is generic, meaning that it can be applied with relative ease to any combination of context-free host and guest languages.
Keywords: Injection attacks; Security; Syntax embedding; Program generation; Program transformation; Concrete object syntax
This paper is indexed in ScienceDirect and other databases.