Information Management & Computer Security

ISSN: 0968-5227

Online from: 1993

Subject Area: Information and Knowledge Management


Countering code injection attacks: a unified approach


Document Information:
Title: Countering code injection attacks: a unified approach
Author(s): Dimitris Mitropoulos, (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece), Vassilios Karakoidas, (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece), Panagiotis Louridas, (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece), Diomidis Spinellis, (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece)
Citation: Dimitris Mitropoulos, Vassilios Karakoidas, Panagiotis Louridas, Diomidis Spinellis, (2011) "Countering code injection attacks: a unified approach", Information Management & Computer Security, Vol. 19 Iss: 3, pp.177 - 194
Keywords: Computer crime, Computer security, Data security, Information security, Internet security, Security
Article type: Research paper
DOI: 10.1108/09685221111153555 (Permanent URL)
Publisher: Emerald Group Publishing Limited
Acknowledgements: The authors would like to thank Chuan Yue and Haining Wang for sharing with them details of their SpiderMonkey instrumentation efforts. The authors would also like to thank Konstantinos Stroggylos, Georgios Gousios and Titika Konstantinopoulou for their insightful comments during the writing of this paper. This research has been co-financed by the European Union (European Social Fund – ESF) and Greek national funds through the Operational Program “Education and Lifelong Learning” of the National Strategic Reference Framework – Research Funding Program: Heracleitus II. Investing in knowledge society through the ESF.
Abstract:

Purpose – The purpose of this paper is to propose a generic approach that prevents a specific class of code injection attacks (CIAs) in a novel way.

Design/methodology/approach – To defend against CIAs, this approach detects attacks by using location-specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. The key property that differentiates the scheme presented in this paper is that these characteristics do not depend entirely on the code statement, but also take into account elements from its execution context.

Findings – The approach was applied successfully to defend against attacks targeting structured query language (SQL), XML Path Language and JavaScript with positive results.

Originality/value – Despite the many countermeasures that have been proposed, the number of CIAs has been increasing. Malicious users seem to find new ways to introduce compromised embedded executable code to applications by using a variety of languages and techniques. Hence, a generic approach that defends against such attacks would be a useful countermeasure. This approach can defend against attacks that involve both domain-specific languages (e.g. SQL) and general purpose languages (e.g. JavaScript) and can be used against both client-side and server-side attacks.
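
The location-specific signature idea from the Design/methodology/approach paragraph, as an added illustration that is not the authors' implementation: it assumes SQL as the embedded language, literal-stripping as the statement characteristic, and the issuing function plus its caller as the execution context. `SignatureGuard`, `skeleton`, `find_user` and `export_users` are hypothetical names, and the queries are constructed.

```python
import hashlib
import re
import traceback

# Quoted strings and numbers are user data; everything else is statement structure.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")

def skeleton(statement):
    """Statement with literals replaced by '?' and whitespace/case normalised."""
    return re.sub(r"\s+", " ", _LITERAL.sub("?", statement)).strip().lower()

class SignatureGuard:
    def __init__(self):
        self.known = set()      # signatures recorded during training
        self.training = True

    def _signature(self, statement):
        # Drop the frames of _signature() and check(); keep the issuing
        # function and its caller as the "location" (assumed context).
        frames = traceback.extract_stack()[:-2][-2:]
        location = "<-".join(f.name for f in reversed(frames))
        data = location + "\n" + skeleton(statement)
        return hashlib.sha256(data.encode()).hexdigest()

    def check(self, statement):
        """Training: record and accept. Enforcing: accept known signatures only."""
        sig = self._signature(statement)
        if self.training:
            self.known.add(sig)
            return True
        return sig in self.known

guard = SignatureGuard()

def find_user(name):            # constructed, deliberately string-built query
    return guard.check(f"SELECT id FROM users WHERE name = '{name}'")

def export_users(name):         # same statement text, different location
    return guard.check(f"SELECT id FROM users WHERE name = '{name}'")

def demo():
    guard.known.clear()
    guard.training = True
    find_user("alice")          # training run with benign input
    guard.training = False
    return {"benign": find_user("bob"),
            "injected": find_user("x' OR '1'='1"),
            "other_location": export_users("bob")}

if __name__ == "__main__":
    print(demo())
```

The injected input is rejected because it changes the statement skeleton, and `export_users` is rejected even though its statement text matches a trained one, because its call location was never recorded.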


