Countering code injection attacks: a unified approach

Dimitris Mitropoulos (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece)
Vassilios Karakoidas (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece)
Panagiotis Louridas (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece)
Diomidis Spinellis (Department of Management Science and Technology, Athens University of Economics and Business, Athens, Greece)

Information Management & Computer Security

ISSN: 0968-5227

Publication date: 19 July 2011

Abstract

Purpose

The purpose of this paper is to propose a generic approach that prevents a specific class of code injection attacks (CIAs) in a novel way.

Design/methodology/approach

To defend against CIAs, this approach detects attacks by using location-specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. The key property that differentiates the scheme presented in this paper is that these characteristics do not depend entirely on the code statement, but also take into account elements from its execution context.

Findings

The approach was applied successfully to defend against attacks targeting structured query language (SQL), XML Path Language and JavaScript with positive results.

Originality/value

Despite the many countermeasures that have been proposed, the number of CIAs has been increasing. Malicious users seem to find new ways to introduce compromised embedded executable code into applications by using a variety of languages and techniques. Hence, a generic approach that defends against such attacks would be a useful countermeasure. This approach can defend against attacks that involve both domain-specific languages (e.g. SQL) and general-purpose languages (e.g. JavaScript) and can be used against both client-side and server-side attacks.

Citation

Mitropoulos, D., Karakoidas, V., Louridas, P. and Spinellis, D. (2011), "Countering code injection attacks: a unified approach", Information Management & Computer Security, Vol. 19 No. 3, pp. 177-194. https://doi.org/10.1108/09685221111153555

Publisher: Emerald Group Publishing Limited

Copyright © 2011, Emerald Group Publishing Limited