SQLrand: Preventing SQL Injection Attacks

SQLrand: Preventing SQL Injection Attacks (2004)

Cached

Download Links

[www1.cs.columbia.edu]
[www.cs.purdue.edu]

Other Repositories/Bibliography

DBLP

by Stephen W. Boyd , Angelos D. Keromytis

Venue:	In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference
Citations:	68 - 4 self

BibTeX

@INPROCEEDINGS{Boyd04sqlrand:preventing,
    author = {Stephen W. Boyd and Angelos D. Keromytis},
    title = {SQLrand: Preventing SQL Injection Attacks},
    booktitle = {In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference},
    year = {2004},
    pages = {292--302}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web frontend, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker.

Citations

407	Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks - Cowan, Pu, et al.
340	A Secure Environment for Untrusted Helper Applications - Goldberg, Wagner, et al. - 1996
322	Flow-sensitive type qualifiers - Foster, Terauchi, et al. - 2002
314	A first step towards automated detection of buffer overrun vulnerabilities - Wagner, Foster, et al. - 2000
217	Improving host security with system call policies - Provos - 2003
202	Integrating Flexible Support for Security Policies into the Linux Operating System - LOSCOCCO, SMALLEY
182	Detecting format string vulnerabilities with type qualifiers - SHANKAR, TALWAR, et al. - 2001
162	Address obfuscation: an efficient approach to combat a broad range of memory error exploits - Bhatkar, Varney, et al. - 2003
158	Statically detecting likely buffer overflow vulnerabilities - Larochelle, Evans - 2001
142	Smashing the stack for fun and profit - One - 1996
140	Building diverse computer systems - Forrest, Somayaji, et al. - 1997
140	Countering code-injection attacks with instruction-set randomization - Kc, Keromytis, et al. - 2003
121	Hardening COTS software with generic software wrappers - Fraser, Badger, et al. - 1999
114	PointGuard: protecting pointers from buffer overflow vulnerabilities - Cowan, Beattie, et al. - 2003
110	Obfuscation of executable code to improve resistance to static disassembly - Linn, Debray - 2003
100	Cssv: Towards a realistic tool for statically detecting all buffer overflows - Dor, Rodeh, et al. - 2003
88	Randomized Instruction Set Emulation to Disrupt Binary Code Inject Attacks - Barrantes, Ackley, et al. - 2003
86	Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools - Garfinkel - 2003
83	SLIC: An Extensibility System for Commodity Operating Systems - Ghormley, Petrou, et al. - 1998
64	MAPbox: using parameterized behavior classes to confine untrusted applications - Acharya, Raje - 2000
49	Confining root programs with Domain and Type Enforcement (DTE - Walker, Sterne, et al. - 1996
47	TRON: process-specific file protection for the UNIX operating system - Berman, Bourassa, et al. - 1995
47	High coverage detection of input-related security faults - Larson, Austin - 2003
41	Flexible Containment Mechanism for Executing Untrusted Code - Peterson, Bishop, et al. - 2002
38	Type-assisted dynamic buffer overflow detection - Lee, Chapin - 2000
35	Report: "Consh: Confined Execution Environment for Internet Computations - Alexandrov, Kmiec, et al. - 1998
32	Using kernel hypervisors to secure applications - Mitchem, Lu, et al. - 1997
27	Trustedbsd: Adding trusted operating system features to freebsd - WATSON
26	Sandboxing Applications - Prevelakis, Spinellis - 2001
25	Mediating Connectors: A NonBypassable Process Wrapping Technology - Balzer, Goldman - 1999
17	Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies - Anupam, Mayer - 1998
15	and w00w00 Security Team: w00w00 on heap overflows. http://www.w00w00.org/files/articles/heaptut.txt - Conover - 1999
13	SubDomain: Parsimonious security for server appliances - Cowan, Beattie, et al. - 2000
11	The cracker patch choice: An analysis of post hoc security techniques - Cowan, Hinton, et al. - 2000
4	Web Application Disassembly wth ODBC Error Messages. http://www.nextgenss.com/papers/webappdis.doc - Litchfield