Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/92071
Title: A black-box, code-injection prevention mechanism for COTS applications
Authors: Borg, David (2012)
Keywords: SQL (Computer program language); Web services; Penetration testing (Computer security)
Issue Date: 2012
Citation: Borg, D. (2012). A black-box, code-injection prevention mechanism for COTS applications (Bachelor's dissertation).
Abstract: Web application vulnerabilities such as SQL injection and cross-site scripting account for a large share of all reported vulnerabilities, and recent trends show that they are on the rise. A successful attack on an injection vulnerability lets an attacker execute arbitrary code with the privileges of the web application, which raises confidentiality and integrity concerns. Current defensive mechanisms generally require either (a) source code access, which is not always available, (b) binary instrumentation, which generally carries high performance overheads, or (c) detectors with high false positive rates. Web development frameworks tackle these vulnerabilities by giving developers tools to build the necessary protection in at development time. However, applications written for older frameworks, as well as applications that are already deployed, cannot benefit from these tools. The aim of this project is to build an efficient, black-box defensive mechanism that protects web applications with existing injection vulnerabilities from being exploited. Information flow techniques are used to identify untrusted information flows in order to reduce the false positive rate, and a policy framework restricts these flows and identifies attacks. Results show that this technique can achieve a very small false negative and false positive rate if the correct policies are used. A single false negative was identified: a request that only older browsers would interpret as an attack. A small number of false positives occurred on benign requests crafted to look similar to SQL injection attacks. Overall runtime overhead varies greatly depending on whether support for detecting stored cross-site scripting attacks is enabled.
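The abstract describes tracking untrusted information flows from request parameters into the SQL the application emits, and applying a policy to decide which flows are attacks. The following is an added illustration written for this page, not the dissertation's code (the PDF is restricted access, so its actual mechanism is not reproduced here): a taint check that a black-box proxy could run, with request parameters as the taint sources, the outgoing SQL text as the sink, and a per-parameter policy that allows a named parameter to supply a whole identifier. The tokenizer, `check_query`, the policy format and all sample requests and queries are constructed assumptions.

```python
"""Taint-based structural check for SQL injection, as a black-box proxy
might apply it: request parameters are the untrusted sources, the SQL
text the application sends to the database is the sink, and a request is
flagged when a tainted fragment contributes anything other than the body
of a string literal or a whole numeric literal, unless a policy allows it.
Illustrative code written for this page; not the dissertation's mechanism."""
import re
from dataclasses import dataclass

# Simplified SQL lexer: enough to separate literals, comments, words and operators.
TOKEN_RE = re.compile(r"""
      (?P<string>'(?:[^']|'')*')              # single-quoted literal, '' as escape
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)        # keyword or identifier
    | (?P<op><>|<=|>=|!=|\|\||[=<>(),;*+\-/%.])
    | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


@dataclass
class Token:
    kind: str
    text: str
    start: int
    end: int


def tokenize(sql: str) -> list[Token]:
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:  # e.g. an unterminated quote: keep it as a one-char operator
            tokens.append(Token("op", sql[pos], pos, pos + 1))
            pos += 1
            continue
        if m.lastgroup != "ws":
            tokens.append(Token(m.lastgroup, m.group(), m.start(), m.end()))
        pos = m.end()
    return tokens


def tainted_ranges(sql: str, params: dict[str, str]) -> list[tuple[int, int, str]]:
    """Locate every occurrence of each parameter value in the query, both raw
    and with quotes doubled (the form an escaping application emits). Substring
    matching stands in for the in-process taint tracking a proxy cannot do."""
    ranges = []
    for name, value in params.items():
        if len(value) < 2:  # one-character values match everywhere and cannot be attributed
            continue
        for variant in {value, value.replace("'", "''")}:
            start = sql.find(variant)
            while start != -1:
                ranges.append((start, start + len(variant), name))
                start = sql.find(variant, start + 1)
    return ranges


def check_query(sql, params, policy=None):
    """Return [(param name, tainted fragment)] for every flow that alters query
    structure. policy maps a parameter name to "identifier" when the application
    legitimately splices that value in as a whole column or table name."""
    policy = policy or {}
    tokens = tokenize(sql)
    violations = []
    for s, e, name in tainted_ranges(sql, params):
        covered = [t for t in tokens if s <= t.start and t.end <= e]
        overlapping = [t for t in tokens if t.start < e and s < t.end]
        if (policy.get(name) == "identifier" and len(overlapping) == 1
                and overlapping[0].kind == "word"
                and (overlapping[0].start, overlapping[0].end) == (s, e)):
            continue  # whole identifier supplied by an allow-listed parameter
        structural = [t for t in covered if t.kind in ("word", "op", "comment")]
        # A fragment that starts or ends outside a string literal's quotes has
        # broken out of the literal, even if it covers no whole token.
        breakout = [t for t in overlapping
                    if t.kind == "string" and not (t.start < s and e < t.end)]
        if structural or breakout:
            violations.append((name, sql[s:e]))
    return violations


if __name__ == "__main__":
    # Constructed requests and the SQL a hypothetical application built from them.
    cases = [
        ("login", {"user": "admin' OR '1'='1"},
         "SELECT * FROM users WHERE name = 'admin' OR '1'='1'", {}),
        ("comment injection", {"user": "admin'--"},
         "SELECT * FROM users WHERE name = 'admin'--' AND active = 1", {}),
        ("escaped look-alike", {"body": "admin' OR '1'='1"},
         "INSERT INTO notes (body) VALUES ('admin'' OR ''1''=''1')", {}),
        ("numeric id", {"id": "42"}, "SELECT * FROM items WHERE id = 42 LIMIT 10", {}),
        ("sort column, allowed by policy", {"sort": "created_at"},
         "SELECT id FROM posts ORDER BY created_at", {"sort": "identifier"}),
    ]
    for label, params, sql, policy in cases:
        print(f"{label:32} -> {check_query(sql, params, policy) or 'ok'}")
```

The "escaped look-alike" case is the point of the flow-based approach: the value contains a textbook injection payload, yet because the application escaped it the tainted bytes end up strictly inside one string literal, so no attack is reported, whereas a signature detector would fire. The approximation has the limitations the abstract alludes to: a benign value that happens to equal a keyword or table name already present in the query (say, a search term "users" against a query on the `users` table) covers a whole word token and would be flagged, and a value the application transforms in some way other than quote doubling would not be found at all. Without in-process taint tracking, the policy layer is what keeps both rates low.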
Description: B.Sc. IT (Hons)(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/92071
Appears in Collections: Dissertations - FacICT - 2012; Dissertations - FacICTCS - 2010-2015

Files in This Item: BSC(HONS)ICT_Borg, David_2012.PDF (Adobe PDF, 8.57 MB), restricted access.


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.