Injection vulnerabilities pose a major threat to application-level
security. Some of the more common types are SQL injection, cross-site
scripting and shell injection vulnerabilities. Existing methods
for defending against injection attacks, i.e. attacks that exploit
these vulnerabilities, rely heavily on the application developers
and are therefore error-prone.
Context Sensitive String Evaluation (CSSE) is a method to detect
and prevent injection attacks. CSSE works by addressing the root
cause of how such attacks can succeed, namely the ad-hoc serialization
of user-provided input. It provides a platform-enforced separation
of channels, using a combination of assignment of metadata to user-provided
input, metadata-preserving string operations and context-sensitive
string evaluation.
CSSE uses an instrumented execution environment (such as PHP or
Java) to track variables during program execution, and, by assigning
metadata, is able to detect and prevent injection attacks.
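The three ingredients named above (metadata assigned to input, string operations that carry that metadata along, and a check at the point where the string is evaluated in an output context) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not the paper's PHP or Java prototype: `MString`, `check_sql`, the tiny SQL lexer and the sample queries are all constructed here, and the lexer covers only quoted literals, numbers and words rather than a database's full grammar.

```python
import re
from dataclasses import dataclass
from typing import Tuple


class InjectionError(Exception):
    """Raised when untrusted characters would alter query structure."""


@dataclass(frozen=True)
class MString:
    """A string with one origin flag per character (the CSSE metadata).

    untrusted[i] is True when character i originated in user input.
    """
    text: str
    untrusted: Tuple[bool, ...]

    @staticmethod
    def trusted(text: str) -> "MString":
        # Literal text written by the developer: every character trusted.
        return MString(text, (False,) * len(text))

    @staticmethod
    def from_user(text: str) -> "MString":
        # Text taken from the request: every character untrusted.
        return MString(text, (True,) * len(text))

    def __len__(self) -> int:
        return len(self.text)

    def __add__(self, other) -> "MString":
        # Metadata-preserving concatenation: flags follow their characters.
        if isinstance(other, str):
            other = MString.trusted(other)
        return MString(self.text + other.text, self.untrusted + other.untrusted)

    def __radd__(self, other) -> "MString":
        return MString.trusted(other) + self

    def __getitem__(self, key) -> "MString":
        # Metadata-preserving slicing.
        if isinstance(key, slice):
            return MString(self.text[key], self.untrusted[key])
        return MString(self.text[key], (self.untrusted[key],))


# Simplified SQL lexer (illustrative): it only has to tell which syntactic
# role each character plays, not to parse the statement.
_SQL_TOKEN = re.compile(
    r"(?P<str>'(?:[^']|'')*')"            # quoted literal, '' escapes a quote
    r"|(?P<num>\d+(?:\.\d+)?)"             # numeric literal
    r"|(?P<word>[A-Za-z_][A-Za-z_0-9]*)"   # keyword or identifier
    r"|(?P<ws>\s+)"                        # token-separating whitespace
    r"|(?P<other>.)",                      # operators, punctuation, stray quotes
    re.DOTALL,
)


def check_sql(query: MString) -> str:
    """Context-sensitive evaluation for the SQL output context.

    Untrusted characters are accepted only as the content of a string
    literal whose two delimiting quotes are trusted, or as a whole numeric
    literal. In any other position (keyword, operator, whitespace, quote
    delimiter, comment marker) they would change the statement's
    structure, so the statement is rejected before it reaches the database.
    """
    for m in _SQL_TOKEN.finditer(query.text):
        kind = m.lastgroup
        start, end = m.span()
        flags = query.untrusted[start:end]
        if not any(flags):
            continue                  # written entirely by the developer
        if kind == "num":
            continue                  # a number is pure data
        if kind == "str" and not flags[0] and not flags[-1]:
            continue                  # developer's quotes, user's content
        raise InjectionError(
            f"untrusted characters in {kind} token {m.group()!r} at offset {start}"
        )
    return query.text


def is_safe(query: MString) -> bool:
    """True if check_sql accepts the query, False if it raises."""
    try:
        check_sql(query)
        return True
    except InjectionError:
        return False


# Sample application code (constructed): the developer concatenates as
# usual; the literal fragments are trusted, the parameter keeps its flags.
def lookup_query(name: MString) -> MString:
    return "SELECT id FROM users WHERE name = '" + name + "'"


def by_id_query(user_id: MString) -> MString:
    return "SELECT id FROM users WHERE id = " + user_id


if __name__ == "__main__":
    print(check_sql(lookup_query(MString.from_user("alice"))))
    print(check_sql(by_id_query(MString.from_user("42"))))
    # A user-supplied quote closes the literal early: rejected.
    print("tautology accepted?", is_safe(lookup_query(MString.from_user("' OR '1'='1"))))
    # A user-supplied space after the number starts a new token: rejected.
    print("numeric injection accepted?", is_safe(by_id_query(MString.from_user("42 OR 1=1"))))
```

The application code never calls anything CSSE-specific: it builds the query by concatenation exactly as it would on an uninstrumented platform, and the check fires only because `check_sql` stands in for the instrumented evaluation point (in the paper's PHP prototype, the database query function). That is the property the abstract describes as shifting the burden from application developers to the platform.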
CSSE requires neither application developer interaction nor application
source code modifications. Since only changes to the underlying
platform are needed, it effectively shifts the burden of implementing
countermeasures against injection attacks from the many application
developers to the small pool of security-savvy platform developers.
Our method is effective against most types of injection attacks,
and we show that it is also less error-prone than other solutions
proposed so far.
Currently, two prototype implementations are available:
· PHP: an instrumented PHP scripting engine (v. 5.0.2). We have
developed a prototype CSSE implementation for PHP, a platform that is
particularly prone to these vulnerabilities. We used our prototype
with phpBB, a well-known bulletin-board application, to validate our
method. CSSE detected and prevented all the SQL injection attacks we
could reproduce and incurred only reasonable run-time overhead. This
implementation is described in the paper below.

· Java: an implementation using AspectJ, modifying the behavior of
classes in the javax.servlet.* and javax.sql.* packages. There is
also an extension of this implementation which works with JSPs.