SQLrand: Preventing SQL injection attacks - Boyd, Keromytis (2004)
Abstract: We present a practical protection mechanism against SQL injection
attacks. Such attacks target databases that are accessible through a web frontend,
and take advantage of flaws in the input validation logic of web components
such as CGI scripts. We apply the concept of instruction-set randomization to
SQL, creating instances of the language that are unpredictable to the attacker.
Cited by:
Bridging the Gap Between Web Application Firewalls and Web Applications - Lieven
Enforcing Privacy in Web Applications - Ariel Futoransky, Corelabs (2005)
A Unified Approach for Preventing Attacks Exploiting a.. - Xu, Bhatkar, Sekar
Active bibliography (related documents, with similarity score):
0.8: Countering Network Worms through Automatic Patch Generation - Sidiroglou, Keromytis (2003)
0.6: Using Execution Transactions To Recover From Buffer.. - Stelios Sidiroglou.. (2004)
0.6: Recursive Sandboxes: Extending Systrace to Empower Applications - Kurchuk, Keromytis
Similar documents based on text (with similarity score):
0.4: The Price of Safety in an Active Network - Alexander, Anagnostakis.. (1999)
0.3: gore: Routing-Assisted Defense against DDoS Attacks - Chou, Stavrou, Ioannidis..
0.3: Designing an Embedded Firewall/VPN Gateway - Vassilis Prevelakis And
Related documents from co-citation (with co-citation count):
2: Detecting format string vulnerabilities with type qualifiers - Shankar, Talwar et al. - 2001
2: Language-Based Information-Flow Security - Sabelfeld, Myers - 2003
2: Securing web application code by static analysis and runtime protection - Huang, Yu et al. - 2004
BibTeX entry:
Boyd, S., Keromytis, A.: SQLrand: Preventing SQL injection attacks. In Jakobsson, M., Yung, M., Zhou, J., eds.: Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference. Volume 3089 of Lecture Notes in Computer Science., Springer-Verlag (2004) 292--304. http://citeseer.ist.psu.edu/boyd04sqlrand.html
@misc{ boyd04sqlrand,
author = "S. Boyd and A. Keromytis",
title = "SQLrand: Preventing SQL injection attacks",
text = "Boyd, S., Keromytis, A.: SQLrand: Preventing SQL injection attacks. In
Jakobsson, M., Yung, M., Zhou, J., eds.: Proceedings of the 2nd Applied
Cryptography and Network Security (ACNS) Conference. Volume 3089 of Lecture
Notes in Computer Science., Springer-Verlag (2004) 292--304.",
year = "2004",
url = "citeseer.ist.psu.edu/boyd04sqlrand.html" }
Citations (may not include all citations), each prefixed with its CiteSeer citation count:
174: A Secure Environment for Untrusted Helper Applications - Goldberg, Wagner et al. - 1996
140: Stackguard: Automatic adaptive detection and prevention of b.. - Cowan, Pu et al. - 1998
69: A First Step towards Automated Detection of Buffer Overrun V.. - Wagner, Foster et al. - 2000
66: Smashing the stack for fun and profit - One - 1996
64: Detecting Format String Vulnerabilities with Type Qualifiers - Shankar, Talwar et al. - 2001
62: Hardening COTS Software with Generic Software Wrappers - Fraser, Badger et al. - 1999
54: SLIC: An Extensibility System for Commodity Operating System.. - Ghormley, Petrou et al. - 1998
45: Building Diverse Computer Systems - Forrest, Somayaji et al. - 1997
35: Statically Detecting Likely Buffer Overflow Vulnerabilities - Larochelle, Evans - 2001
33: A theory of type qualifiers - Foster, Fähndrich et al. - 1999
28: Mapbox: Using parameterized behavior classes to confine appl.. - Acharya, Raje - 2000
25: Improving Host Security with System Call Policies - Provos - 2003
21: Countering Code-Injection Attacks With Instruction-Set Rando.. - Kc, Keromytis et al. - 2003
21: Using Kernel Hypervisors to Secure Applications - Mitchem, Lu et al. - 1997
20: Address Obfuscation: an Efficient Approach to Combat a Broad.. - Bhatkar, DuVarney et al. - 2003
19: Traps and Pitfalls: Practical Problems in System Call Interp.. - Garfinkel - 2003
18: Confining root programs with domain and type enforcement - Walker, Stern et al. - 1996
16: Integrating Flexible Support for Security Policies into the .. - Loscocco, Smalley - 2001
16: PointGuard: Protecting Pointers From Buffer Overflow Vulnera.. - Cowan, Beattie et al. - 2003
16: Randomized Instruction Set Emulation to Disrupt Binary Code .. - Barrantes, Ackley et al. - 2003
15: ww heap overflow - Security, heap et al. - 1999
14: Consh: A confined execution environment for internet computa.. - Alexandrov, Kmiec et al. - 1998
14: Type-assisted dynamic buffer overflow detection - Lhee, Chapin - 2002
12: CSSV: Towards a realistic tool for statically detecting all .. - Dor, Rodeh et al. - 2003
11: Obfuscation of Executable Code to Improve Resistance to Stat.. - Linn, Debray - 2003
10: A Flexible Containment Mechanism for Executing Untrusted Cod.. - Peterson, Bishop et al. - 2002
10: TRON: Process-Specific File Protection for the UNIX Operatin.. - Berman, Bourassa et al. - 1995
10: SubDomain: Parsimonious Security for Server Appliances - Cowan, Beattie et al. - 2000
9: Security of Web Browser Scripting Languages: Vulnerabilities - Anupam, Mayer - 1998
8: Mediating connectors: A non-bypassable process wrapping tech.. - Balzer, Goldman - 1999
8: Sandboxing Applications - Prevelakis, Spinellis - 2001
8: High Coverage Detection of Input-Related Security Faults - Larson, Austin - 2003
7: Advanced SQL Injection In SQL Server Applications - Anley - 2002
5: The Cracker Patch Choice: An Analysis of Post Hoc Security T.. - Cowan, Hinton et al. - 2000
4: TrustedBSD: Adding Trusted Operating System Features to Free.. - Watson - 2001
Documents on the same site (http://www1.cs.columbia.edu/~angelos/cv.html):
Just Fast Keying: Key Agreement in a Hostile Internet - Aiello, Bellovin, Blaze.. (2004)
Automated Recovery in a Secure Bootstrap Process - Arbaugh, Keromytis, Farber.. (1998)
Requirements for Scalable Access Control and Security.. - Keromytis, Smith (2002)
CiteSeer.IST - Copyright Penn State and NEC