Preventing Injection Attacks with Syntax Embeddings: A Host and Guest Language Independent Approach

Preventing Injection Attacks with Syntax Embeddings: A Host and Guest Language Independent Approach

Bravenboer, M.
Dolstra, E.
Visser, E.

Electrical Engineering, Mathematics and Computer Science

Software Technology

2007-10-01

Software written in one language often needs to construct sentences in another language, such as SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic string manipulation, the concatenation of constants and client-supplied strings. A client can then supply specially crafted input that causes the constructed sentence to be interpreted in an unintended way, leading to an injection attack. We describe a more natural style of programming that yields code that is impervious to injections by construction. Our approach embeds the grammars of the guest languages (e.g., SQL) into that of the host language (e.g., Java) and automatically generates code that maps the embedded language to constructs in the host language that reconstruct the embedded sentences, adding escaping functions where appropriate. This approach is generic, meaning that it can be applied with relative ease to any combination of host and guest languages. Preprint accepted for publiction in: Generative Programming and Component Engineering, 6th International Conference, GPCE 2007, Salzburg, Austria, October 1-3, 2007

http://resolver.tudelft.nl/uuid:aab5f097-5662-447c-a216-f671c49fa965

Delft University of Technology, Software Engineering Research Group

1872-5392

Technical Report Series TUD-SERG-2007-003

Institutional Repository

report

(c) 2007 The authors. Software Engineering Research Group, Department of Software Technology, Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology.