This paper defines and analyzes injection attacks. The definition is based on the NIE property, which states that an application’s untrusted inputs must only produce Noncode Insertions or Expansions (i.e., NIEs) in output programs. That is, when applications generate output programs (such as SQL queries) based on untrusted inputs, the NIE property requires that inputs only affect output programs by inserting or expanding noncode tokens (such as string and float literals, lambda values, pointers, etc). This paper calls attacks based on violating the NIE property BroNIEs (i.e., Broken NIEs) and shows that all code-injection attacks are BroNIEs. In addition, BroNIEs contain many malicious injections that do not involve injections of code; we call such attacks noncode-injection attacks. In order to mitigate both code- and noncode-injection attacks, this paper presents an algorithm for detecting and preventing BroNIEs.
CITATION STYLE
Ray, D., & Ligatti, J. (2014). Defining injection attacks. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8783, 425–441. https://doi.org/10.1007/978-3-319-13257-0_26
Mendeley helps you to discover research relevant for your work.