Graduation Year

2013

Document Type

Thesis

Degree

M.S.C.S.

Degree Granting Department

Computer Science and Engineering

Major Professor

Jarred Ligatti

Keywords

Algorithms, Formal definitions, Parsing, Programming languages, Security

Abstract

This thesis shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as such. The flaws also make it possible for benign inputs to be treated as attacks. After describing these flaws in conventional definitions of code-injection attacks, this thesis proposes a new definition, which is based on whether the symbols input to an application get used as (normal-form) values in the application's output. Because values are already fully evaluated, they cannot be considered ``code'' when injected. This simple new definition of code-injection attacks avoids the problems of existing definitions, improves our understanding of how and when such attacks occur, and enables us to evaluate the effectiveness of mechanisms for mitigating such attacks.

Scholar Commons Citation

Ray, Donald, "Defining and Preventing Code-injection Attacks" (2013). USF Tampa Graduate Theses and Dissertations.
https://digitalcommons.usf.edu/etd/4566

Download

Included in

Computer Sciences Commons

COinS

USF Tampa Graduate Theses and Dissertations

Defining and Preventing Code-injection Attacks

Graduation Year

Document Type

Degree

Degree Granting Department

Major Professor

Keywords

Abstract

Scholar Commons Citation

Included in

Search

Browse By

Useful Links

USF Tampa Graduate Theses and Dissertations

Defining and Preventing Code-injection Attacks

Author

Graduation Year

Document Type

Degree

Degree Granting Department

Major Professor

Keywords

Abstract

Scholar Commons Citation

Included in

Share

Search

Browse By

Useful Links