PHP Aspis: using partial taint tracking to protect against injection attacks

Papagiannis, Ioannis and Migliavacca, Matteo and Pietzuch, Peter (2011) PHP Aspis: using partial taint tracking to protect against injection attacks. In: WebApps'11 Proceedings of the 2nd USENIX conference on Web application development. USENIX Association, Berkeley, California, USA, pp. 13-24. ISBN 978931971867. (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided)

Abstract

Web applications are increasingly popular victims of security attacks. Injection attacks, such as Cross Site Scripting or SQL Injection, are a persistent problem.

Even though developers are aware of them, the suggested best practices for protection are error prone: unless all user input is consistently filtered, any application may be vulnerable. When hosting web applications, administrators face a dilemma: they can only deploy applications that are trusted, or they risk their system's security. To prevent injection vulnerabilities, we introduce PHP Aspis: a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis augments values with taint meta-data to track their origin in order to detect injection vulnerabilities. To improve performance, PHP Aspis carries out taint propagation only in an application's most vulnerable parts: third-party plugins. We evaluate PHP Aspis with Wordpress, a popular open source weblog platform, and show that it prevents all code injection exploits that were found in Wordpress plugins in 2010.
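The following is an added illustration of the idea the abstract describes, value-level taint meta-data that records a value's origin, follows it through plugin code, and is checked at a sink; it is not PHP Aspis code, and the class, function names and the sample request value are constructed for this example.

```php
<?php
// Added illustration of value-level taint metadata (not PHP Aspis code).
// A value carries its origin; operations in tracked (plugin) code propagate
// the taint, sanitisation removes it, and a sink refuses tainted values.
final class Tainted {
    public function __construct(public string $value, public string $origin) {}
}

// Constructed sample: a value that plugin code read from user input.
function fromRequest(array $get, string $key): Tainted {
    return new Tainted($get[$key] ?? '', "GET[$key]");
}

// Concatenation in tracked code keeps the taint and records every origin.
function taintedConcat(string|Tainted ...$parts): string|Tainted {
    $text = '';
    $origins = [];
    foreach ($parts as $p) {
        if ($p instanceof Tainted) {
            $text .= $p->value;
            $origins[] = $p->origin;
        } else {
            $text .= $p;
        }
    }
    return $origins ? new Tainted($text, implode(',', $origins)) : $text;
}

// Sanitisation clears the taint: the result is a plain, untracked string.
function sanitizeHtml(Tainted $t): string {
    return htmlspecialchars($t->value, ENT_QUOTES, 'UTF-8');
}

// A guarded output sink: any value that still carries taint is rejected.
function echoHtml(string|Tainted $v): string {
    if ($v instanceof Tainted) {
        throw new RuntimeException("injection blocked: tainted value from {$v->origin}");
    }
    return $v;
}

// Plugin path 1: unsanitised user input reaches the sink and is detected.
$name = fromRequest(['name' => '<script>alert(1)</script>'], 'name');
try {
    echoHtml(taintedConcat('<p>Hello ', $name, '</p>'));
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
// Plugin path 2: the sanitised value has no taint and passes the sink.
echo echoHtml(taintedConcat('<p>Hello ', sanitizeHtml($name), '</p>')), "\n";
```

The example needs PHP 8.0 or later for the constructor property promotion and union types it uses.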

Item Type: Book section
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Faculties > Sciences > School of Computing > Security Group
Faculties > Sciences > School of Computing > Data Science
Depositing User: Matteo Migliavacca
Date Deposited: 23 Oct 2012 20:42 UTC
Last Modified: 24 Jan 2020 04:04 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/31861 (The current URI for this page, for reference purposes)
Migliavacca, Matteo: https://orcid.org/0000-0002-5684-4865