ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
Thu 24 Sep 2020 17:10 - 18:10 at Kangaroo - Most Influential Paper & Closing Chair(s): Elisabetta Di Nitto

The use of web applications has become increasingly popular in our routine activities, such as reading the news, paying bills, and shopping on-line. As the availability of these services grows, we are witnessing an increase in the number and sophistication of attacks that target them. In particular, SQL injection, a class of code-injection attacks in which specially crafted input strings result in illegal queries to a database, has become one of the most serious threats to web applications. In this paper we present and evaluate a new technique for detecting and preventing SQL injection attacks. Our technique uses a model-based approach to detect illegal queries before they are executed on the database. In its static part, the technique uses program analysis to automatically build a model of the legitimate queries that could be generated by the application. In its dynamic part, the technique uses runtime monitoring to inspect the dynamically-generated queries and check them against the statically-built model. We developed a tool, AMNESIA, that implements our technique and used the tool to evaluate the technique on seven web applications. In the evaluation we targeted the subject applications with a large number of both legitimate and malicious inputs and measured how many attacks our technique detected and prevented. The results of the study show that our technique was able to stop all of the attempted attacks without generating any false positives.
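The static model plus runtime check described in the abstract, as an added example that is not the paper's own tool: AMNESIA derives its model from Java servlet code by program analysis, whereas this constructed Python sketch hand-writes one query site's hard-coded SQL with `?` marking where user input is spliced in, and reduces the model to a single token sequence in which each `?` may be filled by exactly one literal. The query-building code in `check_login` is also constructed, not taken from any of the paper's subject applications.

```python
import re

TOKEN_RE = re.compile(r"""
    \s+                                  |  # whitespace, skipped
    (?P<comment>--[^\n]*|/\*.*?\*/)      |  # comments never appear in a legitimate query here
    (?P<str>'(?:[^']|'')*')              |  # string literal, '' escapes a quote
    (?P<num>\d+(?:\.\d+)?)               |  # numeric literal
    (?P<word>[A-Za-z_][A-Za-z0-9_]*)     |  # keyword or identifier
    (?P<hole>\?)                         |  # input placeholder, only meaningful in a template
    (?P<op>\*|<>|<=|>=|=|<|>|,|\(|\)|;)     # operators and punctuation
""", re.VERBOSE | re.DOTALL)

def tokenize(sql):
    """Lex sql into (kind, value) tokens; None if something cannot be lexed (e.g. an unterminated quote)."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            return None
        pos, kind = m.end(), m.lastgroup
        if kind is None:                     # whitespace
            continue
        value = m.group(kind).lower() if kind == "word" else m.group(kind)
        tokens.append(("lit" if kind in ("str", "num") else kind, value))
    return tokens

def build_model(template):
    """Static part: the token structure of one query site, each ? a slot for exactly one literal."""
    return [("lit", None) if k == "hole" else (k, v) for k, v in tokenize(template)]

def matches_model(model, query):
    """Dynamic part: accept the generated query only if its token structure equals the model's."""
    tokens = tokenize(query)
    if tokens is None or len(tokens) != len(model):
        return False
    for (mk, mv), (qk, qv) in zip(model, tokens):
        if mk == "lit" and qk != "lit":      # input may contribute one literal, never keywords
            return False
        if mk != "lit" and (mk, mv) != (qk, qv):
            return False
    return True

# Model for one query site, standing in for what the static analysis derives from the hard-coded string.
LOGIN_MODEL = build_model("SELECT * FROM users WHERE login = ? AND pass = ?")

def check_login(login, password):
    """Constructed app code: query built by concatenation as in the protected servlets; True = run, False = block."""
    query = f"SELECT * FROM users WHERE login = '{login}' AND pass = '{password}'"
    return matches_model(LOGIN_MODEL, query)
```

A legitimate value containing an escaped quote (`O''Brien`) still fits the single-literal slot, while any input that adds keywords, operators or a comment changes the token structure and is blocked before reaching the database.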

Thu 24 Sep

Displayed time zone: (UTC) Coordinated Universal Time

17:10 - 18:40
Most Influential Paper & Closing: Plenary at Kangaroo
Chair(s): Elisabetta Di Nitto Politecnico di Milano
AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks
William G.J. Halfond University of Southern California, Alessandro Orso Georgia Tech
Day closing
ASE2020 Closing & ASE2021