Defending Against Injection Attacks Through Context-Sensitive String Evaluation

300 word summary for Defending Against Injection Attacks

What is the paper about?

Defending Against Injection Attacks Through Context-Sensitive String Evaluation introduces CSSE (Context-Sensitive String Evaluation), a way to detect SQL injection in PHP at runtime. It is essentially an intrusion detection platform for PHP applications (though it requires modifications to source code), and the paper describes its implementation.

The paper is primarily aimed at developers of PHP applications and at researchers.

The paper outlines what an injection attack is, and identifies the important properties of injection attacks and their root causes.

The paper has a lot of theory about the types of injection attacks, and it defines and implements a new detection method.

This paper provides an invaluable section outlining related work and theory, including:

1) Safe ad-hoc serialisation: manual input validation (the most common defence), automatic input validation (e.g. magic_quotes_gpc), variable tainting (e.g. Perl), and the techniques provided by SQLrand.

2) Serialisation APIs, e.g. DOM, or PreparedStatement in Java.

Finally, they introduce their own technique: Context-Sensitive String Evaluation (CSSE).
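To make the CSSE idea concrete, here is a small model of it written for this post (not the paper's PHP implementation): every string carries per-character origin metadata, concatenation preserves that metadata, and the SQL sink checks that untrusted characters only ever appear as literal content, never as SQL syntax. The `TStr`, `csse_check` and `build_query` names and the tiny SQL lexer are my own assumptions; the paper's CSSE also applies context-appropriate escaping, whereas this model only flags.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TStr:
    """A string plus per-character origin flags (True = came from untrusted input)."""
    text: str
    mask: tuple

    def __add__(self, other):
        # Concatenation carries the origin metadata along with the characters.
        return TStr(self.text + other.text, self.mask + other.mask)


def trusted(s):
    return TStr(s, (False,) * len(s))      # application-supplied constant


def untrusted(s):
    return TStr(s, (True,) * len(s))       # request parameter, form field, etc.


# Minimal SQL lexer (assumed, not the paper's): quoted literal with '' escapes,
# number, word, whitespace, or any single character.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\s+|.", re.S)


def csse_check(query):
    """Sink-side check in the spirit of CSSE. Returns (ok, reason)."""
    for m in SQL_TOKEN.finditer(query.text):
        tok, (start, end) = m.group(), m.span()
        if not any(query.mask[start:end]):
            continue                              # token is wholly application-supplied
        if tok[0] == "'":
            # String literal: its delimiters must be trusted; the content may be anything.
            if query.mask[start] or query.mask[end - 1]:
                return False, f"untrusted quote delimits literal {tok!r}"
        elif tok.isdigit() or tok.isspace():
            continue                              # a number or spacing adds no structure
        else:
            return False, f"untrusted data forms SQL token {tok!r}"
    return True, ""


def build_query(name, user_id):
    # Constructed application query: only the constant parts are trusted.
    return (trusted("SELECT * FROM users WHERE name = '") + untrusted(name)
            + trusted("' AND id = ") + untrusted(user_id))
```

A benign name such as `O''Reilly` stays inside the literal and passes, while `1 OR 1=1` in the numeric position or a quote-breaking name is flagged because untrusted characters would form SQL tokens or literal delimiters.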

The authors are aware of potential weaknesses in their work, and evaluate identified weaknesses: false positives, false negatives, memory overhead, execution overhead, etc.

They note that it causes a 10% performance hit, and they list possible reasons why, with a note to check in future for possible performance tuning (they also note that they didn't tune it for performance).

Is title/abstract accurate

Yes, it's very descriptive of the paper.

Is the big ‘point’ of the work clear?

Yes.

Is there an original/significant contribution to knowledge

Yes, this is unique/novel.

Is this an extension to previous work?

Are aims and objectives clearly stated?

Yes.

Technical aspects of critique

Has proper attention been given to the current literature

Yes, there is an awesome background information section.

Are ideas/arguments technically correct?

Yes, it's from IBM Research…

Is empirical evidence provided?

Yes, they run an experiment and provide results.

Is there a balanced presentation of the literature?

Yes, it's very well written.

Is the research design/methodology clearly stated?

Yes, it's an experiment.

Has any sampling involved been carefully and thoughtfully selected?

Yes, they provide tables of results.

Is it representative? Is it likely to bias the research?

It uses results from other methods and their implementations (this is a common theme).

Have any ethical issues been clearly identified and handled correctly?

Not really: they only tested one application, and they only tested previously known, publicly available bugs.

Has the data collection method been clearly stated?

Yes, it's an experiment on publicly available bugs, comparing the results with CSSE disabled against the results with it enabled.

Was there a pilot study to check proposed approach?

Nope.

Is the data collection method valid and reliable?

Yes, it's a repeatable experiment.

What is the method of analysis? Clearly described and reliable?

Experiment.

Are results clearly presented?

Yes, though a couple more tables would be nice.

Are all hypotheses and any assumptions clearly stated at the outset?

Yes.

Presentation

Is the paper well structured? Can you follow the arguments? Is there a good flow through the paper, i.e. is there a 'story'?

Yes, it's very well written.

Are technical terms/abbreviations explained?

Yes, I'll be using this as one of my sources.

Are tables/graphs/diagrams easy to follow and clearly signposted?

Yes, they have a few graphs.

Do they aid understanding?

They are a bit difficult, as they have used stacked graphs (my personal preference would be two separate tables).

Is the discussion well balanced, i.e. not front/top heavy?

It's got a lot of theory at the start, but the background info, theory, implementation and results sections are about the same size.

Are conclusions well supported by arguments/results presented in the paper

Is the work well ‘joined-up’?

Yeah, it flows well.

Do the authors recognise potential areas of weakness in their work?

The authors are aware of potential weaknesses in their work, and evaluate identified weaknesses: false positives, false negatives, memory overhead, execution overhead, etc.

They note that it causes a 10% performance hit, and they list possible reasons why, with a note to check in future for possible performance tuning (they also note that they didn't tune it for performance).

How up-to-date is the work? Are references current and representative of the field?

Up to about 2005.
