May 7, 2021

SpywareNews.com

Dedicated Forum to help removing adware, malware, spyware, ransomware, trojans, viruses and more!

Spinner: Automated Dynamic Command Subsystem Perturbation. (arXiv:2105.00391v1 [cs.CR])

Injection attacks have been a major threat to web applications. Despite the
significant effort in thwarting injection attacks, protection against injection
attacks remains challenging due to the sophisticated attacks that exploit the
existing protection techniques’ design and implementation flaws. In this paper,
we develop Spinner, a system that provides general protection against input
injection attacks, including OS/shell command, SQL, and XXE injection. Instead
of focusing on detecting malicious inputs, Spinner constantly randomizes
underlying subsystems so that injected inputs (e.g., commands or SQL queries)
that are not properly randomized will not be executed, hence prevented. We
revisit the design and implementation choices of previous randomization-based
techniques and develop a more robust and practical protection against various
sophisticated input injection attacks. To handle complex real-world
applications, we develop a bidirectional analysis that combines forward and
backward static analysis techniques to identify intended commands or SQL
queries to ensure the correct execution of the randomized target program. We
implement Spinner for the shell command processor and two different database
engines (MySQL and SQLite) and in diverse programming languages including
C/C++, PHP, JavaScript and Lua. Our evaluation results on 42 real-world
applications including 27 vulnerable ones show that it effectively prevents a
variety of input injection attacks with low runtime overhead (around 5%).