Spinner: Automated Dynamic Command Subsystem Perturbation
Meng Wang, Chijung Jung, Ali Ahad, and Yonghwi Kwon

TL;DR
Spinner is a system that protects web applications against injection attacks by continuously randomizing the subsystems the application drives (for example the shell or the SQL engine), so that injected commands or queries that were not randomized along with the legitimate ones fail to execute. It prevents OS/shell command, SQL, and XXE injection without relying on detecting malicious inputs, and it applies across multiple languages and database engines.
Contribution
It revisits the design and implementation choices of earlier randomization-based defenses and combines dynamic subsystem randomization with static analysis to protect real-world applications against diverse injection attacks.
Findings
Prevents OS/shell command, SQL, and XXE injection attacks
Low runtime overhead (~5%)
Works across multiple languages and database systems
Abstract
Injection attacks have been a major threat to web applications. Despite the significant effort in thwarting injection attacks, protection against injection attacks remains challenging due to the sophisticated attacks that exploit the existing protection techniques' design and implementation flaws. In this paper, we develop Spinner, a system that provides general protection against input injection attacks, including OS/shell command, SQL, and XXE injection. Instead of focusing on detecting malicious inputs, Spinner constantly randomizes underlying subsystems so that injected inputs (e.g., commands or SQL queries) that are not properly randomized will not be executed, hence prevented. We revisit the design and implementation choices of previous randomization-based techniques and develop a more robust and practical protection against various sophisticated input injection attacks. To handle…
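The abstract describes the core idea only at a high level: the application's own commands or queries are randomized, the subsystem accepts only the randomized form, and anything injected by an attacker arrives unrandomized and is refused. The following Python block is an added illustration of that idea for the SQL case; it is not Spinner's code and makes no claim about how the paper randomizes real engines. The keyword set, the tag format, the `{input}` placeholder and the function names are assumptions chosen for the example; the constructed query templates and inputs stand in for an application's query-building code.

```python
import re
import secrets

# Keywords the randomized subsystem protects. Constructed for this example;
# a real deployment would cover the engine's full keyword and operator set.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP", "TABLE",
            "INSERT", "INTO", "VALUES", "DELETE", "UPDATE", "SET", "LIKE"}

# Lex single-quoted string literals (with '' escapes) as one unit so a keyword
# that legitimately appears inside a literal is never mistaken for code.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*")


class InjectionDetected(Exception):
    """Raised by the gate when a bare (unrandomized) keyword reaches the subsystem."""


def new_tag(nbytes: int = 4) -> str:
    """Fresh secret suffix shared by the application and the gate.
    Rotating it per process or per request is what makes the scheme 'dynamic'."""
    return secrets.token_hex(nbytes)


def randomize(template: str, tag: str) -> str:
    """Rewrite a developer-written query TEMPLATE so every keyword carries TAG.
    Only trusted query templates from the application's source go through this step."""
    def sub(m: re.Match) -> str:
        word = m.group(0)
        if word.startswith("'"):
            return word                      # string literal: leave untouched
        return f"{word.upper()}_{tag}" if word.upper() in KEYWORDS else word
    return TOKEN_RE.sub(sub, template)


def derandomize(query: str, tag: str) -> str:
    """Gate in front of the real database engine.
    A bare keyword can only have come from input that bypassed the randomized
    template, so the whole query is rejected. Otherwise the tags are stripped
    and the canonical query is returned for execution."""
    suffix = f"_{tag}"
    def sub(m: re.Match) -> str:
        word = m.group(0)
        if word.startswith("'"):
            return word
        if word.upper() in KEYWORDS:
            raise InjectionDetected(f"unrandomized keyword {word!r}")
        if word.endswith(suffix) and word[: -len(suffix)].upper() in KEYWORDS:
            return word[: -len(suffix)]
        return word                          # plain identifier (or a mis-tagged one)
    return TOKEN_RE.sub(sub, query)


def guarded_query(template: str, user_input: str, tag: str) -> tuple[bool, str]:
    """Deliberately vulnerable string concatenation (the application's bug)
    followed by the gate. Returns (allowed, canonical_query_or_reason)."""
    query = randomize(template, tag).replace("{input}", user_input)
    try:
        return True, derandomize(query, tag)
    except InjectionDetected as exc:
        return False, str(exc)


if __name__ == "__main__":
    tag = new_tag()
    tmpl = "SELECT name FROM users WHERE name = '{input}'"
    for candidate in ("alice", "or", "' OR 1=1 --", "'; DROP TABLE users; --"):
        print(candidate, "->", guarded_query(tmpl, candidate, tag))
```

Two properties worth noticing when running it. The benign value `or` is accepted because it sits inside a string literal, while `' OR 1=1 --` closes the literal and exposes a bare `OR`, which the gate refuses before the engine ever parses it; an attacker who does not know the current tag cannot produce `OR_<tag>`. The limitation is equally visible: a payload that needs none of the protected vocabulary (a comparison-only tautology, for instance) passes the gate, so the keyword set must cover everything an attacker could usefully invoke, which is exactly where the abstract says earlier randomization-based schemes ran into design and implementation flaws.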
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Advanced Malware Detection Techniques
