Code injections occur when untrusted input to an application gets used as code in that application's output. This project compares existing definitions of code injections and presents new definitions that resolve some of the problems (false positives and negatives) with existing definitions. Analysis of the new definitions provides insights into the requirements for mechanisms to mitigate code injections. The project also considers attacks based on injecting noncode, rather than code, symbols.
Slides from a talk Cagri Cetin gave at the Florida Center for Cybersecurity conference in April, 2017.
Note: The next 3 publications have typos in the algorithm for preventing BroNIEs (e.g., on Page 12 of the ISC paper and Page 14 of the Technical Report). Every instance of "temTokens[i]" in these documents should be "temTokens[j]".
Slides from a talk Donald gave at the annual Florida Center for Cybersecurity conference in October, 2015.
This research was supported in part by NSF grants CNS-0716343 and CNS-0742736. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
This research was also supported by a grant from the Florida Center for Cybersecurity (FC2).