Code Injection - Preventing Code Injection

Preventing Code Injection

To prevent code injection problems, utilize secure input and output handling, such as:

  • Input validation
  • Selective input inclusion/exclusion
  • Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars function (converts the characters <, >, &, " and ' into their HTML entity equivalents) and/or the strip_tags function (removes HTML tags entirely) for safe output of text in HTML, and mysql_real_escape_string to escape data that will be included in an SQL query, to protect against SQL injection. Note that mysql_real_escape_string belongs to the old mysql extension, which was removed in PHP 7; mysqli_real_escape_string and PDO::quote are its successors, and parameterized queries (below) are preferred over escaping altogether.
  • Input encoding
  • Output encoding
  • Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
  • Modular shell disassociation from kernel
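
As an added example that is not part of the original page, the Python script below (constructed here, using the standard-library sqlite3 module, an in-memory table and two made-up user rows) shows three of the controls above side by side: an allowlist input validator, a string-concatenated login query that a crafted password defeats next to its parameterized replacement, and HTML output encoding with html.escape, Python's counterpart to PHP's htmlspecialchars. The usernames, passwords and payload are invented for the demo.

```python
import html
import re
import sqlite3

# Constructed sample data for the demo; not from the original page.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Allowlist for usernames: letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def valid_username(name):
    """Input validation by allowlist: accept only the narrow, expected shape."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: attacker text becomes part of the SQL grammar."""
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values, so they can never
    change the structure of the statement, whatever characters they contain."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def render_greeting(name):
    """Output encoding for an HTML text context: < > & " and ' become entities."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run one injection payload against both query styles and return the results."""
    conn = make_db()
    # Password crafted so the concatenated WHERE clause reads
    #   name = 'nobody' AND password = '' OR '1'='1'
    # which is true for every row, because AND binds tighter than OR.
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", payload),  # every user
        "safe": login_safe(conn, "nobody", payload),              # no rows
        "legit": login_safe(conn, "alice", "s3cret"),             # normal login
        "greeting": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable query returns both users for an account that does not exist, while the parameterized version returns nothing for the same input and still works for a genuine login; the greeting shows the script tag rendered as inert text. Validation, parameterization and output encoding address different injection contexts (what is accepted, how data enters SQL, how data leaves into HTML), so a real application applies all three rather than picking one.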

The solutions listed above deal primarily with web-based injection of HTML or script code into a server-side application. Other approaches are needed, however, when dealing with injection of user code on the user's machine, which can result in privilege elevation attacks. Some approaches used to detect and isolate managed and unmanaged code injections are:

  • Runtime image hash validation - capture a hash of part or all of the executable image loaded into memory, and compare it with a stored, expected hash.
  • NX bit - data regions such as the stack and heap are mapped in memory pages marked as non-executable. The processor is made aware that no code exists in that part of memory, and refuses to execute anything found there.
