Code Injection - Preventing Code Injection

Preventing Code Injection

To prevent code injection problems, utilize secure input and output handling, such as:

  • Input validation
  • Selective input inclusion/exclusion
  • Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars function (converts HTML tags to their ISO-8859-1 equivalents) and/or strip_tags function (completely removes HTML tags) for safe output of text in HTML, and mysql_real_escape_string to isolate data which will be included in an SQL request, to protect against SQL Injection.
  • Input encoding
  • Output encoding
  • Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
  • Modular shell disassociation from kernel

The solutions listed above deal primarily with web-based injection of HTML or script code into a server-side application. Other approaches need to be taken however, when you are dealing with injection of user code on the user machine, resulting in privilege elevation attacks. Some approaches that are used to detect and isolate managed and unmanaged code injections are:

  • Runtime image hash validation - capture a hash of a part or complete image of the executable loaded into memory, and compare it with stored and expected hash.
  • NX bit - all user data is stored in a special memory sections that are marked as non-executable. The processor is made aware that no code exists in that part of memory, and refuses to execute anything found in there.

Read more about this topic:  Code Injection

Famous quotes containing the words preventing and/or code:

    In a language known to us, we have substituted the opacity of the sounds with the transparence of the ideas. But a language we do not know is a closed place in which the one we love can deceive us, making us, locked outside and convulsed in our impotence, incapable of seeing or preventing anything.
    Marcel Proust (1871–1922)

    Wise Draco comes, deep in the midnight roll
    Of black artillery; he comes, though late;
    In code corroborating Calvin’s creed
    And cynic tyrannies of honest kings;
    He comes, nor parlies; and the Town, redeemed,
    Gives thanks devout; nor, being thankful, heeds
    The grimy slur on the Republic’s faith implied,
    Which holds that Man is naturally good,
    And—more—is Nature’s Roman, never to be
    scourged.
    Herman Melville (1819–1891)