Anti-code injection framework

A new company, Recursion Ventures, has been formed by Dan Kaminsky, Michael Tiffany and Henry Bar-Levav to take a fresh approach to computer security. Recursion Ventures Interpolique framework is aimed at helping developers make their web applications immune to SQL injection and cross-site scripting attacks. The basic idea is to transform data entered by the user into Base64 so that, even where it's constructed incorrectly with additional code, it's unable to cause any damage.

The problem in SQL injection is often that the query string is composed of a combination of defined strings and variables. If an attacker succeeds in passing ';DROP TABLE CUSTOMER-- as a variable, damage to the database can result. By encoding the data, the string JztEUk9QIFRBQkxFIEtVTkRFLS0= is instead passed to the database and, even when incorrectly escaped, is unable to do any damage.

The database must of course support decoding of string parameters in this format. Version 0.1 of Recursion Ventures framework includes a MySQL extension offering this functionality. Kaminsky has thrown the concepts behind the framework out for discussion. Anyone thinking of deploying the tool should, however, first consider using stored procedures or prepared SQL statements. These involve processing (entered) data and instructions separately and also effectively prevent SQL injection.

Kaminsky is well known for having exposed a basic flaw in the internet's Domain Name System. Michael Tiffany was leader of internet strategy at Western Integrated Networks, a large US fibre-to-the-home provider and Henry Bar-Levav ran the internet consulting firm OVEN and is a pioneer of commercial Internet in New York.

(crve)