{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:59:26Z","timestamp":1750309166911,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":21,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,4,14]],"date-time":"2024-04-14T00:00:00Z","timestamp":1713052800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,4,14]]},"DOI":"10.1145\/3639476.3639772","type":"proceedings-article","created":{"date-parts":[[2024,5,24]],"date-time":"2024-05-24T15:15:01Z","timestamp":1716563701000},"page":"16-20","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Synthesis of Allowlists for Runtime Protection against SQLi"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2443-4949","authenticated-orcid":false,"given":"Kostyantyn","family":"Vorobyov","sequence":"first","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9470-5081","authenticated-orcid":false,"given":"Francois","family":"Gauthier","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5905-8499","authenticated-orcid":false,"given":"Padmanabhan","family":"Krishnan","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}]}],"member":"320","published-online":{"date-parts":[[2024,5,24]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Oracle Database 21c. 2023. Using Oracle Virtual Private Database to Control Data Access. https:\/\/docs.oracle.com\/en\/database\/oracle\/oracle-database\/21\/dbseg\/using-oracle-vpd-to-control-data-access.html#GUID-06022729-9210-4895-BF04-6177713C65A7"},{"key":"e_1_3_2_1_2_1","volume-title":"Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007","author":"Bandhakavi Sruthi","year":"2007","unstructured":"Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, and V. N. Venkatakrishnan. [n. d.]. CANDID: preventing sql injection attacks using dynamic candidate evaluations. In Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, October 28--31, 2007, Peng Ning, Sabrina De Capitani di Vimercati, and Paul F. Syverson (Eds.). ACM, 12--24."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"crossref","unstructured":"E. Bertino A. Kamra and J. P. Early. 2007. Profiling Database Application to Detect SQL Injection Attacks. In IPCCC.","DOI":"10.1109\/PCCC.2007.358926"},{"key":"e_1_3_2_1_4_1","volume-title":"Proceedings of the 5th International Workshop on Software Engineering and Middleware, SEM 2005","author":"Buehrer Gregory","year":"2005","unstructured":"Gregory Buehrer, Bruce W. Weide, and Paolo A. G. Sivilotti. 2005. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, SEM 2005, Lisbon, Portugal, September 5--6, 2005, Elisabetta Di Nitto and Amy L. Murphy (Eds.). ACM, 106--113."},{"key":"e_1_3_2_1_5_1","unstructured":"V. H. S. Campos R. E. Rodrigues I. R. de Assis Costa a nd D. do Couto Texeira and F. M. Q. Pereira. [n. d.]. A Tool for the Range Analysis of Whole Programs. http:\/\/range-analysis.googlecode.com\/."},{"key":"e_1_3_2_1_6_1","volume-title":"Proceedings of the 31st IEEE\/ACM International Conference on Automated Software Engineering, ASE 2016","author":"Ceccato Mariano","year":"2016","unstructured":"Mariano Ceccato, Cu D. Nguyen, Dennis Appelt, and Lionel C. Briand. 2016. SOFIA: an automated security oracle for black-box testing of SQL-injection vulnerabilities. In Proceedings of the 31st IEEE\/ACM International Conference on Automated Software Engineering, ASE 2016, Singapore, September 3--7, 2016, David Lo, Sven Apel, and Sarfraz Khurshid (Eds.). ACM, 167--177."},{"key":"e_1_3_2_1_7_1","unstructured":"The Economist. 2017. The world's most valuable resource is no longer oil but data. https:\/\/www.economist.com\/leaders\/2017\/05\/06\/the-worlds-most-valuable-resource-is-no-longer-oil-but-data"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"crossref","unstructured":"M. Guarnieri M. Balliu D. Schoepe D. Basin and A. Sabelfeld. 2019. Information-Flow Control for Database-Backed Applications. In EuroS&P.","DOI":"10.1109\/EuroSP.2019.00016"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3320269.3384760"},{"key":"e_1_3_2_1_10_1","volume-title":"Apron: A Library of Numerical Abstract Domains for Static Analysis. In CAV.","author":"Jeannet B.","year":"2009","unstructured":"B. Jeannet and A. Min\u00e9. 2009. Apron: A Library of Numerical Abstract Domains for Static Analysis. In CAV."},{"volume-title":"Proceedings of the ACM Symposium on Applied Computing (SAC). ACM, 184--188","author":"Logozzo F.","key":"e_1_3_2_1_11_1","unstructured":"F. Logozzo and M. F\u00e4hndrich. 2008. Pentagons: a weakly relational abstract domain for the efficient validation of array accesses. In Proceedings of the ACM Symposium on Applied Computing (SAC). ACM, 184--188."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2019.2900007"},{"key":"e_1_3_2_1_13_1","volume-title":"Proceedings Eighth Working Conference on Reverse Engineering. IEEE, 310--319","author":"Min\u00e9 A.","year":"2001","unstructured":"A. Min\u00e9. 2001. The Octagon abstract domain. In Proceedings Eighth Working Conference on Reverse Engineering. IEEE, 310--319."},{"key":"e_1_3_2_1_14_1","unstructured":"MySQL. 2023. Column privileges. https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/grant.html#grant-column-privileges"},{"key":"e_1_3_2_1_15_1","unstructured":"PostgreSQL. 2023. Row Security Policies. https:\/\/www.postgresql.org\/docs\/current\/ddl-rowsecurity.html"},{"key":"e_1_3_2_1_16_1","unstructured":"SQL Server. 2023. Column-level Security. https:\/\/learn.microsoft.com\/en-us\/azure\/synapse-analytics\/sql-data-warehouse\/column-level-security"},{"key":"e_1_3_2_1_17_1","unstructured":"SQL Server. 2023. Row-level Security. https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/row-level-security"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.tcs.2005.07.035"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"crossref","unstructured":"C. Wang A. Cheung and R. Bodik. 2017. Synthesizing Highly Expressive SQL Queries from Input-Output Examples. In PLDI.","DOI":"10.1145\/3062341.3062365"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"N. Yaghmazadeh Y. Wang I. Dillig and Thomas Dillig. 2017. SQLizer: Query Synthesis from Natural Language. In OOPSLA.","DOI":"10.1145\/3133887"}],"event":{"name":"ICSE-NIER'24: 2024 ACM\/IEEE 44th International Conference on Software Engineering: New Ideas and Emerging Results","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS","Faculty of Engineering of University of Porto"],"location":"Lisbon Portugal","acronym":"ICSE-NIER'24"},"container-title":["Proceedings of the 2024 ACM\/IEEE 44th International Conference on Software Engineering: New Ideas and Emerging Results"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3639476.3639772","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3639476.3639772","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:53:39Z","timestamp":1750287219000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3639476.3639772"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,14]]},"references-count":21,"alternative-id":["10.1145\/3639476.3639772","10.1145\/3639476"],"URL":"https:\/\/doi.org\/10.1145\/3639476.3639772","relation":{},"subject":[],"published":{"date-parts":[[2024,4,14]]},"assertion":[{"value":"2024-05-24","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}