ABSTRACT
SQL injection attacks are one of the top-most threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks.
A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called CANDID, for mining programmer-intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID, which retrofits Web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice.
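The detection idea in the abstract, as an added example that is not the paper's code or the CANDID tool: the application's query-building code is run twice, once on the real user inputs and once on benign candidate inputs of the same length, and the two resulting queries are compared structurally. CANDID itself compares full SQL parse trees produced by a Java retrofit; this example approximates that with a small tokenizer that keeps keywords, identifiers and operators and abstracts literal values. The query builders (`login_query`, `price_query`), the all-digit candidate rule, and the sample inputs are constructed for illustration.

```python
import re

# Added example (not the paper's code): a tokenizer-level approximation of
# CANDID's check. The real tool compares SQL parse trees; here the "structure"
# of a query is its token skeleton with literal values abstracted away, which
# is enough to show why a candidate run exposes an injection.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|[=<>(),;*+\-/.])
""", re.VERBOSE | re.DOTALL)


class SqlInjectionDetected(Exception):
    pass


def structure(sql):
    """Syntactic skeleton of a query: keywords, identifiers and operators are
    kept (case-folded); string and numeric literals collapse to a placeholder,
    so two queries that differ only in data have the same structure. An
    untokenizable tail (e.g. an unterminated quote) becomes an 'error' token."""
    skeleton, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            skeleton.append(("error", sql[pos:]))
            break
        pos = m.end()
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            skeleton.append((kind, "?"))
        elif kind == "comment":
            skeleton.append(("comment", "?"))
        else:
            skeleton.append((kind, m.group().lower()))
    return skeleton


def candidate_input(value):
    """Benign stand-in for one user input. CANDID uses a string of 'a's of the
    same length, so length-dependent control flow in the application takes the
    same path. Mapping all-digit inputs to a run of '1's is an assumption of
    this example (so that numeric contexts get a numeric candidate)."""
    if value.isdigit():
        return "1" * len(value)
    return "a" * len(value)


def is_attack(build_query, *inputs):
    """Run the query builder on the real inputs and on their candidates and
    compare the two structures; a mismatch means the input changed the
    intended shape of the query."""
    real = build_query(*inputs)
    cand = build_query(*(candidate_input(v) for v in inputs))
    return structure(real) != structure(cand)


def guarded(build_query, *inputs):
    """Build the query and release it only if its structure matches the
    candidate's; otherwise raise instead of sending it to the database."""
    if is_attack(build_query, *inputs):
        raise SqlInjectionDetected(build_query(*inputs))
    return build_query(*inputs)


# Hypothetical application code, written the vulnerable way the paper targets:
# low-level string concatenation of untrusted input.
def login_query(username, password):
    if len(username) > 32:  # length-dependent branch: the candidate follows it
        return "SELECT 0 WHERE 1=0"
    return ("SELECT id FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def price_query(max_price):
    return "SELECT name FROM items WHERE price < " + max_price


if __name__ == "__main__":
    print(guarded(login_query, "alice", "s3cret"))  # benign: passes through
    print(guarded(price_query, "50"))               # numeric benign: passes
    attacks = [("' OR '1'='1", "x"), ("admin'--", "x"), ("bob", "x' OR 'a'='a")]
    for u, p in attacks:
        try:
            guarded(login_query, u, p)
        except SqlInjectionDetected as e:
            print("blocked:", e)
    try:
        guarded(price_query, "50 OR 1=1")
    except SqlInjectionDetected as e:
        print("blocked:", e)
```

Note the two properties the candidate run gives for free: benign inputs that merely differ in content (`alice` vs. `aaaaa`, `50` vs. `11`) yield identical skeletons, while an input that smuggles in a quote, an `OR`, or a `--` comment changes the token shape relative to its same-length benign twin and is rejected before the query reaches the database.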
CANDID: Preventing SQL injection attacks using dynamic candidate evaluations