
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks

Published: 05 March 2010

Abstract

SQL injection attacks are one of the top-most threats for applications written for the Web. These attacks are launched through specially crafted user inputs on Web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming Web applications to render them safe against all SQL injection attacks.

A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called Candid, for mining programmer-intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We have also implemented Candid by modifying a Java Virtual Machine, which safeguards applications without requiring retrofitting. We report extensive experimental results that show that our approach performs remarkably well in practice.
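The abstract describes the mechanism in one sentence: run the query-building code a second time on benign candidate inputs, and compare the structure of the resulting query with the structure of the query built from the real input. The following Python sketch is an added illustration of that idea and is not the paper's Candid tool or its Java transformation. It assumes a small regex-based tokenizer that reduces a query to a structural skeleton (literals collapsed to placeholders, keywords and operators kept), uses a string of 'a's of the same length as the candidate for string inputs, and, as an assumption added here rather than taken from the paper, uses a string of '1's for digit-only inputs so that unquoted numeric parameters keep their literal kind. The query builders and all inputs are constructed samples.

```python
import re

# Added illustration of candidate evaluation (not the paper's tool): the query
# built from real input and the query built from same-length benign candidates
# are reduced to skeletons; a mismatch means the input changed query structure.

_TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # single-quoted literal ('' escapes a quote)
  | (?P<comment>--[^\n]*|/\*.*?\*/)       # SQL comments
  | (?P<number>\d+(?:\.\d+)?)             # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)      # keyword or identifier
  | (?P<op><>|<=|>=|[=<>(),;*.])          # operators and punctuation
  | (?P<ws>\s+)                           # whitespace (dropped)
  | (?P<other>.)                          # anything else, e.g. an unbalanced quote
""", re.VERBOSE | re.DOTALL)

# Small keyword set sufficient for the constructed samples below.
SQL_KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "IN", "IS", "NULL", "LIKE",
    "INSERT", "INTO", "VALUES", "UPDATE", "SET", "DELETE", "UNION", "ALL",
    "ORDER", "BY", "GROUP", "HAVING", "LIMIT", "JOIN", "ON", "AS",
}


def sql_skeleton(query: str) -> list:
    """Reduce a query to its structure: literal values become placeholders,
    while keywords, identifiers and operators (which define the parse) stay."""
    skeleton = []
    for m in _TOKEN_RE.finditer(query):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "string":
            skeleton.append("STR")
        elif kind == "number":
            skeleton.append("NUM")
        elif kind == "comment":
            skeleton.append("COMMENT")
        elif kind == "word":
            upper = text.upper()
            skeleton.append("KW:" + upper if upper in SQL_KEYWORDS else "ID:" + text)
        else:  # op or other
            skeleton.append("OP:" + text)
    return skeleton


def candidate_for(value: str) -> str:
    """Benign stand-in of the same length. A string of 'a's follows the paper's
    candidate idea; using '1's for digit-only inputs is an assumption made here
    so that an unquoted numeric parameter still tokenizes as a number."""
    if value.isdigit():
        return "1" * len(value)
    return "a" * len(value)


def check_query(build, inputs):
    """Run the builder on the real inputs and on their candidates and compare
    the two skeletons. Returns (is_benign, actual_query)."""
    actual = build(*inputs)
    candidate = build(*[candidate_for(v) for v in inputs])
    return sql_skeleton(actual) == sql_skeleton(candidate), actual


# Constructed sample builders using the low-level string operations the paper
# targets (deliberately not parameterized, so the check has something to catch).
def build_login_query(user: str, pw: str) -> str:
    query = "SELECT * FROM users WHERE pw = '" + pw + "'"
    if user:  # input-dependent branch; a same-length candidate takes the same path
        query += " AND name = '" + user + "'"
    return query


def build_by_id_query(user_id: str) -> str:
    return "SELECT * FROM users WHERE id = " + user_id


if __name__ == "__main__":
    samples = [
        (build_login_query, ("alice", "s3cret")),   # constructed benign login
        (build_login_query, ("", "s3cret")),        # empty user takes the other branch
        (build_login_query, ("' OR '1'='1", "x")),  # constructed textbook injection
        (build_by_id_query, ("7",)),                # benign numeric parameter
        (build_by_id_query, ("7 OR 1=1",)),         # structure-changing numeric input
    ]
    for build, inputs in samples:
        benign, query = check_query(build, inputs)
        print("benign " if benign else "ATTACK ", query)
```

The point the example makes concrete is that the candidate run, not a signature list, defines "intended": because the candidate has the same length as the real input, the builder follows the same control-flow path (the `if user:` branch above), so the only way the two skeletons can differ is that the real input contributed tokens of its own.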



Published in

  ACM Transactions on Information and System Security, Volume 13, Issue 2
  February 2010
  230 pages
  ISSN: 1094-9224
  EISSN: 1557-7406
  DOI: 10.1145/1698750

  Copyright © 2010 ACM

  Publisher: Association for Computing Machinery, New York, NY, United States

  Publication History

  • Published: 5 March 2010
  • Accepted: 1 September 2008
  • Revised: 1 July 2008
  • Received: 1 February 2008

Qualifiers: research-article, Research, Refereed
