Abstract
SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user inputs, on Web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming Web applications to render them safe against all SQL injection attacks.
A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called Candid, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We have also implemented Candid by modifying a Java Virtual Machine, which safeguards applications without requiring retrofitting. We report extensive experimental results that show that our approach performs remarkably well in practice.
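As an added illustration of the candidate-evaluation idea described above (example code written here, not code from the paper or the Candid tool), the query is built twice, once on the real input and once on a benign candidate of the same length, and the structures of the two queries are compared. The small SQL lexer, the two sample query builders and the inputs are constructed for this example, and it handles string-typed inputs only.

```python
import re

# Lexer for a small SQL subset (constructed for this example, not CANDID's parser).
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<id>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|!=|<=|>=|[=<>(),;*])
""", re.VERBOSE | re.DOTALL)

def structure(sql):
    """Skeleton of a query: keywords, identifiers and operators keep their
    text; string/number literals and comments collapse to placeholders."""
    out, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                      # unlexable char, e.g. a stray quote
            out.append(("BAD", sql[pos]))
            pos += 1
            continue
        kind, pos = m.lastgroup, m.end()
        if kind == "ws":
            continue
        if kind in ("str", "num", "comment"):
            out.append((kind.upper(), ""))  # literal value abstracted away
        else:
            out.append((kind.upper(), m.group().upper()))
    return out

def candidate_for(user_input):
    # CANDID's benign candidate: a string of 'a's of the same length as the
    # real input (string-typed inputs only in this example).
    return "a" * len(user_input)

def build_query(name):
    # Unsafe string concatenation, as in the applications CANDID retrofits.
    return "SELECT * FROM users WHERE name = '" + name + "'"

def build_query_escaped(name):
    # Same query with quote doubling; the candidate run goes through it too.
    return "SELECT * FROM users WHERE name = '" + name.replace("'", "''") + "'"

def is_injection(build, user_input):
    """Run the query construction on the real input and on the candidate;
    a difference in query structure signals an injection attempt."""
    real = structure(build(user_input))
    cand = structure(build(candidate_for(user_input)))
    return real != cand
```

Because the candidate run exercises the same code path, sanitisation the application already performs (as in `build_query_escaped`) is applied to both queries and does not produce a false alarm.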
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks