SQLrand: Preventing SQL Injection Attacks

We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker. Queries injected by the attacker will be caught and terminated by the database parser. We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language. Our mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems.

[1]  Andrew Berman,et al.  TRON: Process-Specific File Protection for the UNIX Operating System , 1995, USENIX.

[2]  David A. Wagner,et al.  A Secure Environment for Untrusted Helper Applications , 1996, USENIX Security Symposium.

[3]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[4]  Daniel F. Sterne,et al.  Confining Root Programs with Domain and Type Enforcement , 1996, USENIX Security Symposium.

[5]  T. Mitchem,et al.  Using kernel hypervisors to secure applications , 1997, Proceedings 13th Annual Computer Security Applications Conference.

[6]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[7]  Thomas E. Anderson,et al.  SLIC: An Extensibility System for Commodity Operating Systems , 1998, USENIX Annual Technical Conference.

[8]  Klaus Erik Schauser,et al.  Consh: Confined Execution Environment for Internet Computations , 1998 .

[9]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[10]  Alain J. Mayer,et al.  Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies , 1998, USENIX Security Symposium.

[11]  A. Acharya,et al.  MAPbox: Using Parameterized Behavior Classes to Confine Applications , 1999 .

[12]  Alexander Aiken,et al.  A theory of type qualifiers , 1999, PLDI '99.

[13]  Timothy Fraser,et al.  Hardening COTS software with generic software wrappers , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[14]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[15]  Calton Pu,et al.  The Cracker Patch Choice: An Analysis of Post Hoc Security Techniques , 2000 .

[16]  R. M. Balzer,et al.  Mediating connectors: a non-bypassable process wrapping technology , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[17]  Diomidis Spinellis,et al.  Sandboxing Applications , 2001, USENIX Annual Technical Conference, FREENIX Track.

[18]  Stephen Smalley,et al.  Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.

[19]  Robert N. M. Watson,et al.  TrustedBSD: Adding Trusted Operating System Features to FreeBSD , 2001, USENIX Annual Technical Conference, FREENIX Track.

[20]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[21]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[22]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[23]  Steve J. Chapin,et al.  Type-Assisted Dynamic Buffer Overflow Detection , 2002, USENIX Security Symposium.

[24]  Matt Bishop,et al.  A Flexible Containment Mechanism for Executing Untrusted Code , 2002, USENIX Security Symposium.

[25]  Todd M. Austin,et al.  High Coverage Detection of Input-Related Security Faults , 2003, USENIX Security Symposium.

[26]  Tal Garfinkel,et al.  Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools , 2003, NDSS.

[27]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[28]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[29]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[30]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[31]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[32]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[33]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.