Research and implementation of SQL injection prevention method based on ISR

SQL injection is a major threat to the security of web applications. The paper analyzes the weaknesses of current solutions for preventing it, presents a method of preventing SQL injection attacks by ISR (Instruction Set Randomization), and introduces a prototype system based on the method. The system first randomizes the SQL keywords by appending a random integer; the randomized SQL statements are then transmitted to a DBMS proxy, which detects and blocks SQL injection attacks by analysing the syntax; finally, the DBMS proxy translates the randomized SQL back into standard SQL and sends it to the DBMS. Experimental results show that this system can effectively prevent SQL injection attacks at low processing cost.
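The keyword-randomization and proxy-translation steps described above, as an added Python example that is not the paper's prototype system: the keyword list, the tokenizer, the numeric-suffix format and the `build_login_query` helper are assumptions made for the illustration. The proxy here works at token level rather than performing the full syntax analysis the paper describes, but it shows the core property: injected keywords arrive without the secret suffix and are rejected, while keyword-like text inside string literals is left alone.

```python
"""Added example (not the paper's code): a minimal ISR-style SQL keyword
randomizer on the application side and a matching DBMS proxy that detects
un-randomized keywords and translates the query back to standard SQL."""
import re
import secrets

# Assumed subset of SQL keywords; the paper's prototype covers the full grammar.
SQL_KEYWORDS = frozenset({
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO", "VALUES",
    "UPDATE", "SET", "DELETE", "UNION", "DROP", "TABLE", "ORDER", "BY", "LIMIT",
})

# Tokens: single-quoted string literal (with '' escapes), a word, or one
# punctuation character.  Whitespace between tokens is preserved by re.sub.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


class SqlInjectionDetected(Exception):
    """Raised by the proxy when a keyword appears without the secret suffix."""


def new_key() -> int:
    """Secret random integer shared by the application and the proxy."""
    return secrets.randbelow(10**9) + 1


def randomize(template: str, key: int) -> str:
    """Application side: append the secret integer to every SQL keyword in a
    developer-written query fragment.  User input must never pass through here,
    otherwise it would receive the suffix too."""
    def repl(m: re.Match) -> str:
        tok = m.group(0)
        return f"{tok}{key}" if tok.upper() in SQL_KEYWORDS else tok
    return TOKEN_RE.sub(repl, template)


def translate(randomized_sql: str, key: int) -> str:
    """DBMS proxy side: strip the suffix from randomized keywords and reject any
    bare keyword, which can only have come from untrusted input."""
    suffix = str(key)

    def repl(m: re.Match) -> str:
        tok = m.group(0)
        if tok.startswith("'"):
            return tok  # string literal: contents are data, never a keyword
        if tok.endswith(suffix) and tok[:-len(suffix)].upper() in SQL_KEYWORDS:
            return tok[:-len(suffix)]  # legitimate randomized keyword
        if tok.upper() in SQL_KEYWORDS:
            raise SqlInjectionDetected(f"un-randomized keyword {tok!r}")
        return tok  # identifier, number, operator: pass through unchanged
    return TOKEN_RE.sub(repl, randomized_sql)


def build_login_query(username: str, key: int) -> str:
    """Hypothetical application code that concatenates user input into a
    randomized query.  The concatenation is deliberately naive so that the
    proxy, not the application, is what stops the injection."""
    return (randomize("SELECT name FROM users WHERE user = '", key)
            + username
            + randomize("'", key))


if __name__ == "__main__":
    key = new_key()
    print(translate(build_login_query("alice", key), key))
    try:
        translate(build_login_query("' OR '1'='1", key), key)
    except SqlInjectionDetected as exc:
        print("blocked:", exc)
```

Note that an attacker who guesses a wrong suffix (`OR42`) produces a token the proxy treats as a plain identifier, so the DBMS sees a syntax error rather than a boolean condition; the scheme's security rests on the suffix staying secret, which is why the key is generated with `secrets` and never appears in any error message sent back to the client.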
