Using Automated Fix Generation to Secure SQL Statements

Since 2002, over 10% of total cyber vulnerabilities were SQL injection vulnerabilities. Since most developers are not experienced software security practitioners, a solution for correctly fixing SQL injection vulnerabilities that does not require security expertise is desirable. In this paper, we propose an automated method for removing SQL injection vulnerabilities from Java code by converting plain-text SQL statements into prepared statements. A prepared statement fixes the structure of the SQL text before any input is seen and binds the input as a value, which restricts the way that input can affect the execution of the statement. An automated solution allows developers to remove SQL injection vulnerabilities by replacing vulnerable code with generated secure code. In a formative case study, we tested our automated fix generation algorithm on five toy Java programs which contained seeded SQL injection vulnerabilities and a set of object traceability issues. The results of our case study show that our technique was able to remove SQL injection vulnerabilities in five different statement configurations.
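The before/after shape the abstract describes, as an added example that is not code from the paper or its tool. The paper targets Java (`Statement` built by string concatenation rewritten to a `PreparedStatement` with `?` placeholders and `setString()` calls); the example below uses Python's standard-library `sqlite3` so it runs stand-alone without a JDBC driver, and its `?` parameter binding plays the same role as the Java prepared statement. The table, the two users and the payload string are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users (not from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """'Before' form: the untrusted value is spliced into the SQL text.

    This is the plain-text statement shape the paper's tool rewrites. The
    input becomes part of the statement's syntax, so a quote inside `name`
    changes the structure of the query instead of being compared as data.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list[str]:
    """'After' form: fixed SQL text with a placeholder; the value is bound.

    The statement structure is decided before any input is seen; the driver
    passes `name` purely as a value. This is what a Java PreparedStatement
    with a `?` placeholder and setString(1, name) does.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Constructed injection string: closes the open quote and appends a tautology,
# turning  WHERE name = 'x'  into  WHERE name = 'x' OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both forms with a benign name and with the payload."""
    conn = make_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "alice"),
        "benign_prepared": lookup_prepared(conn, "alice"),
        "attack_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "attack_prepared": lookup_prepared(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign input both forms return the same single row; with the payload the concatenated form returns every user, while the prepared form returns nothing because the whole payload is compared as one string value. That difference is the property the conversion to prepared statements buys, and it holds regardless of how the input is escaped or validated upstream.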
