Runtime monitors for tautology based SQL injection attacks

The increased use of web applications in recent years has emphasized the need to ensure their (i) confidentiality, (ii) integrity, and (iii) availability. Because the backend database is the main target of external attacks such as SQL injection attacks, there is a growing need to handle such attacks in order to secure stored information. Pre-deployment testing alone does not ensure complete security; post-deployment monitoring of a web application as it interacts with the external world can therefore help handle SQL injection attacks more effectively. In this paper, we present a framework that handles tautology-based SQL injection attacks using a post-deployment monitoring technique. Our framework uses two pre-deployment testing techniques, basis path testing and data flow testing, to identify the legal execution paths of the software. Runtime monitors are then developed and integrated to observe the behavior of the software along the identified execution paths, so that a violation of those paths helps detect and prevent tautology-based SQL injection attacks.
