SQLProb: a proxy-based architecture towards preventing SQL injection attacks

SQL injection attacks (SQLIAs) consist of maliciously crafted SQL inputs, including control code, used against Database-connected Web applications. To curtail the attackers' ability to generate such attacks, we propose an SQL Proxy-based Blocker (SQLProb). SQLProb harnesses the effectiveness and adaptivity of genetic algorithms to dynamically detect and extract users' inputs for undesirable SQL control sequences. Compared to state-of-the-art protection mechanisms, our method does not require any code changes on either the client, the web-server or the back-end database. Rather, our system uses a proxy that seamlessly integrates with existing operational environments offering protection to front-end web servers and back-end databases. To evaluate the overhead and the detection performance of our system, we implemented a prototype of SQLProb which we tested using real SQL attacks. Our experimental results show that we can detect all SQL injection attacks while maintaining very low resource utilization.

[1]  Benjamin Livshits,et al.  Context-sensitive program analysis as database queries , 2005, PODS.

[2]  Giovanni Vigna,et al.  A Learning-Based Approach to the Detection of SQL Attacks , 2005, DIMVA.

[3]  Alessandro Orso,et al.  Using positive tainting and syntax-aware evaluation to counter SQL injection attacks , 2006, SIGSOFT '06/FSE-14.

[4]  Premkumar T. Devanbu,et al.  JDBC checker: a static analysis tool for SQL/JDBC applications , 2004, Proceedings. 26th International Conference on Software Engineering.

[5]  T. Speed,et al.  Biological Sequence Analysis , 1998 .

[6]  Richard Sharp,et al.  Specifying and Enforcing Application-Level Web Security Policies , 2003, IEEE Trans. Knowl. Data Eng..

[7]  Xuxian Jiang,et al.  Profiling self-propagating worms via behavioral footprinting , 2006, WORM '06.

[8]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[9]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[10]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[11]  S. Rai,et al.  Safe query objects: statically typed objects as remotely executable queries , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[12]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[13]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[14]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[15]  Tadeusz Pietraszek,et al.  Defending Against Injection Attacks Through Context-Sensitive String Evaluation , 2005, RAID.

[16]  Sin Yeung Lee,et al.  Learning Fingerprints for a Database Intrusion Detection System , 2002, ESORICS.

[17]  Xuxian Jiang,et al.  An Architectural Approach to Preventing Code Injection Attacks , 2010, IEEE Transactions on Dependable and Secure Computing.

[18]  Martin Johns,et al.  SMask: preventing injection attacks in web applications by approximating automatic data/code separation , 2007, SAC '07.

[19]  Monica S. Lam,et al.  Finding Application Errors Using PQL: a Program Query Language , 2004 .

[20]  Giovanni Vigna,et al.  Multi-module vulnerability analysis of web-based applications , 2007, CCS '07.

[21]  Claus Brabrand,et al.  PowerForms: Declarative client-side form field validation , 2004, World Wide Web.

[22]  V. N. Venkatakrishnan,et al.  CANDID: preventing sql injection attacks using dynamic candidate evaluations , 2007, CCS '07.

[23]  Kenji Kono,et al.  Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[24]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[25]  Benjamin Livshits,et al.  Finding application errors and security flaws using PQL: a program query language , 2005, OOPSLA '05.

[26]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[27]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[28]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[29]  Alexander Aiken,et al.  Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.