CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks

SQL injection attacks are one of the top-most threats for applications written for the Web. These attacks are launched through specially crafted user inputs, on Web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming Web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called Candid, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We have also implemented Candid by modifying a Java Virtual Machine, which safeguards applications without requiring retrofitting. We report extensive experimental results that show that our approach performs remarkably well in practice.

[1]  Pavol Cerný,et al.  Synthesis of interface specifications for Java classes , 2005, POPL '05.

[2]  Alessandro Orso,et al.  Using positive tainting and syntax-aware evaluation to counter SQL injection attacks , 2006, SIGSOFT '06/FSE-14.

[3]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[4]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[5]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[6]  S. Rai,et al.  Safe query objects: statically typed objects as remotely executable queries , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[7]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[8]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[9]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[10]  Alexander Aiken,et al.  Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.

[11]  Giovanni Vigna,et al.  A Learning-Based Approach to the Detection of SQL Attacks , 2005, DIMVA.

[12]  Ravi Sandhu,et al.  ACM Transactions on Information and System Security: Editorial , 2005 .

[13]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[14]  R.A. McClure,et al.  SQL DOM: compile time checking of dynamic SQL statements , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[15]  Laurie Hendren,et al.  Soot: a Java bytecode optimization framework , 2010, CASCON.

[16]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[17]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[18]  George C. Necula,et al.  Mining Temporal Specifications for Error Detection , 2005, TACAS.

[19]  V. N. Venkatakrishnan,et al.  XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks , 2008, DIMVA.

[20]  Tadeusz Pietraszek,et al.  Defending Against Injection Attacks Through Context-Sensitive String Evaluation , 2005, RAID.

[21]  Renaud Pawlak,et al.  Spoon: Program Analysis and Transformation in Java , 2006 .

[22]  V. N. Venkatakrishnan,et al.  CANDID: preventing sql injection attacks using dynamic candidate evaluations , 2007, CCS '07.

[23]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[24]  SQL Injection Signatures Evasion , 2004 .

[25]  Rupak Majumdar,et al.  Dynamic test input generation for database applications , 2007, ISSTA '07.

[26]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[27]  James R. Larus,et al.  Mining specifications , 2002, POPL '02.

[28]  Giovanni Vigna,et al.  Multi-module vulnerability analysis of web-based applications , 2007, CCS '07.

[29]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.