Eliminating SQL Injection Attacks - A Transparent Defense Mechanism

The widespread adoption of Web services as an instant means of information dissemination and for various other transactions has made them a key component of today's Internet infrastructure. Web-based systems comprise both infrastructure components and application-specific code. Many organizations have started extensively deploying intrusion detection/prevention systems and firewalls to secure their vital installations. However, very little emphasis is placed on securing the applications that run on these systems, apart from frequent updates and patching. SQL-injection attacks are a class of attacks to which many of these systems are highly vulnerable, and there is no known fool-proof defense against them. In this paper, we propose a technique that combines static analysis of application code with runtime validation to detect the occurrence of such attacks. Deploying this technique does not require modifying the source code of application scripts, which allows seamless integration with currently deployed systems. We describe several optimizations that improve overall efficiency and present a preliminary evaluation of the prototype we developed.
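As an added illustration (not the paper's own implementation), the following models the static-plus-runtime idea in the abstract: the static phase records the token structure each query-building site is expected to produce, and the runtime phase lets a concrete query through only if its structure matches, so injected input that adds clauses, comments or unbalanced quotes is blocked without touching the application code. The tokenizer, the '?' placeholder convention and the sample inputs are assumptions made for this example.

```python
import re

# Lexer for a small SQL subset. A query's structure is its sequence of keywords,
# identifiers and operators; literal values collapse to <lit>, since user input
# is only ever meant to change a literal's value, never the query's shape.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)      # SQL comment
  | (?P<string>'(?:[^']|'')*')           # quoted string ('' is an escaped quote)
  | (?P<number>\d+(?:\.\d+)?)            # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)     # keyword or identifier
  | (?P<punct>[^\s\w'])                  # single-character operator/punctuation
  | (?P<bad>')                           # lone quote: unterminated string
""", re.VERBOSE | re.DOTALL)

def structure(sql):
    """Map a concrete query to its structural token list."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind in ("string", "number"):
            out.append("<lit>")
        elif kind == "word":
            out.append(m.group().upper())   # SQL keywords are case-insensitive
        elif kind in ("comment", "bad"):
            out.append("<" + kind + ">")
        else:
            out.append(m.group())
    return out

def expected_structure(template):
    """Static phase (modelled): the template is the query text as it appears at
    the call site, with '?' marking each position meant to hold user data."""
    return ["<lit>" if t == "?" else t for t in structure(template)]

def build_query(template, *values):
    """The application's own unsafe string building, modelled: each '?' is
    replaced by the raw value, exactly as string concatenation would do."""
    parts = template.split("?")
    return "".join(p + str(v) for p, v in zip(parts, values)) + parts[-1]

def validate(template, query):
    """Runtime phase: let the query reach the database only if its structure
    is exactly the one predicted for this call site."""
    return structure(query) == expected_structure(template)

LOGIN = "SELECT * FROM users WHERE name='?' AND pass='?'"   # assumed call site
if __name__ == "__main__":   # constructed inputs: one benign login, two attacks
    for name, pw in [("alice", "s3cret"), ("admin'--", "x"), ("", "' OR '1'='1")]:
        q = build_query(LOGIN, name, pw)
        print("ALLOW" if validate(LOGIN, q) else "BLOCK", "|", q)
```

A benign value containing a properly escaped quote (O''Brien) still matches the expected structure, so the check distinguishes changed structure from merely unusual data.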
