Code-based Analysis Approach to Detect and Prevent SQL Injection Attacks

Nowadays web applications are everywhere. These applications are usually developed as database programs, which are often written in popular host programming languages such as C, C++, C#, Java, etc., with embedded Structured Query Language (SQL). They access and process crucial data with the help of a Database Management System (DBMS). Protecting sensitive data from any kind of attack is one of the prime requirements that a web application must satisfy, and SQL injection is one of the most important security threats to web applications. In this paper, we propose a code-based analysis approach to automatically detect and prevent possible SQL Injection Attacks (SQLIA) in a query before it is submitted to the underlying database. The approach analyses the user input by assigning a complex number to each input element. It has two parts: (i) input clustering and (ii) safe (non-malicious) input identification. We provide a detailed discussion of the proposal with respect to the literature, from both the security and the execution-overhead point of view.
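The abstract's central idea is to decide, before a dynamically built query reaches the DBMS, whether user input has changed the query's structure. The following is an added illustration of that idea and is not the paper's code: it does not reproduce the complex-number clustering the authors propose, but shows the generic check such a pre-submission guard performs (comparing the token structure of the real query against the structure obtained with harmless placeholder inputs) next to the concatenated query it protects and the parameterised query that removes the problem entirely. The table, rows and `login_*` helpers are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the paper).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(name, password):
    """Dynamic SQL built by string concatenation: the classic SQLIA sink."""
    return (f"SELECT name FROM users WHERE name = '{name}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, name, password):
    """Submits the concatenated query unchecked."""
    return [r[0] for r in conn.execute(build_query(name, password))]


def login_safe(conn, name, password):
    """Parameterised query: structure and values reach the DBMS separately."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [r[0] for r in conn.execute(q, (name, password))]


# Minimal SQL tokenizer. Alternatives are ordered so that comments win over
# the '-' and '/' operators and string literals win over the bare quote.
TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')              # single-quoted literal, ''-escaped
  | (?P<NUM>\d+(?:\.\d+)?)               # numeric literal
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)     # keyword or identifier
  | (?P<COMMENT>--[^\n]*|/\*.*?\*/)      # SQL comment
  | (?P<OP>[=<>!]+|\|\||[+\-*/%])        # operator
  | (?P<PUNCT>[(),;.])                   # punctuation
  | (?P<WS>\s+)                          # whitespace (dropped)
  | (?P<OTHER>.)                         # anything else, e.g. a stray quote
""", re.VERBOSE | re.DOTALL)


def token_shape(sql):
    """Structure of a query: token kinds, with literal values abstracted away."""
    shape = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "WS":
            continue
        if kind == "WORD":
            shape.append(("WORD", m.group().upper()))   # keywords matter
        elif kind in ("OP", "PUNCT", "OTHER"):
            shape.append((kind, m.group()))
        else:
            shape.append((kind, None))                  # STR/NUM/COMMENT value irrelevant
    return shape


def is_structure_preserved(build, inputs, placeholders):
    """True if the real inputs produce the same token structure as harmless placeholders.

    Any input that adds keywords, operators, comments or extra literals changes
    the shape and is reported as a suspected injection.
    """
    expected = token_shape(build(*placeholders))
    actual = token_shape(build(*inputs))
    return expected == actual


def login_guarded(conn, name, password):
    """Pre-submission guard: refuse structure-changing input, else run the query.

    Returns None when the query is rejected as a suspected SQLIA.
    """
    if not is_structure_preserved(build_query, (name, password), ("x", "x")):
        return None
    return [r[0] for r in conn.execute(build_query(name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", payload))   # every user leaks
    print("guarded:   ", login_guarded(db, "alice", payload))      # None: rejected
    print("safe:      ", login_safe(db, "alice", payload))         # []: literal compare
```

The guard detects a change in query structure rather than validating literal values, so it is a detection layer in front of legacy concatenated SQL; a quote inside a benign value (for example a surname with an apostrophe) still has to be escaped, and the parameterised `login_safe` form is the preventive fix that makes the check unnecessary.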
