CANDID: preventing sql injection attacks using dynamic candidate evaluations

SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called C<scp>ANDID</scp>, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called C<scp>ANDID</scp>, that retrofits Web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice.

[1]  Alessandro Orso,et al.  Using positive tainting and syntax-aware evaluation to counter SQL injection attacks , 2006, SIGSOFT '06/FSE-14.

[2]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[3]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[4]  Alexander Aiken,et al.  Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.

[5]  Laurie Hendren,et al.  Soot---a java optimization framework , 1999 .

[6]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[7]  Tadeusz Pietraszek,et al.  Defending Against Injection Attacks Through Context-Sensitive String Evaluation , 2005, RAID.

[8]  George C. Necula,et al.  Mining Temporal Specifications for Error Detection , 2005, TACAS.

[9]  Rupak Majumdar,et al.  Dynamic test input generation for database applications , 2007, ISSTA '07.

[10]  Pavol Cerný,et al.  Synthesis of interface specifications for Java classes , 2005, POPL '05.

[11]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[12]  S. Rai,et al.  Safe query objects: statically typed objects as remotely executable queries , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[13]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[14]  SQL Injection Signatures Evasion , 2004 .

[15]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[16]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[17]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[18]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[19]  R.A. McClure,et al.  SQL DOM: compile time checking of dynamic SQL statements , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[20]  Wei Xu,et al.  Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks , 2006, USENIX Security Symposium.

[21]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[22]  James R. Larus,et al.  Mining specifications , 2002, POPL '02.

[23]  Giovanni Vigna,et al.  A Learning-Based Approach to the Detection of SQL Attacks , 2005, DIMVA.