A Static Analysis Framework For Detecting SQL Injection Vulnerabilities

Recently, the SQL injection attack (SIA) has become a major threat to Web applications. Via carefully crafted user input, attackers can expose or manipulate the back-end database of a Web application. This paper proposes the construction and outlines the design of a static analysis framework (called SAFELI) for identifying SIA vulnerabilities at compile time. SAFELI statically inspects the MSIL bytecode of an ASP.NET Web application using symbolic execution. At each hotspot that submits a SQL query, a hybrid constraint solver is used to find the user input that could lead to a breach of information security. Once completed, SAFELI has the potential to discover more subtle SQL injection attacks than black-box Web security inspection tools.
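As an added illustration, not code from the paper or from SAFELI itself, the hotspot check described above in miniature: a query assembled by string concatenation is modelled as constant fragments interleaved with symbolic (untrusted) inputs, and a tiny solver looks for an input binding whose query has a different token structure than a benign binding would produce. The source labels such as Request.Form['user'] are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Symbolic model of one query-building hotspot: constant SQL text and
# symbolic inputs, each optionally passed through a quote-doubling escaper.
@dataclass
class Const:
    text: str

@dataclass
class Sym:
    name: str              # label of the untrusted source (hypothetical)
    escaped: bool = False  # True if the hotspot doubles single quotes

Fragment = Union[Const, Sym]
# One token per SQL string literal ('' is an escaped quote), word, or symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\w\s]")

def structure(sql: str) -> List[str]:
    """Reduce a query to its token skeleton: literals and words collapse to a
    kind, punctuation stays as-is. Same skeleton means same parse shape."""
    kinds = []
    for t in TOKEN.findall(sql):
        kinds.append("lit" if t[0] == "'" else
                     "word" if t[0].isalnum() or t[0] == "_" else t)
    return kinds

def concretize(frags: List[Fragment], value: str) -> str:
    """Symbolic execution of the concatenation chain with every symbolic
    input bound to `value` (escaped where the hotspot escapes it)."""
    parts = []
    for f in frags:
        if isinstance(f, Const):
            parts.append(f.text)
        else:
            parts.append(value.replace("'", "''") if f.escaped else value)
    return "".join(parts)

def check_hotspot(frags: List[Fragment]) -> Optional[str]:
    """Constraint: does some binding change the skeleton relative to a benign
    one? A minimal solver tries two candidates: whitespace-separated words
    (defeats unquoted numeric contexts even when escaped) and an embedded
    quote (defeats unescaped string-literal contexts). Returns the witness."""
    baseline = structure(concretize(frags, "x1"))
    for witness in ("1 a", "a'b"):
        if structure(concretize(frags, witness)) != baseline:
            return witness
    return None  # no structural change found: hotspot considered safe

# Constructed sample hotspots, as SAFELI would see them after decompilation.
VULN = [Const("SELECT * FROM users WHERE name='"), Sym("Request.Form['user']"), Const("'")]
SAFE = [Const("SELECT * FROM users WHERE name='"), Sym("Request.Form['user']", escaped=True), Const("'")]
NUMERIC = [Const("SELECT * FROM users WHERE id="), Sym("Request.QueryString['id']", escaped=True)]
```

Escaping closes the string-literal case but not the unquoted one, which is why the solver reports NUMERIC despite the escaper; a parameterised query would remove both findings.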
