DOI: 10.1145/2857705.2857723
Research article

Hacking the DBMS to Prevent Injection Attacks

Published: 09 March 2016

Abstract

After more than a decade of research, web application security continues to be a challenge, and the backend database remains the most attractive target. This paper proposes preventing injection attacks against the database management system (DBMS) behind web applications by embedding the protections in the DBMS itself. The motivation is twofold. First, embedding protections in operating systems and in the applications running on top of them has proven effective at protecting that software. Second, there is a semantic mismatch between how SQL queries are believed to be executed by the DBMS and how they are actually executed, which leads to subtle vulnerabilities in prevention mechanisms. The approach -- SEPTIC -- was implemented in MySQL and evaluated experimentally with web applications written in PHP and Java/Spring. In the evaluation, SEPTIC showed neither false negatives nor false positives, unlike the alternative approaches, while imposing a low performance overhead of about 2.2%.


Cited By

  • (2020) You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 445-457. DOI: 10.1145/3320269.3384760. Online publication date: 5 Oct 2020.

Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN:9781450339353
DOI:10.1145/2857705

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. dbms self-protection
  2. injection attacks
  3. security
  4. software security
  5. web applications

Qualifiers

  • Research-article

Conference

CODASPY'16

Acceptance Rates

CODASPY '16 Paper Acceptance Rate 22 of 115 submissions, 19%;
Overall Acceptance Rate 149 of 789 submissions, 19%
