
CANDID : Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations V. N. Venkatakrishnan Assistant Professor, Computer Science University of.


1 CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations
V. N. Venkatakrishnan, Assistant Professor, Computer Science, University of Illinois at Chicago
Joint work with: Sruthi Bandhakavi (UIUC), Prithvi Bisht (UIC) and P. Madhusudan (UIUC)

2 SQL Injection: Typical Query
[Diagram: user input goes from the web browser to the application server, which builds the query and sends it to the database; the result set comes back to the browser as a web page.]
Form "Phonebook Record Manager": Username = John, Password = open_sesame; buttons Submit, Delete, Display.
Query: SELECT * FROM phonebook WHERE username = 'John' AND password = 'open_sesame'
Result: John's phonebook entries are displayed.

3 SQL Injection: Typical Query (the same form, now with a malicious username)
Form "Phonebook Record Manager": Username = John' OR 1=1 --, Password = not needed.
Query: SELECT * FROM phonebook WHERE username = 'John' OR 1=1 --' AND password = 'not needed'
The quote closes the string early, OR 1=1 makes the condition always true, and -- comments out the password check.
Result: all phonebook entries are displayed.

4 SQL Injection Attacks are a Serious Threat
[Chart: CVE vulnerabilities in 2004 and in 2006, SQL Injection compared with XSS.]
CardSystems security breach (2006): 263,000 customer credit card numbers stolen, 40 million more exposed.

5 Talk Overview
CANDID program transformer: Web Application -> Safe Web Application [ACM CCS'07]

6 SQL Injection
Most systems separate code from data.
SQL queries can be constructed by arbitrary sequences of programming constructs that involve string operations (concatenation, substring, ...).
Such constructs also involve (untrusted) user inputs.
Inputs should be mere "data", but in the case of SQL they end up as "code".
Result: queries intended by the programmer can be "changed" by untrusted user input.

7 Parse Structure for a Benign Query
Select * from Table WHERE username = 'John' AND password = 'os'
[Parse tree: the WHERE clause is an AND of two equality comparisons, username = 'John' and password = 'os'.]

8 Parse Structure for an Attack Query
Select * from Table WHERE username = 'John' OR 1=1 -- AND ...
[Parse tree: the WHERE clause is now an OR of username = 'John' and 1=1; everything after -- is a comment and does not appear in the tree.]

9 Attacks Change Query Structure
Prior work on detecting this structural change: Boyd et al. [BK 04], ANCS; Buehrer et al. [BWS 05], SEM; Halfond et al. [HO 05], ASE; Nguyen-Tuong et al. [NGGSE 05], SEC; Pietraszek et al. [PB 05], RAID; Valeur et al. [VMV 05], DIMVA; Su et al. [SW 06], POPL; ...
Benign query: WHERE username = 'John' AND password = 'os'
Attack query: WHERE username = 'John' OR 1=1 --' AND ...

10 Prepared Statements
Separates query structure from data.
Statements are NOT parsed for every user input.
WHERE username = ? AND password = ?   (? is a placeholder for input)
mysql> PREPARE stmt_name FROM "SELECT * FROM phonebook WHERE username = ? AND password = ?";
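The difference between slides 2, 3 and 10 in running code, as an added example that is not part of the presentation: the same phonebook lookup written once by string concatenation and once with placeholders. It assumes Python's sqlite3 in place of the MySQL database of the slides, and the table and its two rows are constructed for the demonstration.

```python
import sqlite3

# Added example: sqlite3 stands in for the MySQL database of the slides; the
# table layout and the two rows are constructed for the demonstration.

def make_db():
    """Create an in-memory phonebook with one entry each for two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (username TEXT, password TEXT, entry TEXT)")
    conn.executemany(
        "INSERT INTO phonebook VALUES (?, ?, ?)",
        [("John", "open_sesame", "Alice 555-0100"),
         ("Mary", "hunter2", "Bob 555-0199")],
    )
    return conn

def lookup_concat(conn, username, password):
    """Query built by string concatenation (slides 2 and 3): the input text is
    parsed as part of the SQL, so a quote and a -- comment change its structure."""
    sql = ("SELECT entry FROM phonebook WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, username, password):
    """Same lookup with placeholders (slide 10): the query structure is fixed
    before the inputs are bound, so they can only ever be compared as data."""
    sql = "SELECT entry FROM phonebook WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

if __name__ == "__main__":
    db = make_db()
    attack = "John' OR 1=1 --"          # the username from slide 3
    print("concatenated, benign :", lookup_concat(db, "John", "open_sesame"))
    print("concatenated, attack :", lookup_concat(db, attack, "not needed"))
    print("prepared, attack     :", lookup_prepared(db, attack, "not needed"))
```

With the slide-3 username, lookup_concat returns every row because the password comparison is commented out of the statement, while lookup_prepared returns nothing: the database compares the whole string "John' OR 1=1 --" against the username column and finds no such user.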

11 Legacy Applications
For existing applications, adding PREPARE statements will prevent SQL injection attacks.
Hard to do automatically with static techniques:
  need to guess the structure of the query at each query issue location;
  the query issued at a location depends on the path taken in the program.
Human-assisted efforts can add PREPARE statements, but this is a costly effort.
Problem: is it possible to dynamically infer the benign query structure?

12 High-level idea: Dynamic Candidate Evaluations
Generate a candidate query along with the actual query.
The candidate query is always non-attacking; the actual query is possibly malicious.
Create benign sample inputs (candidate inputs) for every user input.
Execute the program simultaneously over actual inputs and candidate inputs.
Issue the actual query only if the parse structures match.
[Diagram: actual input and candidate input both flow through the application; the actual query and the candidate query each go through a SQL parser; on Match the actual query is sent to the DB, on No Match it is blocked.]
How can we guess benign candidate inputs for every execution?

13 Finding Benign Candidate Inputs
[Diagram: an actual path and a candidate path through the program, both ending at the same query issue location.]
Have to create a set of candidate inputs which:
  are benign;
  issue a query at the same query issue location;
  by following the same path in the program.
Problem: hard; in the most general case it is undecidable.

14 Our Solution: Use Manifestly Benign Inputs
For every string, create a sample string of 'a's having the same length.
Form "Phonebook Record Manager": User Name = John, Password = os; buttons Submit, Delete, Display.
Candidate input: uname = 'aaaa', pwd = 'aa'
Shadow every intermediate string variable that depends on input.
For integer or boolean variables, use the originals.
Follow the original control flow.

15 Evaluate Conditionals Only on Actual Inputs
input str uname, str pwd, bool display
if (display)   // true
    query = "SELECT * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'"
else           // false
    query = "DELETE * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'"
User input:      uname = "john", pwd = "os", display = false
Candidate input: uname = "aaaa", pwd = "aa", display = true
Actual query:    DELETE * from phonebook WHERE username = 'john' AND password = 'os'
Candidate query: DELETE * from phonebook WHERE username = 'aaaa' AND password = 'aa'
The candidate run takes the branch chosen by the actual display value (false), not by the candidate's own value; the candidate's display is never consulted, so both runs build the same kind of query.

16 CANDID Program Transformation Example
Original program:
    i/p str uname; i/p str pwd; i/p bool delete;
    uname = input_1; pwd = input_2; delete = input_3;
    if (delete)   // true
        query = "DELETE * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'";
    else          // false
        query = "SELECT * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'";
    execute_query(query);

Transformed program:
    i/p str uname; i/p str pwd; i/p bool delete;
    str uname_c; str pwd_c;
    uname = input_1; pwd = input_2; delete = input_3;
    uname_c = createSample(uname); pwd_c = createSample(pwd);
    if (delete) {   // true: the actual boolean drives both the real and the candidate query
        query   = "DELETE * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'";
        query_c = "DELETE * from phonebook WHERE username = '" + uname_c + "' AND password = '" + pwd_c + "'";
    } else {        // false
        query   = "SELECT * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'";
        query_c = "SELECT * from phonebook WHERE username = '" + uname_c + "' AND password = '" + pwd_c + "'";
    }
    if (match_queries(query, query_c) == true)
        execute_query(query);

17 Resilience of CANDID
Input "Alan Turing" -> input splitting function -> SELECT ... WHERE first_name = "Alan" AND last_name = "Turing"
Candidate "aaaaaaaaaaa" -> instrumented input splitting function -> SELECT ... WHERE first_name = "aaaa" AND last_name = "aaaaaa"
Instrumented input splitting function:
    space_index = 4                 (computed from the actual input, reused for the candidate)
    fn = input[0..3] = "Alan"
    ln = input[5..9] = "Turing"
    fn_c = input_c[0..3] = "aaaa"
    ln_c = input_c[5..9] = "aaaaaa"
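The candidate evaluation of slides 12 to 17 as one runnable model, added here as an example and not the CANDID implementation (which instruments Java bytecode and compares real SQL parse trees). A small tokenizer that collapses literals to STR/NUM and drops comments stands in for the parse-tree checker; the query construction, the actual-boolean-drives-both-runs rule of slide 15, and the instrumented input splitting of slide 17 are written in plain Python. The functions structure, create_sample, build_query, candid_check, split_full_name and name_query_check and all inputs are constructed for this example; the DELETE is written as standard "DELETE FROM".

```python
import re

# Added example (not the CANDID implementation): a tokenizer stands in for the
# SQL parse-tree checker and the queries are built in plain Python. All names
# and inputs are constructed for the demonstration.

TOKEN_RE = re.compile(
    r"(?P<str>'(?:[^']|'')*')"        # single-quoted literal, '' escapes a quote
    r"|(?P<comment>--.*)"             # -- comment runs to end of line
    r"|(?P<num>\d+)"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<op>[=<>!]+|[*,()])"
    r"|(?P<ws>\s+)"
    r"|(?P<other>.)"
)

def structure(sql):
    """Structural skeleton of a query: literals collapse to STR/NUM, comments
    and whitespace vanish, keywords and identifiers are kept (upper-cased)."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind in ("ws", "comment"):
            continue
        if kind == "str":
            out.append("STR")
        elif kind == "num":
            out.append("NUM")
        elif kind == "word":
            out.append(m.group().upper())
        else:
            out.append(m.group())
    return tuple(out)

def create_sample(s):
    """Manifestly benign candidate (slide 14): same length, all 'a'."""
    return "a" * len(s)

def build_query(uname, pwd, display):
    """The programmer's query construction from slide 15 (DELETE in standard SQL)."""
    if display:
        return ("SELECT * FROM phonebook WHERE username = '" + uname
                + "' AND password = '" + pwd + "'")
    return ("DELETE FROM phonebook WHERE username = '" + uname
            + "' AND password = '" + pwd + "'")

def candid_check(uname, pwd, display):
    """Run the construction twice, on actual and on candidate strings.
    `display` is the ACTUAL boolean in both runs (slide 15): the candidate
    follows the original control flow instead of one of its own."""
    actual = build_query(uname, pwd, display)
    candidate = build_query(create_sample(uname), create_sample(pwd), display)
    return structure(actual) == structure(candidate), actual, candidate

def split_full_name(full, full_c):
    """Instrumented input splitting (slide 17): the split index is computed
    from the actual input and reused for the candidate string."""
    space_index = full.find(" ")
    if space_index < 0:                 # no space: whole input is the first name
        return (full, ""), (full_c, "")
    return ((full[:space_index], full[space_index + 1:]),
            (full_c[:space_index], full_c[space_index + 1:]))

def name_query_check(full_name):
    """Candidate evaluation for the split-name query of slide 17."""
    (fn, ln), (fn_c, ln_c) = split_full_name(full_name, create_sample(full_name))
    actual = ("SELECT * FROM users WHERE first_name = '" + fn
              + "' AND last_name = '" + ln + "'")
    candidate = ("SELECT * FROM users WHERE first_name = '" + fn_c
                 + "' AND last_name = '" + ln_c + "'")
    return structure(actual) == structure(candidate), (fn_c, ln_c)

if __name__ == "__main__":
    for args in [("John", "open_sesame", True),
                 ("John", "os", False),
                 ("John' OR 1=1 --", "not needed", True)]:
        ok, actual, candidate = candid_check(*args)
        print("MATCH   " if ok else "NO MATCH", actual)
        print("         ", candidate)
    print(name_query_check("Alan Turing"))
```

For the benign inputs both skeletons read SELECT * FROM PHONEBOOK WHERE USERNAME = STR AND PASSWORD = STR and the query is issued; with display = false both runs build a DELETE, which is exactly why the candidate must not evaluate its own boolean. For the slide-3 username the actual skeleton becomes ... USERNAME = STR OR NUM = NUM (the comment swallowed the password clause) while the candidate keeps the AND, so the structures differ and the query is blocked. The split-name case reproduces slide 17: the candidate "aaaaaaaaaaa" is cut at the actual input's space index into "aaaa" and "aaaaaa".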

18 CANDID Implementation Architecture
Offline view: Java bytecode transformer: Original Program (Java bytecode) -> Instrumented Web Application
Online view: Browser -> Web Server (Tomcat) -> Instrumented Web Application -> SQL Parse Tree Checker -> DB (MySql)

19 Thank You. Questions?
Acknowledgments: xkcd.com
