
CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations
V. N. Venkatakrishnan, Assistant Professor, Computer Science, University of Illinois at Chicago
Joint work with: Sruthi Bandhakavi (UIUC), Prithvi Bisht (UIC) and P. Madhusudan (UIUC)

SQL Injection: Typical Query
[Diagram: web browser -> application server -> database. User input enters the application server, which builds a query; the database returns a result set, which the server renders as a web page.]
Form "Phonebook Record Manager": Username = John, Password = open_sesame (buttons: Submit, Delete, Display)
Query: SELECT * FROM phonebook WHERE username = 'John' AND password = 'open_sesame'
Result: John's phonebook entries are displayed

SQL Injection: Typical Query (attack)
[Same diagram as the previous slide.]
Form "Phonebook Record Manager": Username = John' OR 1=1 --, Password = not needed
Query: SELECT * FROM phonebook WHERE username = 'John' OR 1=1 --' AND password = 'not needed'
The injected quote closes the string literal, OR 1=1 makes the condition true for every row, and -- turns the rest of the statement (including the password check) into a comment.
Result: all phonebook entries are displayed

SQL Injection Attacks are a Serious Threat
[Chart: CVE vulnerabilities in 2004 and 2006, SQL injection versus XSS.]
CardSystems security breach (2005): 263,000 customer credit card numbers stolen, 40 million more exposed

Talk Overview
[Diagram: Web Application -> CANDID Program Transformer -> Safe Web Application] [ACM CCS'07]

SQL Injection
- Most systems separate code from data
- SQL queries can be constructed by arbitrary sequences of programming constructs that involve string operations (concatenation, substring, ...)
- Such constructs also involve (untrusted) user inputs
- Inputs should be mere "data", but in the case of SQL they can end up as "code"
- Result: the query intended by the programmer can be "changed" by untrusted user input

Parse Structure for a Benign Query
SELECT * FROM Table WHERE username = 'John' AND password = 'os'
[Parse tree: the WHERE clause is an AND node whose two children are the comparisons username = 'John' and password = 'os'.]

Parse Structure for an Attack Query
SELECT * FROM Table WHERE username = 'John' OR 1=1 -- ' AND ...
[Parse tree: the WHERE clause is now an OR node whose children are the comparison username = 'John' and the tautology 1=1; everything after -- is a comment and never reaches the parser.]

Attacks Change Query Structure
Prior work built on this observation: Boyd et al. [BK 04], ANCS; Buehrer et al. [BWS 05], SEM; Halfond et al. [HO 05], ASE; Nguyen-Tuong et al. [NGGSE 05], SEC; Pietraszek et al. [PB 05], RAID; Valeur et al. [VMV 05], DIMVA; Su et al. [SW 06], POPL ...
Benign query: WHERE username = 'John' AND password = 'os'
Attack query: WHERE username = 'John' OR 1=1 --' AND ...

Prepared Statements
- Separate query structure from data
- The statement is parsed once, with placeholders where the inputs go; user inputs are bound to the placeholders as data and are never re-parsed as SQL
Template: WHERE username = ? AND password = ?   (the placeholders are not quoted; the driver supplies the literal)
mysql> PREPARE stmt_name FROM "SELECT * FROM phonebook WHERE username = ? AND password = ?"
("?" is the placeholder for an input)
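The following is an added example, not part of the talk, that shows the two slides above side by side on a runnable database: the phonebook query built by string concatenation (which the John' OR 1=1 -- input turns into a tautology) next to the same lookup as a prepared statement with bound parameters. It uses Python's sqlite3 module instead of MySQL; the table layout and the two rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for this example: an in-memory phonebook.
    Assumption: the application's real table has a similar shape."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE phonebook (username TEXT, password TEXT, entry TEXT)")
    con.executemany("INSERT INTO phonebook VALUES (?, ?, ?)", [
        ("John", "open_sesame", "John: 555-0100"),
        ("Alice", "s3cret", "Alice: 555-0199"),
    ])
    return con


def lookup_concat(con, username, password):
    """Vulnerable version: user input is spliced into the query text, so a quote
    in the input changes the parse structure of the statement."""
    query = ("SELECT entry FROM phonebook WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in con.execute(query))


def lookup_prepared(con, username, password):
    """Prepared version: the statement text is fixed and contains only
    placeholders; the inputs are bound as data and never re-parsed as SQL."""
    query = "SELECT entry FROM phonebook WHERE username = ? AND password = ?"
    return sorted(row[0] for row in con.execute(query, (username, password)))


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "John", "open_sesame"))              # John's entry only
    print(lookup_concat(db, "John' OR 1=1 --", "not needed"))    # every entry: injected
    print(lookup_prepared(db, "John' OR 1=1 --", "not needed"))  # no rows: input stayed data
```

With the concatenated query the injected input produces `... WHERE username = 'John' OR 1=1 --' AND password = 'not needed'`, and the database returns both rows; with the prepared statement the same input is compared, quote and all, against the username column and matches nothing.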

Legacy Applications
- For existing applications, adding PREPARE statements will prevent SQL injection attacks
- Hard to do automatically with static techniques: one would need to guess the structure of the query at each query issue location, and the query issued at a location depends on the path taken through the program
- Human-assisted efforts can add PREPARE statements, but the effort is costly
Problem: Is it possible to dynamically infer the benign query structure?

High-level idea: Dynamic Candidate Evaluations
- Create benign sample inputs (candidate inputs) for every user input
- Execute the program simultaneously over the actual inputs and the candidate inputs
- The application generates a candidate query along with the actual query: the candidate query is always non-attacking, the actual query is possibly malicious
- Parse both queries with the SQL parser; issue the actual query to the DB only if the parse structures match, otherwise block it
[Diagram: actual I/P and candidate I/P -> application -> actual query and candidate query -> SQL parser -> match / no match -> DB]
Question: how can we guess benign candidate inputs for every execution?

Finding Benign Candidate Inputs
[Diagram: actual path and candidate path through the program, both reaching the same query issue location.]
Have to create a set of candidate inputs which
- are benign
- issue a query at the same query issue location
- by following the same path in the program
Problem: hard; in the most general case it is undecidable

Our Solution: Use Manifestly Benign Inputs
- For every input string, create a sample string of 'a's having the same length
- Candidate input: uname = 'aaaa', pwd = 'aa' (for the form inputs User Name = John, Password = os)
- Shadow every intermediate string variable that depends on input
- For integer or boolean variables, use the originals
- Follow the original control flow

Evaluate conditionals only on actual inputs
Program:
  input str uname, str pwd, bool display
  if (display)
    query = "SELECT * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'"
  else
    query = "DELETE from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'"
User input: uname = "john", pwd = "os", display = false
Candidate input: uname = "aaaa", pwd = "aa", display = ? (the candidate has no boolean of its own; if it were given display = true, the candidate run would take the SELECT branch while the actual run takes DELETE, and the two queries would differ for a reason unrelated to any attack)
Conditionals are therefore evaluated on the actual inputs only, so both runs take the same branch:
  Actual query: DELETE from phonebook WHERE username = 'john' AND password = 'os'
  Candidate query: DELETE from phonebook WHERE username = 'aaaa' AND password = 'aa'

CANDID Program Transformation Example
Original program:
  i/p str uname; i/p str pwd; i/p bool delete;
  uname = input_1; pwd = input_2; delete = input_3;
  if (delete)
    query = "DELETE FROM phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'";
  else
    query = "SELECT * FROM phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'";
  execute_query(query);
Transformed program (additions: the shadow variables uname_c and pwd_c, the candidate query query_c built along the same branch, and the structure check before the query is issued):
  i/p str uname; i/p str pwd; i/p bool delete;
  str uname_c; str pwd_c;
  uname = input_1; pwd = input_2; delete = input_3;
  uname_c = createSample(uname); pwd_c = createSample(pwd);
  if (delete) {
    query   = "DELETE FROM phonebook WHERE username = '" + uname   + "' AND password = '" + pwd   + "'";
    query_c = "DELETE FROM phonebook WHERE username = '" + uname_c + "' AND password = '" + pwd_c + "'";
  } else {
    query   = "SELECT * FROM phonebook WHERE username = '" + uname   + "' AND password = '" + pwd   + "'";
    query_c = "SELECT * FROM phonebook WHERE username = '" + uname_c + "' AND password = '" + pwd_c + "'";
  }
  if (match_queries(query, query_c) == true)
    execute_query(query);

Resilience of CANDID
Input "Alan Turing" -> input splitting function -> SELECT ... WHERE first_name = "Alan" AND last_name = "Turing"
Candidate "aaaaaaaaaaa" (11 a's) -> instrumented input splitting function -> SELECT ... WHERE first_name = "aaaa" AND last_name = "aaaaaa"
Input splitting function:
  space_index = 4
  fn = input[0..3] = "Alan"
  ln = input[5..10] = "Turing"
Instrumented input splitting function (the index is computed from the actual input and reused for the candidate, which contains no space, so the candidate is split at the same position):
  space_index = 4
  fn_c = input_c[0..3] = "aaaa"
  ln_c = input_c[5..10] = "aaaaaa"
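The following is an added example, not code from the talk or from the CANDID implementation (which is a Java bytecode transformer), that simulates the transformation from the four preceding slides in Python: candidate inputs of 'a's, both queries built along the branch chosen by the actual boolean, a structure comparison before the query is issued, and the instrumented input-splitting function from the resilience slide. The `parse_structure` helper is an assumption standing in for the paper's SQL parse-tree checker: it abstracts literals to STR/NUM and treats `--` as ending the statement, which is enough to see why the actual and candidate queries disagree under attack.

```python
import re


def create_sample(s):
    """CANDID's manifestly benign candidate input: a string of 'a's of the same
    length as the actual input. It can never contain a quote, a comment marker
    or an operator, so the query built from it is always non-attacking."""
    return "a" * len(s)


# Toy SQL lexer (assumption: the real checker compares full parse trees; the
# token shape of the query is enough to demonstrate the comparison here).
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\w+|<>|<=|>=|!=|[^\s\w]")


def parse_structure(query):
    """Abstract a query into its structure: string literals become STR, numbers
    NUM, everything else is kept as a keyword/operator. A '--' comment ends the
    statement, which is exactly how an injected '--' truncates the real query."""
    shape = []
    for tok in _TOKEN.findall(query):
        if tok.startswith("--"):
            shape.append("COMMENT")
            break
        if tok.startswith("'"):
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())
    return shape


def build_query(uname, pwd, delete):
    """The application's (untransformed) query builder from the slides: control
    flow depends on a boolean input, the query text on two string inputs."""
    if delete:
        return ("DELETE FROM phonebook WHERE username = '" + uname
                + "' AND password = '" + pwd + "'")
    return ("SELECT * FROM phonebook WHERE username = '" + uname
            + "' AND password = '" + pwd + "'")


def candid_execute(uname, pwd, delete):
    """Hand-written equivalent of the CANDID transformation. Every string input is
    shadowed by a candidate; the boolean is not shadowed, so both runs take the
    branch chosen by the actual input. The actual query is returned (i.e. would
    be issued) only if its structure matches the candidate's; None means blocked."""
    uname_c, pwd_c = create_sample(uname), create_sample(pwd)
    query = build_query(uname, pwd, delete)
    query_c = build_query(uname_c, pwd_c, delete)  # same `delete`, same path
    if parse_structure(query) != parse_structure(query_c):
        return None
    return query


def split_name_instrumented(full, full_c):
    """Instrumented input-splitting function from the resilience slide: the
    space index is computed from the actual input and reused on the candidate,
    which contains no space, so the candidate is split at the same position."""
    space_index = full.index(" ")
    fn, ln = full[:space_index], full[space_index + 1:]
    fn_c, ln_c = full_c[:space_index], full_c[space_index + 1:]
    return (fn, ln), (fn_c, ln_c)


if __name__ == "__main__":
    print(candid_execute("John", "os", False))                     # issued
    print(candid_execute("John' OR 1=1 --", "not needed", False))  # None: blocked
    print(candid_execute("x' OR 'a'='a", "y", False))              # None: no comment needed
    print(split_name_instrumented("Alan Turing", create_sample("Alan Turing")))
```

The comparison catches the tautology attack whether or not it ends in a comment: `x' OR 'a'='a` leaves the statement syntactically complete, but its WHERE clause has an extra OR node that the candidate query, built from `aaaaaaaaaaaa`, does not. Note that nothing here inspects the input values themselves; the decision rests only on whether the two queries share a structure, which is what lets the approach work without a signature of "bad" characters.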

CANDID Implementation Architecture
Offline view: original program (Java bytecode) -> Java bytecode transformer -> instrumented web application
Online view: browser -> web server (Tomcat) -> instrumented web application -> SQL parse tree checker -> DB (MySQL)

Thank You Questions? Acknowledgments: xkcd.com