CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations. 2008.09.25. Presented by Jeong-hoon Park.


2 Outline: SQL Command Injection Attack (SQLCIA); Prepared Statements; High-level idea: Dynamic Candidate Evaluations; Proposed Method; Evaluation

3 SQL Command Injection Attack (SQLCIA)
[PhoneBook Record Manager form: User Name = John, Password = 123; buttons Display / Delete; submit]
Resulting query: SELECT * FROM phonebook WHERE username='John' AND Password='123'
John's phonebook entries are displayed.

4 SQL Command Injection Attack (SQLCIA), cont.
[Same form: User Name = John' OR 1=1 --, Password = what?]
Resulting query: SELECT * FROM phonebook WHERE username='John' OR 1=1 -- ' AND Password='what?'
The closing quote ends the string early, OR 1=1 makes the WHERE clause always true, and -- turns the rest of the line (including the password check) into a comment. All phonebook entries are displayed.

7 Most systems separate code from data. SQL queries, however, are constructed by arbitrary sequences of programming constructs involving string operations (concatenation, substring, ...), and those constructs also involve trusted and untrusted user inputs. The query intended by the programmer can therefore be changed by untrusted user input.

8 SQL Command Injection Attack (SQLCIA), cont.
Benign query: SELECT * FROM phonebook WHERE username='John' AND Password='123'
The WHERE clause has the structure the programmer intended: username = <string> AND Password = <string>.

9 SQL Command Injection Attack (SQLCIA), cont.
Attack query: SELECT * FROM phonebook WHERE username='John' OR 1=1 -- ' AND Password='what?'
The WHERE clause now has a different structure: username = <string> OR 1=1, followed by a comment that swallows the password condition.

10 Prepared Statements
Prepared statements in commercial DBMSs are useful in preventing SQLCIA: they separate the query structure from the data, and the statement is not re-parsed for every user input.
Example (MySQL):
  mysql> PREPARE stmt_name FROM "SELECT * FROM phonebook WHERE username=? AND password=?";

11 Prepared Statements, cont.
One way to prevent SQLCIA is to replace every query statement in a legacy application with a prepared statement. Replacing them automatically with static techniques is very hard, though: it requires inferring the structure of the query at each query-issue location in the program code, and the query issued at a location depends on the path taken through the program. So the problem becomes: how can we dynamically infer the benign query structure?
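To make the contrast between the concatenated query of slides 3-4 and the prepared statement of slide 10 concrete, here is an added example (not part of the original presentation or of CANDID) in Python against an in-memory SQLite phonebook. The sample rows and the functions vulnerable_lookup and prepared_lookup are constructed for this illustration. The attack input from slide 4 returns every row through string concatenation and no rows through the placeholder query, because bound values never reach the SQL parser as query text.

```python
import sqlite3

# Constructed sample data mirroring the slides' phonebook example.
SAMPLE_ROWS = [
    ("John", "123", "555-0100"),
    ("Alice", "s3cret", "555-0101"),
]


def make_db():
    """Create an in-memory phonebook table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (username TEXT, password TEXT, phone TEXT)")
    conn.executemany("INSERT INTO phonebook VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, username, password):
    """Slide 3 style: user input is spliced into the query text, so it can change the query structure."""
    query = ("SELECT username, phone FROM phonebook WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def prepared_lookup(conn, username, password):
    """Slide 10 style: the structure is fixed by the placeholders; inputs are bound purely as data."""
    query = "SELECT username, phone FROM phonebook WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def run_demo():
    """Run the benign input and the slide-4 attack input through both lookups."""
    conn = make_db()
    attack_user, attack_pwd = "John' OR 1=1 --", "what?"
    return {
        "benign_concat": vulnerable_lookup(conn, "John", "123"),
        "benign_prepared": prepared_lookup(conn, "John", "123"),
        "attack_concat": vulnerable_lookup(conn, attack_user, attack_pwd),  # every row leaks
        "attack_prepared": prepared_lookup(conn, attack_user, attack_pwd),  # no row matches
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

The prepared form is what slide 11 wants every legacy query rewritten into; the rest of the talk is about getting equivalent protection without having to find and rewrite each concatenation site by hand.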

12 High-level idea: Dynamic Candidate Evaluations
[Diagram: the actual input and a candidate input are both run through the application, producing an actual query and a candidate query; both go to the SQL parser. If the two parse structures match, the actual query is sent to the database; if they do not match, it is not.]

13 High-level idea: Dynamic Candidate Evaluations, cont.
Choosing such candidate inputs is undecidable in general, because the candidate inputs should
  be benign, and
  make the program issue a query at the same query-issue location by following the same path through the program.

14 Proposed Method
Manifestly benign inputs: for every string input, create a sample string of 'a's of the same length.
  Candidate input: uname = 'aaaa', pwd = 'aaa'
For integer or boolean variables, use the original input.
Follow the original control flow by using the original inputs to decide branches; the candidate inputs are used only to build the candidate query.

15 Proposed Method, cont.
Input: String uname, String pwd, boolean display
  if (display == true)
    "select * from phonebook where username='" + uname + "' and password='" + pwd + "'";
  else (display == false)
    "delete from phonebook where username='" + uname + "' and password='" + pwd + "'";
User input: uname = "John", pwd = "12d", display = false
Candidate input: uname = "aaaa", pwd = "aaa" (display is taken from the user input, so the same branch is followed)
Candidate input (2): uname = "aaaa", pwd = "aaa", display = true (this would take the other branch and build a select query, which cannot be compared with the actual delete query)
Actual query:    delete from phonebook where username='John' and password='12d'
Candidate query: delete from phonebook where username='aaaa' and password='aaa'

16 Proposed Method, cont.
[Diagram: Web Application -> CANDID Program Transformer -> Safe Web Application]

17 Transformation Example
Input: String uname, String pwd, boolean display
Added shadow variables: String uname_c, String pwd_c
  uname = input_1; pwd = input_2; display = input_3;
  uname_c = createSample(uname); pwd_c = createSample(pwd);
  if (display == true) {
    query   = "select * from phonebook where username='" + uname   + "' and password='" + pwd   + "'";
    query_c = "select * from phonebook where username='" + uname_c + "' and password='" + pwd_c + "'";
  } else {
    query   = "delete from phonebook where username='" + uname   + "' and password='" + pwd   + "'";
    query_c = "delete from phonebook where username='" + uname_c + "' and password='" + pwd_c + "'";
  }
  Original:    execute_query(query);
  Transformed: if (match_queries(query, query_c) == true) execute_query(query);
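The transformation on slides 14-17 is easier to follow in executable form. The following Python is an added example, not CANDID's own code (CANDID instruments Java bytecode and compares parse trees): build_query stands in for the application's own query construction, candidate_value for createSample, and sql_structure is a deliberately small token-level skeleton that stands in for the SQL parser plus match_queries. TOKEN_RE, KEYWORDS and the function names are constructed for this example and cover only the SQL needed by the slides.

```python
import re

# Tiny SQL lexer (constructed for this example, not a full SQL grammar).
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[=<>!]+|\*|,|\(|\))
  | (?P<bad>.)
""", re.VERBOSE)

KEYWORDS = {"select", "from", "where", "and", "or", "delete", "insert", "update"}


def sql_structure(query):
    """Return the query's syntactic skeleton: keywords, identifiers, operators,
    with every literal collapsed to STR/NUM. Two queries that differ only in
    their literal values have the same skeleton; an injected OR/comment does not."""
    skeleton = []
    for m in TOKEN_RE.finditer(query):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "comment":
            skeleton.append("COMMENT")
        elif kind == "string":
            skeleton.append("STR")
        elif kind == "number":
            skeleton.append("NUM")
        elif kind == "ident":
            skeleton.append(text.upper() if text.lower() in KEYWORDS else "ID:" + text.lower())
        elif kind == "op":
            skeleton.append(text)
        else:
            skeleton.append("BAD")   # stray character such as an unmatched quote
    return skeleton


def candidate_value(value):
    """Manifestly benign candidate (slide 14): a string of 'a's of the same
    length; integers and booleans are passed through unchanged."""
    if isinstance(value, str):
        return "a" * len(value)
    return value


def build_query(display, uname, pwd):
    """The application's query construction from slide 15 (concatenation, unchanged)."""
    if display:
        return "select * from phonebook where username='" + uname + "' and password='" + pwd + "'"
    return "delete from phonebook where username='" + uname + "' and password='" + pwd + "'"


def guarded_query(display, uname, pwd):
    """CANDID-style guard from slide 17: build the actual and the candidate query
    along the same path (display is the real boolean in both calls), and release
    the actual query only if the two structures match. Returns None when blocked."""
    actual = build_query(display, uname, pwd)
    candidate = build_query(display, candidate_value(uname), candidate_value(pwd))
    if sql_structure(actual) != sql_structure(candidate):
        return None
    return actual


if __name__ == "__main__":
    print(guarded_query(True, "John", "123"))              # released
    print(guarded_query(False, "John' OR 1=1 --", "what?"))  # None: structure differs
```

Because string literals collapse to STR, 'John' and 'aaaa' yield identical skeletons and the benign query is released, while the slide-4 input adds OR, 1=1 and a COMMENT token that the candidate query cannot contain, so the delete is never executed. The check is purely structural: an input that keeps the structure and only changes literal values is, by construction, treated as data.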

18 Proposed Method, cont.: Implementation Architecture
Offline view: Original Program -> Java Bytecode Transformer -> Instrumented Program
Online view: Browser -> Web Server (running the Instrumented Program) -> SQL Parser / Tree Checker -> Database

19 Evaluation
[Charts: attack evaluation results; performance overhead]
