research-article

Hacking the DBMS to Prevent Injection Attacks

Authors:
Ibéria Medeiros

INESC-ID, Faculdade de Ciências da Universidade de Lisboa, Lisboa, Portugal

INESC-ID, Faculdade de Ciências da Universidade de Lisboa, Lisboa, Portugal
View Profile

,
Miguel Beatriz

INESC-ID, Instituto Superior Técnico da Universidade de Lisboa, Lisboa, Portugal

INESC-ID, Instituto Superior Técnico da Universidade de Lisboa, Lisboa, Portugal
View Profile

,
Nuno Neves

LaSIGE, Faculdade de Ciências da Universidade de Lisboa, Lisboa, Portugal

LaSIGE, Faculdade de Ciências da Universidade de Lisboa, Lisboa, Portugal
View Profile

,
Miguel Correia

INESC-ID, Instituto Superior Técnico da Universidade de Lisboa, Lisboa, Portugal

INESC-ID, Instituto Superior Técnico da Universidade de Lisboa, Lisboa, Portugal
View Profile

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and PrivacyMarch 2016Pages 295–306https://doi.org/10.1145/2857705.2857723

Published:09 March 2016Publication History

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

Pages 295–306

ABSTRACT

After more than a decade of research, web application security continues to be a challenge and the backend database the most appetizing target. The paper proposes preventing injection attacks against the database management system (DBMS) behind web applications by embedding protections in the DBMS itself. The motivation is twofold. First, the approach of embedding protections in operating systems and applications running on top of them has been effective to protect this software. Second, there is a semantic mismatch between how SQL queries are believed to be executed by the DBMS and how they are actually executed, leading to subtle vulnerabilities in prevention mechanisms. The approach -- SEPTIC -- was implemented in MySQL and evaluated experimentally with web applications written in PHP and Java/Spring. In the evaluation SEPTIC has shown neither false negatives nor false positives, on the contrary of alternative approaches, causing also a low performance overhead in the order of 2.2%.

References

Spring framework, 2014. http://spring.io/.Google Scholar
B. Ahuja, A. Jana, A. Swarnkar, and R. Halder. On preventing SQL injection attacks. Advanced Computing and Systems for Security, 395:49--64, 2015.Google ScholarCross Ref
S. Bandhakavi, P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan. CANDID: preventing SQL injection attacks using dynamic candidate evaluations. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 12--24, Oct. 2007. Google ScholarDigital Library
BBC Technology. Millions of websites hit by Drupal hack attack, Oct. 2014. http://www.bbc.com/news/technology-29846539.Google Scholar
T. Berners-Lee, R. Fielding, and L. Masinter. Uniform resource identifier (URI): Generic syntax. IETF Request for Comments: RFC 3986, Jan. 2005.Google Scholar
S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In Proceedings of the 2nd Applied Cryptography and Network Security Conference, pages 292--302, 2004.Google ScholarCross Ref
G. T. Buehrer, B. W. Weide, and P. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, pages 106--113, Sept. 2005. Google ScholarDigital Library
E. Cecchet, V. Udayabhanu, T. Wood, and P. Shenoy. Benchlab: An open testbed for realistic benchmarking of web applications. In Proceedings of the 2nd USENIX Conference on Web Application Development, 2011. Google ScholarDigital Library
J. Clarke. SQL Injection Attacks and Defense. Syngress, 2009. Google ScholarDigital Library
CVE. http://cve.mitre.org.Google Scholar
A. Douglen. SQL smuggling or, the attack that wasn't there. Technical report, COMSEC Consulting, Information Security, 2007.Google Scholar
M. Dowd, J. Mcdonald, and J. Schuh. Art of Software Security Assessment. Pearson Professional Education, 2006. Google ScholarDigital Library
W. Halfond and A. Orso. AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pages 174--183, Nov. 2005. Google ScholarDigital Library
W. Halfond, A. Orso, and P. Manolios. WASP: protecting web applications using positive tainting and syntax-aware evaluation. IEEE Transactions on Software Engineering, 34(1):65--81, 2008. Google ScholarDigital Library
M. Howard and D. LeBlanc. Writing Secure Code for Windows Vista. Microsoft Press, 1st edition, 2007. Google ScholarDigital Library
ICS-CERT. Incident response/vulnerability coordination in 2014. ICS-CERT Monitor, Set.-Feb. 2015.Google Scholar
Imperva. Hacker intelligence initiative, monthly trend report#8. Apr. 2012.Google Scholar
JSoup. http://jsoup.org.Google Scholar
M. Koschany. Debian hardening, 2013. https://wiki.debian.org/ Hardening.Google Scholar
W. Masri and S. Sleiman. SQLPIL: SQL injection prevention by input labeling. Security and Communication Networks, 8(15):2545--2560, 2015.Google ScholarDigital Library
Measureit. https://code.google.com/p/measureit/.Google Scholar
I. Medeiros, N. F. Neves, and M. Correia. Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In Proceedings of the International World Wide Web Conference, pages 63--74, Apr. 2014. Google ScholarDigital Library
G. Modelo-Howard, C. Gutierrezand, F. Arshad, S. Bagchi, and Y. Qi. Psigene: Webcrawling to generalize SQL injection signatures. In Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks, June 2014. Google ScholarDigital Library
OSVDB. http://osvdb.org.Google Scholar
PHP Address Book. http://php-addressbook.sourceforge.net.Google Scholar
T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceedings of the 8th International Conference on Recent Advances in Intrusion Detection, pages 124--145, 2005. Google ScholarDigital Library
D. Ray and J. Ligatti. Defining code-injection attacks. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 179--190, 2012. Google ScholarDigital Library
refbase. http://http://www.refbase.net.Google Scholar
Search Security TechTarget. Wordpress vulnerable to stored XSS, Apr. 2015. http://searchsecurity.techtarget.com/news/4500245137/ WordPress-vulnerable-to-stored-XSS-researchers-find.Google Scholar
SolidIT. DB-Engines Ranking. http://db-engines.com/en/ranking, accessed Aug. 10th, 2015.Google Scholar
S. Son, K. S. McKinley, and V. Shmatikov. Diglossia: detecting code injection attacks with precision and efficiency. In Proceedings of the 20th ACM Conference on Computer and Communications Security, pages 1181--1192, 2013. Google ScholarDigital Library
Spring. http://docs.spring.io/spring/docs/2.5.4/reference/aop.html.Google Scholar
sqlmap. https://github.com/sqlmapproject/testenv/tree/master/mysql.Google Scholar
Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Proceedings of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 372--382, Jan. 2006. Google ScholarDigital Library
Trustwave SpiderLabs. ModSecurity - Open Source Web Application Firewall. http://www.modsecurity.org.Google Scholar
WebChess. http://sourceforge.net/projects/webchess/.Google Scholar
J. Williams and D. Wichers. OWASP Top 10: The ten most critical web application security risks. Technical report, OWASP Foundation, 2013.Google Scholar
W. Xu, S. Bhatkar, and R. Sekar. Practical dynamic taint analysis for countering input validation attacks on web applications. Technical Report SECLAB-05-04, Department of Computer Science, Stony Brook University, 2005.Google Scholar
ZeroCMS. Content management system built using PHP and MySQL. http://www.aas9.in/zerocms/.Google Scholar

Index Terms

Hacking the DBMS to Prevent Injection Attacks
1. Security and privacy
  1. Software and application security
    1. Web application security
  2. Systems security
    1. Vulnerability management
      1. Penetration testing
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation

Recommendations

Defending against injection attacks through context-sensitive string evaluation
RAID'05: Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Injection vulnerabilities pose a major threat to application-level security. Some of the more common types are SQL injection, cross-site scripting and shell injection vulnerabilities. Existing methods for defending against injection attacks, that is, ...
Read More
A comparative analysis and performance evaluation of web application protection techniques against injection attacks

Nowadays, most animation activities are based on internet-enabled applications. But, the majority of web developers have ignored the privacy and security aspects of each application, turning them into attractive targets for security issues and therefore ...
Read More
Mitigation of SQL Injection Attacks using Threat Modeling

Day after day, SQL Injection (SQLI) attack is consistently proliferating across the globe. According to Open Web Application Security Project (OWASP) Top Ten Cheat Sheet-2014, SQLI is at top in the list of online attacks. The cause of spread of SQLI is ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN:9781450339353
DOI:10.1145/2857705
General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Alexander Pretschner
Technische Universität München, Germany
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 9 March 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
dbms self-protection
injection attacks
security
software security
web applications
Qualifiers
- research-article
Conference

Acceptance Rates
CODASPY '16 Paper Acceptance Rate22of115submissions,19%Overall Acceptance Rate149of789submissions,19%
More
Upcoming Conference
CODASPY '24

Sponsor:

sigsac

Fourteenth ACM Conference on Data and Application Security and Privacy

June 19 - 21, 2024

Porto , Portugal
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 1
  Total Citations
  View Citations
- 340
  Total Downloads
- Downloads (Last 12 months)13
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Hacking the DBMS to Prevent Injection Attacks

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

Defending against injection attacks through context-sensitive string evaluation

A comparative analysis and performance evaluation of web application protection techniques against injection attacks

Mitigation of SQL Injection Attacks using Threat Modeling