ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
SQLProb: a proxy-based architecture towards preventing SQL injection attacks
Full text PdfPdf (990 KB)
Source
Symposium on Applied Computing archive
Proceedings of the 2009 ACM symposium on Applied Computing table of contents
Honolulu, Hawaii
SESSION: Computer security track table of contents
Pages 2054-2061  
Year of Publication: 2009
ISBN:978-1-60558-166-8
Authors
Anyi Liu  George Mason University
Yi Yuan  George Mason University
Duminda Wijesekera  George Mason University
Angelos Stavrou  George Mason University
Sponsor
SIGAPP: ACM Special Interest Group on Applied Computing
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 34,   Downloads (12 Months): 144,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1529282.1529737
What is a DOI?

ABSTRACT

SQL injection attacks (SQLIAs) consist of maliciously crafted SQL inputs, including control code, used against Database-connected Web applications. To curtail the attackers' ability to generate such attacks, we propose an SQL Proxy-based Blocker (SQLProb). SQLProb harnesses the effectiveness and adaptivity of genetic algorithms to dynamically detect and extract users' inputs for undesirable SQL control sequences. Compared to state-of-the-art protection mechanisms, our method does not require any code changes on either the client, the web-server or the back-end database. Rather, our system uses a proxy that seamlessly integrates with existing operational environments offering protection to front-end web servers and back-end databases. To evaluate the overhead and the detection performance of our system, we implemented a prototype of SQLProb which we tested using real SQL attacks. Our experimental results show that we can detect all SQL injection attacks while maintaining very low resource utilization.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
T. Pietraszek, C. Vanden Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), pages 124--145, 2005.
 
2
F. Valeur, D. Mutz, and G. Vigna. A learning-based approach to the detection of sql attacks. In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), pages 123140, 2005.
3
Zhendong Su , Gary Wassermann, The essence of command injection attacks in web applications, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.372-382, January 11-13, 2006, Charleston, South Carolina, USA
4
Gregory Buehrer , Bruce W. Weide , Paolo A. G. Sivilotti, Using parse tree validation to prevent SQL injection attacks, Proceedings of the 5th international workshop on Software engineering and middleware, September 05-06, 2005, Lisbon, Portugal  [doi>10.1145/1108473.1108496]
5
Sruthi Bandhakavi , Prithvi Bisht , P. Madhusudan , V. N. Venkatakrishnan, CANDID: preventing sql injection attacks using dynamic candidate evaluations, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315249]
 
6
Yichen Xie , Alex Aiken, Static detection of security vulnerabilities in scripting languages, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
 
7
V. Benjamin Livshits , Monica S. Lam, Finding security vulnerabilities in java applications with static analysis, Proceedings of the 14th conference on USENIX Security Symposium, p.18-18, July 31-August 05, 2005, Baltimore, MD
8
Monica S. Lam , John Whaley , V. Benjamin Livshits , Michael C. Martin , Dzintars Avots , Michael Carbin , Christopher Unkel, Context-sensitive program analysis as database queries, Proceedings of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, June 13-15, 2005, Baltimore, Maryland  [doi>10.1145/1065167.1065169]
9
Michael Martin , Benjamin Livshits , Monica S. Lam, Finding application errors and security flaws using PQL: a program query language, Proceedings of the 20th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, October 16-20, 2005, San Diego, CA, USA
10
David Scott , Richard Sharp, Abstracting application-level web security, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511498]
11
Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA  [doi>10.1145/988672.988679]
 
12
W. Halfond, J. Viegas, and A. Orso. A Classification of SQL injection attacks and countermeasures. In Proceedings of the International Symposium on Secure Software Engineering (SEEE), March 2006.
 
13
S. Boyd and A. Keromytis. SQLrand: Preventing SQL injection attacks. In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS), pages 292302, 2004.
 
14
A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Proceedings of the 20th IFIP International Information Security Conference (SEC), pages 295--308, 2005.
15
William G. J. Halfond , Alessandro Orso , Panagiotis Manolios, Using positive tainting and syntax-aware evaluation to counter SQL injection attacks, Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering, November 05-11, 2006, Portland, Oregon, USA  [doi>10.1145/1181775.1181797]
 
16
Wei Xu , Sandeep Bhatkar , R. Sekar, Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
17
William G. J. Halfond , Alessandro Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA  [doi>10.1145/1101908.1101935]
 
18
C. Brabrand, A. Mller, M. Ricky, and M. I. Schwartzbach. Powerforms: Declarative client-side form field validation. In Proceedings of the World Wide Web (WWW), 2000.
19
David Scott , Richard Sharp, Abstracting application-level web security, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511498]
 
20
David Scott , Richard Sharp, Specifying and Enforcing Application-Level Web Security Policies, IEEE Transactions on Knowledge and Data Engineering, v.15 n.4, p.771-783, July 2003  [doi>10.1109/TKDE.2003.1208998]
21
Davide Balzarotti , Marco Cova , Viktoria V. Felmetsger , Giovanni Vigna, Multi-module vulnerability analysis of web-based applications, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315250]
 
22
Sin Yeung Lee , Wai Lup Low , Pei Yuen Wong, Learning Fingerprints for a Database Intrusion Detection System, Proceedings of the 7th European Symposium on Research in Computer Security, p.264-280, October 14-16, 2002
 
23
Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama, Y. Takahama. Sania: Syntactic and semantic analysis for automated testing against SQL injection. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), pages 107--117, 2007.
24
Martin Johns , Christian Beyerlein, SMask: preventing injection attacks in web applications by approximating automatic data/code separation, Proceedings of the 2007 ACM symposium on Applied computing, March 11-15, 2007, Seoul, Korea  [doi>10.1145/1244002.1244071]
 
25
Ryan Riley , Xuxian Jiang , Dongyan Xu, An Architectural Approach to Preventing Code Injection Attacks, Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, p.30-40, June 25-28, 2007  [doi>10.1109/DSN.2007.13]
 
26
Carl Gould , Zhendong Su , Premkumar Devanbu, JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications, Proceedings of the 26th International Conference on Software Engineering, p.697-698, May 23-28, 2004
27
William R. Cook , Siddhartha Rai, Safe query objects: statically typed objects as remotely executable queries, Proceedings of the 27th international conference on Software engineering, May 15-21, 2005, St. Louis, MO, USA  [doi>10.1145/1062455.1062488]
 
28
Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama, and Y. Takahama. Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC '07), Miami Beach, Florida, 2007.
29
Xuxian Jiang , Dongyan Xu, Profiling self-propagating worms via behavioral footprinting, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1179542.1179547]
 
30
T. O. Fundation. Top ten most critical web application vulnerabilities, 2005. http://www.owasp.org/documentation/topten.html.
 
31
R. Durbin, S. Eddy, and A. Krogh. Biological sequence analysis. Cambridge University Press, ISBN: 0521629713, 1998.
 
32
Sanctum Inc. AppShield 4.0 Whitepaper, 2002. http://www.sanctuminc.com.
 
33
MySQL Proxy Project Wiki. http://forge.mysql.com/wiki/MySQL_Proxy.
 
34
SPI Dynamics. Web application security assessment. SPI Dynamics Whitepaper, 2003.
 
35
Kavado, Inc. InterDo Vers. 3.0, 2003.
 
36
SQLBrute - SQL Injection brute force tool. http://www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/.
 
37
JavaCC Project. https://javacc.dev.java.net/.
 
38
JJTree. https://javacc.dev.java.net/doc/JJTree.html.
 
39
Wget http://ftp.gnu.org/gnu/wget/.
 
40
McAfee Entercept Database Edition. http://www.anidirect.com/products/intrusionprevention/ds_entercept_databaseedition.pdf.
 
41
GreenSQL. http://www.greensql.net/.
 
42
SANA Security's Primary Response. http://www.sanasecurity.com/common/files/PR3.O_datasheet.pdf.

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.m Miscellaneous

Additional Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Unauthorized access (e.g., hacking, phreaking)


Keywords:
SQL injection attack, information security, intrusion detection, intrusion prevention

Collaborative Colleagues:
Anyi Liu: colleagues
Yi Yuan: colleagues
Duminda Wijesekera: colleagues
Angelos Stavrou: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player