CANDID : Preventing SQL Injection Attacks Using Dynamic ...

CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations
V. N. Venkatakrishnan, Assistant Professor, Computer Science, University of Illinois at Chicago
Joint work with: Sruthi Bandhakavi (UIUC), Prithvi Bisht (UIC) and P. Madhusudan (UIUC)

SQL Injection: Typical Query
(Figure: "Phonebook Record Manager" web form with Username "John" and Password "open_sesame" and Display / Delete / Submit buttons. The web browser sends the user input to the application server, which issues the query to the database and renders the result set as a web page.)
Query: SELECT * FROM phonebook WHERE username = 'John' AND password = 'open_sesame'
Result: John's phonebook entries are displayed.

SQL Injection: Typical Query (attack)
(Figure: the same form with Username "John' OR 1=1 --" and Password "not needed".)
Query: SELECT * FROM phonebook WHERE username = 'John' OR 1=1 --' AND password = 'not needed'
Result: all phonebook entries are displayed.

SQL Injection Attacks are a Serious Threat
(Figure: pie charts of CVE vulnerabilities for 2004 and 2006, with slices labelled SQL Injection and XSS.)
CardSystems security breach (2006): 263,000 customer credit card numbers stolen, 40 million more exposed.

Talk Overview
(Figure: Web Application -> CANDID Program Transformer -> Safe Web Application [ACM CCS'07])

SQL Injection
- Most systems separate code from data.
- SQL queries can be constructed by arbitrary sequences of programming constructs that involve string operations (concatenation, substring, ...).
- Such constructs also involve (untrusted) user inputs.
- Inputs should be mere data, but in the case of SQL they end up as code.
- Result: queries intended by the programmer can be changed by untrusted user input.

Attacks Change Query Structure
Parse structure for a benign query: SELECT * FROM Table WHERE username = 'John' AND password = 'os'
(the WHERE clause is an AND of two comparisons, each against a literal)
Parse structure for an attack query: SELECT * FROM Table WHERE username = 'John' OR 1=1 -- AND ...
(the WHERE clause becomes an OR, and the comment discards the password condition)
Related work: Boyd et al. [BK 04], ANCS; Buehrer et al. [BWS 05], SEM; Halfond et al. [HO 05], ASE; Nguyen-Tuong et al. [NGGSE 05], SEC; Pietraszek et al. [PB 05], RAID; Valeur et al. [VMV 05], DIMVA; Su et al. [SW 06], POPL ...

Prepared Statements
mysql> PREPARE stmt_name FROM "SELECT * FROM phonebook WHERE username = ? AND password = ?"
(? is a placeholder for input)
- Separates query structure from data.
- Statements are NOT parsed for every user input: WHERE username = ? AND password = ?

Legacy Applications
- For existing applications, adding PREPARE statements will prevent SQL injection attacks.
- Hard to do automatically with static techniques:
  - need to guess the structure of the query at each query-issue location;
  - the query issued at a location depends on the path taken in the program.
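The prepared-statement slide in runnable form, as an added Python example that is not part of the talk or the CANDID project: a constructed in-memory SQLite phonebook (the table contents and the use of `sqlite3` instead of the talk's MySQL are assumptions) is queried once by string concatenation, the pattern the slides attack, and once with bound `?` parameters, so the two behaviours can be compared on the same input.

```python
import sqlite3


def make_phonebook():
    """Constructed sample data: an in-memory phonebook with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (username TEXT, password TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO phonebook VALUES (?, ?, ?)",
        [("John", "open_sesame", "555-0100"), ("Alice", "hunter2", "555-0101")],
    )
    return conn


def lookup_concatenated(conn, username, password):
    """The vulnerable pattern from the slides: input is spliced into the query text,
    so the input can change the parse structure of the statement."""
    query = (
        "SELECT * FROM phonebook WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def lookup_prepared(conn, username, password):
    """Prepared statement: the query structure is fixed at parse time and the
    inputs are bound as data, so they can never add an OR or a comment."""
    query = "SELECT * FROM phonebook WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_phonebook()
    for user, pw in [("John", "open_sesame"), ("John' OR 1=1 --", "not needed")]:
        print(repr(user), "concatenated ->", len(lookup_concatenated(conn, user, pw)), "rows")
        print(repr(user), "prepared     ->", len(lookup_prepared(conn, user, pw)), "rows")
```

With the legitimate credentials both functions return John's single row; with the slide's attack string the concatenated version returns every row while the prepared version returns none, because the bound value is compared literally against the username column.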

Legacy Applications (continued)
- Human-assisted efforts can add PREPARE statements, but this is a costly effort.
- Problem: is it possible to dynamically infer the benign query structure?

High-Level Idea: Dynamic Candidate Evaluations
- Create benign sample inputs (candidate inputs) for every user input.
- Execute the program simultaneously over the actual inputs and the candidate inputs.
- Generate a candidate query along with the actual query:
  - the candidate query is always non-attacking;
  - the actual query is possibly malicious.
- Issue the actual query only if the parse structures match.
(Figure: the actual input and the candidate input both flow through the application, producing an actual query and a candidate query; both go to the SQL parser; on a match the actual query is sent to the SQL DB, on no match it is blocked.)
- How can we guess benign candidate inputs for every input execution?

Finding Benign Candidate Inputs
- Have to create a set of candidate inputs which
  - are benign, and
  - issue a query at the same query-issue location, by following the same path in the program.
- Problem: hard. In the most general case it is undecidable.
(Figure: candidate path and actual path through the program, both reaching the query-issue location.)

Our Solution: Use Manifestly Benign Inputs
(Figure: Phonebook Record Manager form with User Name "John", Password "os" and Display / Delete / Submit buttons.)
- For every string, create a sample string of a's having the same length.
  Candidate input: uname = "aaaa", pwd = "aa"
- Shadow every intermediate string variable that depends on input.
- For integer or boolean variables, use the originals.
- Follow the original control flow: evaluate conditionals only on the actual inputs.

Example
  Inputs: str uname, str pwd, bool display
  User input:      uname = "john", pwd = "os", display = false
  Candidate input: uname = "aaaa", pwd = "aa"
  display?  (decided on the actual input)
    true:  query = "SELECT * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'"
    false: query = "DELETE * from phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'"
  Actual query:    DELETE * from phonebook WHERE username = 'john' AND password = 'os'
  Candidate query: DELETE * from phonebook WHERE username = 'aaaa' AND password = 'aa'

CANDID Program Transformation Example
  i/p str uname; i/p str pwd; i/p bool delete;
  str uname_c; str pwd_c;
  uname = input_1, pwd = input_2, delete = input_3;
  uname_c = createSample(uname), pwd_c = createSample(pwd);
  display?
    false: query   = "DELETE * from phonebook WHERE username = '" + uname   + "' AND password = '" + pwd   + "'";
           query_c = "DELETE * from phonebook WHERE username = '" + uname_c + "' AND password = '" + pwd_c + "'";
    true:  query   = "SELECT * from phonebook WHERE username = '" + uname   + "' AND password = '" + pwd   + "'";
           query_c = "SELECT * from phonebook WHERE username = '" + uname_c + "' AND password = '" + pwd_c + "'";
  if (match_queries(query, query_c) == true) execute_query(query);

Resilience of CANDID: Input Splitting
  Input: "Alan Turing"                      Candidate: "aaaaaaaaaaa"
  space_index = 4                           space_index = 4
  fn = input[0..3] = "Alan"                 fn_c = input_c[0..3] = "aaaa"
  ln = input[5..9] = "Turing"               ln_c = input_c[5..9] = "aaaaaa"
  Query:     SELECT ... WHERE first_name = 'Alan' AND last_name = 'Turing'
  Candidate: SELECT ... WHERE first_name = 'aaaa' AND last_name = 'aaaaaa'
(The instrumented splitting function splits the candidate at the index computed on the actual input, so the candidate query keeps the same structure.)

CANDID Implementation Architecture
Offline view: original program (Java bytecode) -> Java bytecode transformer -> instrumented web application (Java bytecode)
Online view: browser -> web server (Tomcat) running the instrumented web application -> SQL parse-tree checker (Java) -> DB (MySQL)

Thank You. Questions?
Acknowledgments: xkcd.com
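To make the candidate-evaluation slides concrete, here is an added Python model of the transformation; it is not the CANDID Java implementation. A small SQL tokenizer, in which literals collapse to their kind, stands in for the talk's SQL parse-tree checker (an assumption: the real checker compares parse trees, this compares token shapes); `create_sample` builds the manifestly benign candidate from the "Our Solution" slide; and the two program shapes from the slides, the phonebook display/delete branch and the "Alan Turing" input-splitting case, are run over the actual and the candidate input together, with the branch and the split index taken from the actual input only. Table and function names are my own.

```python
import re

# Tokenizer used in place of a SQL parser: literals and comments are reduced to
# their kind, keywords/identifiers/operators keep their (uppercased) text, so two
# queries with the same shape produce the same structure.
_TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')             # single-quoted string literal ('' escapes a quote)
  | (?P<num>\d+(?:\.\d+)?)              # numeric literal
  | (?P<comment>--[^\n]*)               # line comment (used by the attack to drop the tail)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<op>[=<>!]+|\*|[(),;.])          # operators and punctuation
  | (?P<ws>\s+)
""", re.VERBOSE)


def structure(query):
    """Return the structure of a query as a list of token kinds and texts."""
    out, pos = [], 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if m is None:  # e.g. an unterminated quote: the query does not parse
            raise ValueError("cannot tokenize at offset %d" % pos)
        kind = m.lastgroup
        if kind == "ws":
            pass
        elif kind in ("str", "num", "comment"):
            out.append(kind.upper())
        else:
            out.append(m.group().upper())
        pos = m.end()
    return out


def create_sample(s):
    """CANDID's manifestly benign candidate: same length, all 'a'."""
    return "a" * len(s)


def match_queries(query, query_c):
    """Issue the actual query only if its structure equals the candidate's."""
    try:
        return structure(query) == structure(query_c)
    except ValueError:
        return False  # a query that does not even tokenize is rejected


def run_phonebook(uname, pwd, delete):
    """Transformed phonebook program: returns (allowed, query, candidate query)."""
    uname_c, pwd_c = create_sample(uname), create_sample(pwd)
    # The boolean is taken from the actual input; the candidate follows the same path.
    verb = "DELETE FROM" if delete else "SELECT * FROM"
    query = verb + " phonebook WHERE username = '" + uname + "' AND password = '" + pwd + "'"
    query_c = verb + " phonebook WHERE username = '" + uname_c + "' AND password = '" + pwd_c + "'"
    return match_queries(query, query_c), query, query_c


def run_name_lookup(full_name):
    """Input-splitting case: the split index is computed on the actual input and
    reused for the candidate, so a benign candidate keeps the same structure."""
    full_c = create_sample(full_name)
    space_index = full_name.index(" ")          # integer variable: use the original
    fn, ln = full_name[:space_index], full_name[space_index + 1:]
    fn_c, ln_c = full_c[:space_index], full_c[space_index + 1:]
    query = "SELECT * FROM people WHERE first_name = '" + fn + "' AND last_name = '" + ln + "'"
    query_c = "SELECT * FROM people WHERE first_name = '" + fn_c + "' AND last_name = '" + ln_c + "'"
    return match_queries(query, query_c), query, query_c


if __name__ == "__main__":
    for args in [("John", "open_sesame", False), ("john", "os", True), ("John' OR 1=1 --", "x", False)]:
        allowed, q, qc = run_phonebook(*args)
        print("ALLOW " if allowed else "BLOCK ", q, "|| candidate:", qc)
    for name in ["Alan Turing", "Alan Turing' OR 1=1 --"]:
        allowed, q, qc = run_name_lookup(name)
        print("ALLOW " if allowed else "BLOCK ", q, "|| candidate:", qc)
```

Running it shows the benign display and delete paths passing (the candidate takes the same branch and differs only inside the literals), the slide's `' OR 1=1 --` input being blocked because its structure gains an OR, a numeric comparison and a comment that the all-`a` candidate lacks, and the "Alan Turing" split matching exactly as on the resilience slide.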
