Preventing SQL Injection Attacks in Stored Procedures. Alex Hertz, Chris Daiello. CAP6135, Dr. Cliff Zou, University of Central Florida. March 19, 2009.


Research Paper
Publication
◦ Australian Software Engineering Conference (ASWEC 2006)
Authors
◦ Ke Wei, Dept. of Electrical and Computer Engineering at Iowa State University
◦ M. Muthuprasanna, Dept. of Electrical and Computer Engineering at Iowa State University
◦ Suraj Kothari, Dept. of Electrical and Computer Engineering at Iowa State University

SQL Injection Attack
Targets interactive web applications that employ database services. These applications form SQL statements from user input. An attacker can place malicious SQL statements into the input.
◦ Can gain access to vital database information
◦ Can use this vulnerability as an IP/Port scanner of the internal network

SQL Injection Attack
There has been extensive research in the field of guarding against this vulnerability in the application layer.
◦ This can be done by examining dynamic SQL query semantics at runtime.
There has been little research on the vulnerabilities that exist in stored procedures, which are at the database layer.

Motivation
The growing popularity of the Internet in the past decade has made it something we rely on for everyday activities. The applications and their underlying databases hold confidential and sensitive data. Downtime can easily result in millions of dollars in damages. These databases have security flaws, and they must be protected against targeted attacks.

Motivation
According to the Imperva Application Defence Center, 92% of all web applications are vulnerable to some form of malicious intrusion. Vulnerabilities that lead to SQL Injection attacks are well understood. However, there is still a lack of effective techniques for detecting and preventing them.

Stored Procedures
Stored procedures are an important part of relational database systems.
◦ They add an extra layer of abstraction into the design of a software system
◦ This extra layer can hide some of the design secrets from potentially malicious users, for example the definitions of tables
The use of dynamic SQL queries can be useful, but can pose an SQL injection vulnerability.

Example
Consider a stored procedure that is called with a username and a password. This procedure uses that user input to dynamically generate an SQL statement, which is then executed using the EXEC() system function.

Example
For instance, after calling the procedure with the values "testuser" and "testpasswd" for the username and password respectively, the procedure would generate the following SQL query:
◦ select PROFILE from EMPLOYEE where NAME='testuser' and PASSWD='testpasswd'
This statement would then be passed to the EXEC() function.

Example
A user could also input ' OR 1 = 1 -- (beginning with a single quote) as the username and null as the password. The SQL query generated would look like:
◦ select PROFILE from EMPLOYEE where NAME='' OR 1 = 1 --' and PASSWD='null'
The characters -- will comment out anything following them. The query will be interpreted as a tautology, and is thus always satisfied.
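The example above, reproduced as an added example that is not part of the original slides or the paper: Python with an in-memory sqlite3 database stands in for the SQL Server stored procedure, the EMPLOYEE table and its rows are constructed sample data, and lookup_profile_dynamic mirrors the concatenation that the procedure hands to EXEC(). The second function shows the hardened form, where the same lookup runs with bound parameters so the user input can only ever be compared as a value.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny EMPLOYEE table with the columns used on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE (NAME TEXT, PASSWD TEXT, PROFILE TEXT)")
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)", [
        ("testuser", "testpasswd", "standard"),
        ("admin", "placeholder-password", "administrator"),
    ])
    conn.commit()
    return conn


def lookup_profile_dynamic(conn, name, passwd):
    """Vulnerable form: builds the statement by string concatenation, exactly as
    the stored procedure on the slides does before calling EXEC().  Any quote or
    comment marker in the inputs becomes part of the statement's structure."""
    sql = ("select PROFILE from EMPLOYEE where NAME='" + name +
           "' and PASSWD='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_profile_parameterized(conn, name, passwd):
    """Hardened form: the statement text is fixed and the inputs travel as bound
    parameters, so the tautology payload is simply an unknown user name.
    (In T-SQL the equivalent is sp_executesql with a parameter list, or avoiding
    dynamic SQL in the procedure altogether.)"""
    sql = "select PROFILE from EMPLOYEE where NAME=? and PASSWD=?"
    row = conn.execute(sql, (name, passwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # The benign call and the tautology input from the slides, side by side.
    for name, passwd in [("testuser", "testpasswd"), ("' OR 1 = 1 --", "null")]:
        print(repr(name),
              "dynamic:", lookup_profile_dynamic(conn, name, passwd),
              "parameterized:", lookup_profile_parameterized(conn, name, passwd))
```

With the tautology input the dynamic version returns a profile even though no such user exists, because the WHERE clause collapsed to 1 = 1 and the rest of the statement was commented out; the parameterized version returns nothing for the same input.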

Proposal
This paper proposes a technique designed to defend against attacks directed at stored procedures.
◦ Static application code analysis
   ▪ Stored procedure parser
◦ Runtime validation

Proposal
The key intuition behind the technique described in this paper is that an SQL injection will alter the structure of an SQL statement. An SQL injection can be identified by detecting the difference in the structures. This is done in two phases.

Offline Phase
A parser is used to pre-process and identify specific SQL statements in the EXEC() call for runtime analysis.

Runtime Phase
The technique monitors all dynamically generated SQL queries associated with the user input. The technique captures the original structure of the SQL statement and checks for compliance after inclusion of the user inputs.

Runtime Phase
If an attack is detected:
◦ The malicious statement is prevented from accessing the database
◦ Details about the attack are provided

Proposal
The control flow graph of the stored procedures can be represented as an SQL-graph.
◦ Indicates which user inputs the dynamically built SQL statements depend on.
The control flow graph is extracted during the static analysis phase.

SQL-Graph [figure]

SQL-Graph
Only EXEC() calls that depend on user input need to be tested in this system. Other EXEC() calls can exist, but pose no security threat if they do not take user input. The concept of the SQL-graph is to reduce the runtime overhead by displaying dependencies between multiple queries and inputs.

Runtime Validation
Before an EXEC() is called, the SQL statement is sent to the validation function to determine if it is a valid statement. This function will be able to detect:
◦ Tautologies
◦ Additional SQL statements
◦ Second-Order Injection
◦ Other injection attacks
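A simplified implementation of the two-phase structure check described in the Offline Phase, Runtime Phase and Runtime Validation slides, added here as an example; it is not the paper's parser or the presenters' code. Instead of a full SQL grammar it uses a small tokenizer that reduces a statement to its structural skeleton (keywords, identifiers, operators, and the kinds of literals and comments). The offline phase records the skeleton of the procedure's statement template once, with inert placeholder values in every input position; the runtime phase rebuilds the statement with the real inputs and compares skeletons. TEMPLATE, build_query and the keyword list are assumptions made for this example.

```python
import re

# Structural tokenizer for a small SQL subset (not the paper's parser).
TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<str>'(?:[^']|'')*')
    | (?P<num>\d+(?:\.\d+)?)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op><>|<=|>=|!=|[=<>+\-*/(),;.])
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "UPDATE", "DELETE", "DROP", "EXEC", "INTO", "VALUES", "NULL"}


def structure(sql):
    """Return the statement's structural skeleton: literals are abstracted to
    their kind, comments become a marker, keywords/identifiers/operators are kept.
    Raises ValueError on text the tokenizer cannot classify (e.g. a dangling quote)."""
    skeleton, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        pos, kind, text = m.end(), m.lastgroup, m.group(0)
        if kind == "ws":
            continue
        if kind == "str":
            skeleton.append("STR")
        elif kind == "num":
            skeleton.append("NUM")
        elif kind == "comment":
            skeleton.append("COMMENT")
        elif kind == "word":
            up = text.upper()
            skeleton.append(f"KW:{up}" if up in KEYWORDS else f"ID:{up}")
        else:
            skeleton.append(f"OP:{text}")
    return skeleton


# The stored procedure's dynamic statement from the slides, as a format template;
# {name} and {passwd} stand for the procedure's two parameters (assumed names).
TEMPLATE = "select PROFILE from EMPLOYEE where NAME='{name}' and PASSWD='{passwd}'"


def build_query(name, passwd):
    """Mirror the concatenation the procedure performs before EXEC()."""
    return TEMPLATE.format(name=name, passwd=passwd)


# Offline phase: the expected skeleton, computed once from the template with
# placeholder values so that every user input sits inside a string literal.
EXPECTED = structure(build_query("x", "x"))


def validate(name, passwd):
    """Runtime phase: rebuild the statement with the real inputs and compare its
    skeleton with the expected one.  Returns (ok, detail); detail names the first
    diverging token so it can be reported as part of the attack details."""
    try:
        actual = structure(build_query(name, passwd))
    except ValueError as exc:
        return False, f"unparseable statement: {exc}"
    if actual == EXPECTED:
        return True, "structure preserved"
    for i, (exp, got) in enumerate(zip(EXPECTED, actual)):
        if exp != got:
            return False, f"structure changed at token {i}: expected {exp}, got {got}"
    return False, f"structure changed: {len(actual)} tokens, expected {len(EXPECTED)}"


if __name__ == "__main__":
    for name, passwd in [("testuser", "testpasswd"), ("' OR 1 = 1 --", "null")]:
        print(repr(name), "->", validate(name, passwd))
```

The tautology input from the slides is rejected because the token where the template has AND now carries OR, and an appended statement is rejected at the same position because a semicolon appears there. A legitimate name containing an apostrophe (O'Brien) is also rejected, since the unescaped quote leaves a dangling literal; that is the concatenation bug showing through, and parameterized execution, not the validator, is what removes it. Because the check runs on the final statement, it does not matter whether the offending text came directly from the request or from a value stored earlier, which is how the second-order case is covered.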

Our Intentions
We intend to implement this technique on our own system.
◦ Verify the validity of the algorithm
We will try to analyze the effectiveness on newer database management systems.
◦ The authors used SQL Server 2005
We will try to improve upon the authors' algorithm.