Benjamin Davis Hao Chen University of California, Davis.

Slides:

Advertisements

Similar presentations

Advertisements

Connecting to Databases. relational databases tables and relations accessed using SQL database -specific functionality –transaction processing commit.

The Relational Model and Relational Algebra Nothing is so practical as a good theory Kurt Lewin, 1945.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

Keys, Referential Integrity and PHP One to Many on the Web.

CIT 613: Relational Database Development using SQL Introduction to SQL.

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 13 Introduction to SQL Programming Techniques.

15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.

SQL (Structured Query Language) X/OPEN Call Level Interface For SQL ODBC (Open DataBase Connectivity) API JDBC (Java DataBase Connectivity) API SQL (Structured.

DT228/3 Web Development Databases. Database Almost all web application on the net access a database e.g. shopping sites, message boards, search engines.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

Scripting Languages CS 351 – Programming Paradigms.

Database Systems More SQL Database Design -- More SQL1.

1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.

1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Web to Database Connectivity Tools Frank Cervone Assistant Director for Systems DePaul University Libraries Access ‘98 October 3, 1998.

October 30, 2008 Extensible Workflow Management for Simmod ESUG32, Frankfurt, Oct 30, 2008 Alexander Scharnweber (DLR) October 30, 2008 Slide 1 > Extensible.

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

7/8/05MySQL David Lawrence1 David Lawrence, JLab An introduction for the novice.

PHP Data Object (PDO) Khaled Al-Sham’aa. What is PDO? PDO is a PHP extension to formalise PHP's database connections by creating a uniform interface.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

©Silberschatz, Korth and Sudarshan5.1Database System Concepts Chapter 5: Other Relational Languages Query-by-Example (QBE) Datalog.

Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.

Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 19: Database Support.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Stored Procedures, Triggers, Program Access Dr Lisa Ball 2008.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

Module 11: Programming Across Multiple Servers. Overview Introducing Distributed Queries Setting Up a Linked Server Environment Working with Linked Servers.

Dr Gordon Russell, Napier University Unit Embedded SQL - V3.0 1 Embedded SQL Unit 5.1.

Demo: Power Tools for P8 Presenter: Jay Bowen Demonstration Topic: Choice List Features Demo URL below Power Tools Choice List Support 1. Native P8 Choice.

EGEE is a project funded by the European Union under contract IST Outstanding design issues Stephen Hicks 23/06/04

1 MSCS 237 Overview of web technologies (A specific type of distributed systems)

Self-assembling Agent System Presentation 1 Donald Lee.

Efficient RDF Storage and Retrieval in Jena2 Written by: Kevin Wilkinson, Craig Sayers, Harumi Kuno, Dave Reynolds Presented by: Umer Fareed 파리드.

ABSTRACT The JDBC (Java Database Connectivity) API is the industry standard for database- independent connectivity between the Java programming language.

RDF languages and storages part 1 - expressivness Maciej Janik Conrad Ibanez CSCI 8350, Fall 2004.

Server-side Programming The combination of –HTML –JavaScript –DOM is sometimes referred to as Dynamic HTML (DHTML) Web pages that include scripting are.

Practical RDF Chapter 10. Querying RDF: RDF as Data Shelley Powers, O’Reilly SNU IDB Lab. Hyewon Lim.

PHP Workshop ‹#› PHP Data Object (PDO). PHP Workshop ‹#› What is PDO? PDO is a PHP extension to formalise PHP's database connections by creating a uniform.

DATABASE CONNECTIVITY TO MYSQL. Introduction =>A real life application needs to manipulate data stored in a Database. =>A database is a collection of.

Practical RDF Ch.10 Querying RDF: RDF as Data Taewhi Lee SNU OOPSLA Lab. Shelley Powers, O’Reilly August 27, 2004.

MyGrid/Taverna Provenance Daniele Turi University of Manchester OMII f2f Meeting, London, 19-20/4/06.

WEB SECURITY WEEK 2 Computer Security Group University of Texas at Dallas.

Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.

Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.

JDBC CS 260 Database Systems. Overview  Introduction  JDBC driver types  Eclipse project setup  Programming with JDBC  Prepared statements  SQL.

ECMM6018 Enterprise Networking For Electronic Commerce Tutorial 6 CGI/Perl and databases.

Introduction to JDBC Instructor: Mohamed Eltabakh 1.

Bayu Priyambadha, S.Kom. Static content  Web Server delivers contents of a file (html) 1. Browser sends request to Web Server 3. Web Server sends HTML.

CS 440 Database Management Systems Stored procedures & OR mapping 1.

CS422 Principles of Database Systems Oracle PL/SQL Chengyu Sun California State University, Los Angeles.

Copyright © 2016 Ramez Elmasri and Shamkant B. Navathe.

SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements.

MESA A Simple Microarray Data Management Server. General MESA is a prototype web-based database solution for the massive amounts of initial data generated.

 Abstract  Introduction  Literature Survey  Conclusion on Literature Survey  Threat model and system architecture  Proposed Work  Attack Scenarios.

The Common Gateway Interface (CGI) Pat Morin COMP2405.

More SQL: Complex Queries, Triggers, Views, and Schema Modification

SQL Injection By Wenonah Abadilla.

Internet/Web Databases

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Introduction to Dynamic Web Programming

Database JDBC Overview CS Programming Languages for Web Applications

Abstract Intrusion detection in networks is of practical interest in many applications such as detecting an intruder in a battlefield. The intrusion detection.

Lecture Set 14 B new Introduction to Databases - Database Processing: The Connected Model (Using DataReaders)

Probabilistic Databases

Presentation transcript:

Benjamin Davis Hao Chen University of California, Davis

 Web services are highly attractive targets  Over 60% of attacks target Web applications  Over 80% of vulnerabilities found are in Web applications (From SANS 2009 Top Cyber Security Risks) 2

3 Latest Comment Latest Comment {User Content}

4 Latest Comment This is great! Latest Comment This is great!

5 Latest Comment steal(document.cookie); Latest Comment steal(document.cookie);

6 Application ? ? ? ? ? ? ? ? ? ?

Information Flow Tracking System 7 Application Input !!

Information Flow Tracking System 8 Application !!

Information Flow Tracking System 9 Application !!

Information Flow Tracking System 10 Application !! Output !!

Information Flow Tracking System 11 Application !! Output X

 Language-based “taint mode” ◦ Perl ◦ Ruby  Adding support to language structures ◦ Java [Chin, Wagner 09] ◦ PHP [Venema] 12

Information Flow Tracking System 13 Web Application Output Input Database Interface Database

Information Flow Tracking System Web Application 14 Output Input Database Interface Database !!

Information Flow Tracking System Web Application 15 Output Input Database Interface Database !!

Information Flow Tracking System Web Application 16 Output Input Database Interface Database !!

Information Flow Tracking System Web Application 17 Output Input Database Interface Database !!

Information Flow Tracking System Web Application 18 Output Input Database Interface Database ? ?

Information Flow Tracking System Web Application 19 Output Input Database Interface Database ? ?

Information Flow Tracking System Web Application 20 Output Input Database Interface Database ? ?

 What if you have multiple applications?  How to treat data from the database? ◦ All tainted -> false positives ◦ All untainted -> false negatives ◦ Require manual annotation? ◦ Application-specific decisions? 21

 Taint tracking through the entire system ◦ [Asbestos, 05] ◦ [HiStar, 06]  Implemented in ◦ Hardware ◦ OS ◦ VMM/emulator 22

Web Application 23 Output Input Database Interface Database !!

Web Application 24 Output Input Database Interface Database

Web Application 25 Output Input Database Interface Database !!

Web Application 26 Output Input Database Interface Database

 Low level/fine granularity ◦ Hardware mechanism [Suh, Lee, Devadas 04] ◦ Minos [Crandall, Chong, 04]  Lacks high-level database semantics ◦ Aggregate functions ◦ Comparisons, SELECT DISTINCT 27

 End-to-end taint tracking ◦ Across Web applications and databases  Leverage existing single-application information flow tracking engines  Compatible with existing Web services ◦ Require no changes to Web applications  Taint propagation through database functions 28

29 DB Interface Web Application Database Engine SQL

30 DB Interface Web Application Database Engine SQL Single-application information flow DBTaint

 Store taint data in database composite types ◦ Tuple of form: (, )  Store/retrieve taint values via SQL ◦ No additional mechanisms needed in the database ◦ No change to underlying database data structures 31 IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) IdStatus 19‘closed’ 27‘open’ 32‘pending’ Before DBTaintWith DBTaint

 Create functions that operate on composite types ◦ Comparison operators (=, !=, <, …) ◦ Arithmetic operations (+, -, …) ◦ Text operations (upper, lower, …) ◦ Aggregate functions (MAX, MIN, SUM, …)  Functions implemented in SQL ◦ CREATE FUNCTION ◦ CREATE OPERATOR ◦ CREATE AGGREGATE 32

 Arithmetic operations (4, 0) + (5, 1) = (9, ?) 33

 Arithmetic operations (4, 0) + (5, 1) = (9, ?) 34 untainted tainted

 Arithmetic operations (4, 0) + (5, 1) = (9, 1) 35 untainted tainted

 MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) 36

 MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) 37 untainted tainted untainted

 Untainted: trusted source ◦ Web application defaults ◦ Values generated entirely by the Web application  Tainted: from untrusted source, or unknown ◦ User input  Explicit information flow  Database returns untainted value only if database has received that value untainted 38

 MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) 39 untainted tainted untainted

 MAX {(2, 0), (3, 1), (5, 0)} = (5, 0) 40 untainted tainted untainted

 Equality (3, 0) = (3, 1) 41 untainted tainted ?

 Equality 3 == 3 42

 Equality (3, 0) == (3, 1)  Adopt notion of backwards-compatibility [Chin, Wagner 09] 43 untainted tainted

 MAX {(5, 1), (5, 0)} = (5, ?) 44 untainted tainted

 MAX {5, 5} = 5 45

 MAX {5, 5} = 5 46 OR

 MAX {(5, 1), (5, 0)} = (5, ?) 47 OR

 MAX {(5, 1), (5, 0)} = (5, 0)  When possible, prefer to return untainted values 48 untainted tainted untainted

49 WebApp DB Interface Database Table IdStatus 19‘closed’ 27‘open’ 32‘pending’

50 WebApp DB Interface Database Table x = DB.get(id=27) IdStatus 19‘closed’ 27‘open’ 32‘pending’

51 WebApp DB Interface Database Table x = DB.get(id=27) IdStatus 19‘closed’ 27‘open’ 32‘pending’

52 WebApp DB Interface Database Table x = DB.get(id=27) IdStatus 19‘closed’ 27‘open’ 32‘pending’

53 WebApp DB Interface Database Table x = “open” IdStatus 19‘closed’ 27‘open’ 32‘pending’

54 WebApp DB Interface Database Table IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DBTaint

55 WebApp Database Table IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) x = DB.get(id=27) DB Interface DBTaint

56 WebApp Database Table Rewritten query IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint

57 WebApp Database Table Result tuples IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint

58 WebApp Database Table IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint Collapse tuples and taint appropriately

59 WebApp Database Table x = “open” // x is tainted x = “open” // x is tainted IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint

 Account for composite types in SQL queries  Collapse and taint result tuples as needed  These changes are: ◦ Transparent to web application ◦ High-level, portable 60 unchanged DB DB Interface DBTaint

61  Parameterized queries  Prepare: ◦ INSERT … (id, status) VALUES (?, ?) ◦ Execute ◦ (27, ‘open’)

62  Parameterized queries  Prepare: ◦ INSERT … (id, status) VALUES (?, ?) ◦ // with DBTaint: ◦ INSERT … (id, status) VALUES (ROW(?, ?), ROW(?, ?))

63  Parameterized queries  Prepare: ◦ INSERT … (id, status) VALUES (?, ?) ◦ // with DBTaint: ◦ INSERT … (id, status) VALUES (ROW(?, ?), ROW(?, ?)) ◦ Execute ◦ (27, ‘open’) // 27 is untainted, ‘open’ is tainted ◦ // with DBTaint: ◦ (27, 0, ‘open’, 1)

 Prepare phase: ◦ Queries are passed with placeholders for data  Execute phase: ◦ Data values are passed separately, independently  Taint tracking engine requirement: ◦ Only need to track taint values per variable  We handle non-parameterized queries too ◦ See paper for details 64

 Leverage existing single-application information flow tracking systems  No changes to Web application 65 DB Interface Web Application Single-application information flow DBTaint

 Languages ◦ Perl ◦ Java  Database Interfaces ◦ Perl DataBase Interface (DBI) ◦ Java Database Connectivity (JDBC)  Database ◦ PostgreSQL 66

 RT: Request Tracker (ticket tracking system) ◦ 60,000+ lines of Perl ◦ Perl DBI (DataBase Interface) API ◦ Perl taint mode  JForum (discussion board system) ◦ 30,000+ lines of Java ◦ Java Database Connectivity (JDBC) API ◦ Character-level taint engine [Chin, Wagner ’09] 67

68

 Cross-application information flow tracking  Persistent taint tracking  Multiple Web applications, multiple Databases 69

 End-to-end information flow through Web services  Compatible with existing Web services ◦ Requires no changes to Web applications  Taint propagation through database functions 70