amnesia analysis and monitoring for neutralizing sql
play

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection - PowerPoint PPT Presentation

Jun 24, 2023 •388 likes •627 views

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to Georgia Tech,

  1. AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to Georgia Tech, and by the DHS

  2. AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks • David Aucsmith (CTO of Security and Business Unit, Microsoft) defined SQLIA as one of the most serious threats to web apps William Halfond • Open Web Application Security Project (OWASP) lists SQLIA in Alessandro Orso its top ten most critical web application security vulnerabilities Georgia Institute of Technology • Successful attacks on Guess Inc., Travelocity, FTD.com, Tower Records, RIAA, … This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to Georgia Tech, and by the DHS

  3. Vulnerable Application String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); William Halfond – ASE 2005 – November 10 th , 2005

  4. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Normal Usage ¬ User submits login “ doe ” and password “ xyz ” ¬ SELECT info FROM users WHERE login=’ doe ’ AND pass=’ xyz ’ William Halfond – ASE 2005 – November 10 th , 2005

  5. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Malicious Usage ¬ Attacker submits “ admin’ or 1=1 -- ” and password of “” ¬ SELECT info FROM users WHERE login=‘ admin’ or 1=1 -- ’ AND pass=’’ William Halfond – ASE 2005 – November 10 th , 2005

  6. Background Information “Why the obvious solutions don’t work.” • Input filtering • Stored procedures • Defensive coding William Halfond – ASE 2005 – November 10 th , 2005

  7. Presentation Outline • Background Information • The AMNESIA Technique • Empirical Evaluation • Related Work • Conclusion William Halfond – ASE 2005 – November 10 th , 2005

  8. Our Solution: AMNESIA Basic Insights 1. Code contains enough information to accurately model all legitimate queries. 2. A SQL Injection Attack will violate the predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models William Halfond – ASE 2005 – November 10 th , 2005

  9. Overview of the Technique Identify all hotspots. 1. Build SQL query models for each 2. hotspot. Instrument hotspots. 3. Monitor application at runtime. 4. William Halfond – ASE 2005 – November 10 th , 2005

  10. 1 – Identify Hotspots Scan application code to identify hotspots. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Hotspot William Halfond – ASE 2005 – November 10 th , 2005

  11. 2 – Build SQL Query Model Use Java String Analysis [1] to construct 1. character-level automata Parse automata to group characters into 2. SQL tokens = ‘ guest ‘ login SELECT info FROM userTable WHERE login β β = ‘ ‘ AND pass = ‘ ‘ William Halfond – ASE 2005 – November 10 th , 2005

  12. 3 – Instrument Application Wrap each hotspot with call to monitor. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; Call to Monitor } if (monitor.accepts (hotspotID, queryString) { ResultSet tempSet = stmt.execute(queryString); } Hotspot William Halfond – ASE 2005 – November 10 th , 2005

  13. 4 – Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login β β = ‘ ‘ AND pass = ‘ ‘ Normal Usage: SELECT info FROM userTable WHERE login = ‘ doe ‘ AND pass = ‘ xyz ‘ William Halfond – ASE 2005 – November 10 th , 2005

  14. 4 – Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login β β = ‘ ‘ AND pass = ‘ ‘ Malicious Usage: SELECT info FROM userTable WHERE login = ‘ admin ‘ OR 1 = 1 -- ‘ AND pass = ‘ ‘ William Halfond – ASE 2005 – November 10 th , 2005

  15. AMNESIA Implementation William Halfond – ASE 2005 – November 10 th , 2005

  16. Limitations and Assumptions Assumption • Queries created by manipulating strings Limitations • False positives • When string analysis is not precise enough • False negatives • When query model includes spurious queries and an attack matches it William Halfond – ASE 2005 – November 10 th , 2005

  17. Evaluation: Research Questions RQ1: What percentage of attacks can our technique detect and prevent that would otherwise go undetected and reach the database? RQ2: How much overhead does our technique impose on web applications at runtime? RQ3: What percentage of legitimate accesses does our technique prevent from reaching the database? William Halfond – ASE 2005 – November 10 th , 2005

  18. Experiment Setup Average Subject LOC Hotspots Automata size Checkers 5,421 5 289 (772) Office Talk 4,543 40 40 (167) Employee Directory 5,658 23 107 (952) Bookstore 16,959 71 159 (5,269) Events 7,242 31 77 (550) Classifieds 10,949 34 91 (799) Portal 16,453 67 117 (1,187) • Applications are a mix of commercial (5) and student projects (2) • Attacks and legitimate inputs developed independently • Attack inputs represent broad range of exploits William Halfond – ASE 2005 – November 10 th , 2005

  19. Results: RQ1 Subject Unsuccessful Successful Detected Checkers 1195 248 248 (100%) Office Talk 598 160 160 (100%) Employee Directory 413 280 280 (100%) Bookstore 1028 182 182 (100%) Events 875 260 260 (100%) Classifieds 823 200 200 (100%) Portal 880 140 140 (100%) ⇒ No false negatives ⇒ Unsuccessful attacks = filtered by application William Halfond – ASE 2005 – November 10 th , 2005

  20. Results: RQ2 & RQ3 • Runtime Overhead • Less than 1ms. • Insignificant compared to cost of network/database access • No false positives • No legitimate input was flagged as SQLIA William Halfond – ASE 2005 – November 10 th , 2005

  21. Related Work • Require learning new API [2,8] • Customized runtime environments and high overhead [6,9,12,10,11] • Address only a subset of SQLIA [3,14] • Limited by machine learning [4,13] • Overly conservative static analysis [5,7] William Halfond – ASE 2005 – November 10 th , 2005

  22. Conclusion • SQL Injection Attacks (SQLIAs) are a serious threat to DB-based Web Applications • This technique detects and prevents SQLIAs by combining static analysis and runtime monitoring • Fully automated – No human effort required • Empirical evaluation • Commercial applications and real attacks • No false positives generated • Precise – No false negatives William Halfond – ASE 2005 – November 10 th , 2005

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

To what extent financial regulation in Brazil was effective in neutralizing the overvaluation of

To what extent financial regulation in Brazil was effective in neutralizing the overvaluation of

Dynamic Analysis of Monetary Policy Shock on Banking Behavior: A post- Keynesian Stock-Flow Consistent Model To what extent financial regulation in Brazil was effective in neutralizing the overvaluation of the exchange rate? Edwin LE HERON

306 views • 6 slides
ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org Center for Applied Internet Data Analysis University of California, San Diego Joint work with: Pavlos Sermpezis, Vasileios Kotronis, Petros

375 views • 23 slides
Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia

239 views • 21 slides
New Technologies, New Technologies, Old Problems Old Problems Historical Amnesia Historical

New Technologies, New Technologies, Old Problems Old Problems Historical Amnesia Historical

New Technologies, New Technologies, Old Problems Old Problems Historical Amnesia Historical Amnesia and Enterprise Computing and Enterprise Computing 1 1 Structure of the Talk Structure of the Talk General Introduction General

816 views • 59 slides
Everyday Strategies for Neutralizing Worries and Anxiety How mindfulness, acceptance, and

Everyday Strategies for Neutralizing Worries and Anxiety How mindfulness, acceptance, and

Everyday Strategies for Neutralizing Worries and Anxiety How mindfulness, acceptance, and attention to positive goals can improve the quality of kids (and parents) lives Chris McCurry, Ph.D. Associates in Behavior

1.32k views • 78 slides
Neutralizing Linguistically Problematic Annotations i U in Unsupervised Dependency Parsing

Neutralizing Linguistically Problematic Annotations i U in Unsupervised Dependency Parsing

Neutralizing Linguistically Problematic Annotations i U in Unsupervised Dependency Parsing Evaluation i d D d P i E l ti Roy Schwartz 1 , Omri Abend 1 , Roi Reichart 2 and Ari Rappoport 1 1 The Hebrew University, 2 MIT In proceedings of

492 views • 26 slides
iSMART 4.0.X S.M.A.R.T ( Self-Monitoring, Analysis and Reporting Technology ) A monitoring system

iSMART 4.0.X S.M.A.R.T ( Self-Monitoring, Analysis and Reporting Technology ) A monitoring system

iSMART 4.0.X S.M.A.R.T ( Self-Monitoring, Analysis and Reporting Technology ) A monitoring system for computer hard disk drives to detect and report on various indicators of reliability, in the hope of anticipating failures. 1992 1995 iSMART

481 views • 25 slides
Neutralizing Linguistically Problematic Annotations in Unsupervised Dependency Parsing Evaluation

Neutralizing Linguistically Problematic Annotations in Unsupervised Dependency Parsing Evaluation

Neutralizing Linguistically Problematic Annotations in Unsupervised Dependency Parsing Evaluation Roy Schwartz 1 , Omri Abend 1 , Roi Reichart 2 and Ari Rappoport 1 1 The Hebrew University, 2 MIT ISCOL 2011 Outline Introduction

290 views • 28 slides
ARTEMIS : Neutralizing BGP Hijacking within a Minute Pavlos Sermpezis INSPIRE group (Prof.

ARTEMIS : Neutralizing BGP Hijacking within a Minute Pavlos Sermpezis INSPIRE group (Prof.

ARTEMIS : Neutralizing BGP Hijacking within a Minute Pavlos Sermpezis INSPIRE group (Prof. Xenofontas Dimitropoulos) FORTH, Greece ERC Networking Symposium, SIGCOMM 2018 The ERC history of ARTEMIS ERC NetVolution project 2014

200 views • 17 slides
Predicting and Understanding HIV-1 Resistance to Broadly Neutralizing Antibodies Anna Feldmann

Predicting and Understanding HIV-1 Resistance to Broadly Neutralizing Antibodies Anna Feldmann

Predicting and Understanding HIV-1 Resistance to Broadly Neutralizing Antibodies Anna Feldmann Max Planck Institute for Informatics Motivation HIV-1 drug target space is limited Drug resistance emergence under HAART Consistent

718 views • 32 slides
The absolutely neutralizing coalescence theory of mutation Paul de Lacy Rutgers University

The absolutely neutralizing coalescence theory of mutation Paul de Lacy Rutgers University

The absolutely neutralizing coalescence theory of mutation Paul de Lacy Rutgers University Network on Core Mechanisms of Exponence Universitt Leipzig Friday, 8 January 2008 This talk argues that mutation is due to the coalescence of (parts

469 views • 17 slides
Selectio Selection and and st structural analy analysis is of of sybodies bodies neutr

Selectio Selection and and st structural analy analysis is of of sybodies bodies neutr

Selectio Selection and and st structural analy analysis is of of sybodies bodies neutr neutralizing lizing SAR SARS CoV CoV 2 T. Custdio, H. Das, D. Sheward, L. Hanke, S. Pazicky, J.Pieprzyk, M. Sorgenfrei, M. Schroer, A. Gruzinov,

300 views • 15 slides
Analysis of system level market power Amelia Blanke Manager, Monitoring & Reporting

Analysis of system level market power Amelia Blanke Manager, Monitoring & Reporting

Analysis of system level market power Amelia Blanke Manager, Monitoring & Reporting Department of Market Monitoring Market Surveillance Committee Meeting General Session June 7, 2019 ISO PUBLIC ISO Public DMM analysis of structural

435 views • 15 slides
Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202

Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202

Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202 @suqitian Network Security Research Lab, Qihoo 360 http://netlab.360.com/ FloCon 2017 Backbone Network DRDoS Attack Monitoring and Analysis Thread

238 views • 22 slides
Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr, Peter Libi and Petr Tma Charles University in Prague Context: Dynamic Monitoring of Production Systems Dynamic Monitoring of Production Systems

999 views • 61 slides
Network Telescope Data Analysis: IBR Monitoring telescope/darknets/darkspace, 22 Mar 11 Nevil

Network Telescope Data Analysis: IBR Monitoring telescope/darknets/darkspace, 22 Mar 11 Nevil

Network Telescope Data Analysis: IBR Monitoring telescope/darknets/darkspace, 22 Mar 11 Nevil Brownlee IBR Monitoring CAIDA, 2011 p.1/17 Background, Earlier Work Moore, Shannon et al, CAIDA/UCSD, 2000..2006 telescope gives a whole-world

321 views • 17 slides
Level 3 Course Options The Arts The Arts (Mrs Owens) Photography - Design - Painting What are

Level 3 Course Options The Arts The Arts (Mrs Owens) Photography - Design - Painting What are

Level 3 Course Options The Arts The Arts (Mrs Owens) Photography - Design - Painting What are these subjects about? Developing a personalised body of work that explores your own interests, cultures, beliefs and ideas through different fields of

580 views • 35 slides
Cambridge Assessment Conference 2012 Glenys Stacey

Cambridge Assessment Conference 2012 Glenys Stacey

Cambridge Assessment Conference 2012 Glenys Stacey Good morning. When Paul Newton asked me sometime ago if I would take part in

390 views • 8 slides
Community Research Academic <->Community Pasifika Trivia 1. There are 3 sub regions in

Community Research Academic <->Community Pasifika Trivia 1. There are 3 sub regions in

Community Research Academic <->Community Pasifika Trivia 1. There are 3 sub regions in the Pacific. Polynesia and Melanesia are 2 of them. What is the 3 rd sub-region? 2. What is the Pacific country closest to New Zealand? 3. Which

116 views • 10 slides
IMPLEMENTATION OF OECD ADVOCACY TOOLS FOR COMPETITION AUTHORITIES IN SEE CONFERENCE ON

IMPLEMENTATION OF OECD ADVOCACY TOOLS FOR COMPETITION AUTHORITIES IN SEE CONFERENCE ON

IMPLEMENTATION OF OECD ADVOCACY TOOLS FOR COMPETITION AUTHORITIES IN SEE CONFERENCE ON INSTITUTION BUILDING OF THE COMPETITION AUTHORITIES IN SOUTH EAST EUROPE BELGRADE, 2 3 JUNE 2016 Sabine Zigelski Senior Competition Expert OECD

295 views • 13 slides
LBBD Property Licensing Update Gary Jones Private Rented Property Licensing Enforcement Update

LBBD Property Licensing Update Gary Jones Private Rented Property Licensing Enforcement Update

LBBD Property Licensing Update Gary Jones Private Rented Property Licensing Enforcement Update September 2015. Private Rented Property Licensing Update To date there have been 10,000 applications received for private rented property

234 views • 10 slides
Maximizing Shareholder Value With an Enterprise Mindset Dave Denton Executive Vice President

Maximizing Shareholder Value With an Enterprise Mindset Dave Denton Executive Vice President

Maximizing Shareholder Value With an Enterprise Mindset Dave Denton Executive Vice President & Chief Financial Officer Agenda Strong Record of Execution Strong Record of Execution Marketplace Misconceptions 2017 Guidance Review Solid

799 views • 63 slides
Californias Statewide Stay At Home Order and Other Californias Statewide Stay At Home Order

Californias Statewide Stay At Home Order and Other Californias Statewide Stay At Home Order

CLIENT ALERT Californias Statewide Stay At Home Order and Other Californias Statewide Stay At Home Order and Other Updates Updates Stradling continues to monitor developments related to the COVID-19 pandemic and provide guidance to

600 views • 5 slides
Traffic Regulation Order Process for Public Rights of Way Traffic Regulation Order Process

Traffic Regulation Order Process for Public Rights of Way Traffic Regulation Order Process

Traffic Regulation Order Process for Public Rights of Way Traffic Regulation Order Process Everybody has the right to use the public rights of way across Essex. To temporarily or permanently restrict a public right of way requires a

395 views • 15 slides

More recommend