SLIDE 1

Preventing SQL Injection Attacks Using AMNESIA

William G.J. Halfond and Alessandro Orso Georgia Institute of Technology

This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia Tech.

SLIDE 2

William Halfond – ICSE Formal Demo – May 25th, 2006

SQL Injection Attacks

  • David Aucsmith (CTO of Security and Business Unit, Microsoft) defined SQLIA as one of the most serious threats to web apps
  • Open Web Application Security Project (OWASP) lists SQLIA in its top ten most critical web application security vulnerabilities
  • Successful attacks on Guess Inc., Travelocity, FTD.com, Tower Records, RIAA…

SLIDE 3

Presentation Outline

  • Motivation
  • Background Info.
  • AMNESIA
  • Demonstration
  • Evaluation Overview
  • Summary

SLIDE 4

SQLIA Vulnerability

    String queryString = "SELECT info FROM userTable WHERE ";
    if ((!login.equals("")) && (!pin.equals(""))) {
        // untrusted login and pin are spliced directly into the SQL text
        queryString += "login='" + login + "' AND pin=" + pin;
    } else {
        queryString += "login='guest'";
    }
    ResultSet tempSet = stmt.executeQuery(queryString);

SLIDE 5

Attack Scenario

(Same code as Slide 4.)

Normal Usage
  • User submits login "doe" and pin "123"
  • SELECT info FROM users WHERE login='doe' AND pin=123

SLIDE 6

Attack Scenario

(Same code as Slide 4.)

Malicious Usage
  • Attacker submits login "user' -- " and pin "0"
  • SELECT info FROM users WHERE login='user' -- ' AND pin=0
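The two usages above, reproduced as an added Python/sqlite3 example (this is not the deck's Java code; the in-memory table and its three rows are constructed for the example). The vulnerable function ports the slide's string concatenation, so the comment sequence in the login turns the pin check off; the parameterized function beside it keeps the query structure fixed and binds the values, so the same input simply matches no row.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the deck's userTable (column names taken from the slide's query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userTable (login TEXT, pin INTEGER, info TEXT)")
    conn.executemany(
        "INSERT INTO userTable VALUES (?, ?, ?)",
        [("doe", 123, "doe's record"), ("user", 999, "user's record"), ("guest", 0, "guest record")],
    )
    conn.commit()
    return conn


def build_query_vulnerable(login: str, pin: str) -> str:
    """Port of the slide's Java: untrusted login and pin are spliced into the SQL text."""
    query = "SELECT info FROM userTable WHERE "
    if login != "" and pin != "":
        query += "login='" + login + "' AND pin=" + pin
    else:
        query += "login='guest'"
    return query


def lookup_vulnerable(conn: sqlite3.Connection, login: str, pin: str) -> List[str]:
    """Executes whatever string the concatenation produced (the hotspot of slides 10-12)."""
    return [row[0] for row in conn.execute(build_query_vulnerable(login, pin))]


def lookup_parameterized(conn: sqlite3.Connection, login: str, pin: str) -> List[str]:
    """Hardened form: the query shape is a constant and the values travel as bound parameters."""
    if login != "" and pin != "":
        if not pin.isdigit():  # pin is an integer column; anything else is rejected up front
            return []
        cur = conn.execute("SELECT info FROM userTable WHERE login=? AND pin=?", (login, int(pin)))
    else:
        cur = conn.execute("SELECT info FROM userTable WHERE login='guest'")
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    for user, code in [("doe", "123"), ("user' -- ", "0")]:
        print(build_query_vulnerable(user, code))
        print("  vulnerable    ->", lookup_vulnerable(db, user, code))
        print("  parameterized ->", lookup_parameterized(db, user, code))
```

With the slide's malicious input the vulnerable lookup returns the "user" row even though the supplied pin is wrong, because everything after `--` is a comment to the database; the parameterized lookup returns nothing.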

SLIDE 7

Many types of SQLIA [issse06]

Types
  • Piggy-backed Queries
  • Tautologies
  • Alternate Encodings
  • Inference
  • Illegal/Logically Incorrect Queries
  • Union Query
  • Stored Procedures

Sources
  • User input
  • Cookies
  • Server variables
  • Second-order

SLIDE 8

AMNESIA [ase05]

Basic Insights
  1. Code contains enough information to accurately model all legitimate queries.
  2. A SQL Injection Attack will violate the predicted model.

Solution:
  • Static analysis => build query models
  • Runtime analysis => enforce models

SLIDE 9

Overview of AMNESIA

  1. Identify all hotspots.
  2. Build SQL query models for each hotspot.
  3. Instrument hotspots.
  4. Monitor application at runtime.

SLIDE 10

1 – Identify Hotspots

Scan application code to identify hotspots.

    String queryString = "SELECT info FROM userTable WHERE ";
    if ((!login.equals("")) && (!pin.equals(""))) {
        queryString += "login='" + login + "' AND pin=" + pin;
    } else {
        queryString += "login='guest'";
    }
    ResultSet tempSet = stmt.executeQuery(queryString);   // <-- Hotspot: the query reaches the database here

SLIDE 11

2 – Build SQL Query Model

  1. Use Java String Analysis [1] to construct character-level automata
  2. Parse automata to group characters into SQL tokens

Resulting SQL query model for the hotspot (token-level automaton; β marks the positions where an input-derived string or number may appear):
  SELECT info FROM userTable WHERE login = ' guest '
  SELECT info FROM userTable WHERE login = ' β ' AND pin = β

SLIDE 12

3 – Instrument Application

Wrap each hotspot with call to monitor.

    String queryString = "SELECT info FROM userTable WHERE ";
    if ((!login.equals("")) && (!pin.equals(""))) {
        queryString += "login='" + login + "' AND pin=" + pin;
    } else {
        queryString += "login='guest'";
    }
    if (monitor.accepts(hotspotID, queryString)) {          // <-- Call to Monitor
        ResultSet tempSet = stmt.executeQuery(queryString); // <-- Hotspot
    }

SLIDE 13

4 – Runtime Monitoring

Check queries against SQL query model.

Normal Usage:
  Model:  SELECT info FROM userTable WHERE login = ' guest '
          SELECT info FROM userTable WHERE login = ' β ' AND pin = β
  Query:  SELECT info FROM userTable WHERE login = ' doe ' AND pin = 123
  => the token sequence follows the second path of the model (β = doe, β = 123): query accepted

SLIDE 14

4 – Runtime Monitoring

Check queries against SQL query model.

Malicious Usage:
  Model:  SELECT info FROM userTable WHERE login = ' guest '
          SELECT info FROM userTable WHERE login = ' β ' AND pin = β
  Query:  SELECT info FROM userTable WHERE login = ' user ' -- ' AND pin = 0   (the query from Slide 6, tokenized)
  => after the token "user" the model only allows "' AND pin = β"; the tokens that actually follow match no path: query rejected
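Steps 2 to 4 of the deck (build a token-level model, wrap the hotspot with a monitor call, check each runtime query against the model), as an added Python example that is not AMNESIA's own code. The tokenizer groups characters into SQL tokens in the layout drawn on slides 11 to 14 (quote marks as their own tokens, the text between them as one token); the model for the slide's hotspot is written by hand as the set of token paths it admits, a simplification of the automaton AMNESIA derives with Java String Analysis; "hotspot-1" is an assumed hotspot identifier.

```python
import re
from typing import Dict, List, Tuple

Token = Tuple[str, str]  # (kind, text)

_NUM = re.compile(r"\d+")
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokenize(sql: str) -> List[Token]:
    """Group the characters of a query into SQL tokens (step 2). Quote marks are tokens of
    their own and the text between a pair of quotes is a single 'str' token."""
    tokens: List[Token] = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c == "'":
            j = sql.find("'", i + 1)
            if j == -1:                      # unterminated literal: the rest is string text
                j = n
            tokens.append(("quote", "'"))
            tokens.append(("str", sql[i + 1:j]))
            if j < n:
                tokens.append(("quote", "'"))
            i = j + 1
        elif sql.startswith("--", i):        # a SQL line comment becomes one token
            j = sql.find("\n", i)
            j = n if j == -1 else j
            tokens.append(("comment", sql[i:j]))
            i = j
        elif (m := _NUM.match(sql, i)):
            tokens.append(("num", m.group()))
            i = m.end()
        elif (m := _WORD.match(sql, i)):
            tokens.append(("word", m.group()))
            i = m.end()
        else:                                # any other single character (=, *, comma, ...)
            tokens.append(("op", c))
            i += 1
    return tokens


BETA = "β"  # placeholder: one string or number token contributed by input

# Hand-written model for the deck's hotspot (slide 11), as the token paths it admits.
# AMNESIA derives this from the code; here it is spelled out for the example.
HOTSPOT_MODELS: Dict[str, List[List[str]]] = {
    "hotspot-1": [
        "SELECT info FROM userTable WHERE login = ' guest '".split(),
        "SELECT info FROM userTable WHERE login = ' β ' AND pin = β".split(),
    ],
}


def _matches_path(tokens: List[Token], path: List[str]) -> bool:
    if len(tokens) != len(path):
        return False
    for (kind, text), expected in zip(tokens, path):
        if expected == BETA:
            if kind not in ("str", "num"):   # input may only fill a literal slot
                return False
        elif text != expected:
            return False
    return True


def monitor_accepts(hotspot_id: str, query: str) -> bool:
    """Runtime check (step 4): accept only if the token sequence follows a path of the model."""
    tokens = tokenize(query)
    return any(_matches_path(tokens, path) for path in HOTSPOT_MODELS[hotspot_id])


def instrumented_hotspot(login: str, pin: str) -> Tuple[bool, str]:
    """The hotspot wrapped with the monitor call (step 3, slide 12). Query building mirrors
    the slide's Java concatenation; returns (accepted, query) instead of executing it."""
    query = "SELECT info FROM userTable WHERE "
    if login != "" and pin != "":
        query += "login='" + login + "' AND pin=" + pin
    else:
        query += "login='guest'"
    return monitor_accepts("hotspot-1", query), query


if __name__ == "__main__":
    for user, code in [("doe", "123"), ("", ""), ("user' -- ", "0")]:
        accepted, built = instrumented_hotspot(user, code)
        print("ACCEPT" if accepted else "REJECT", built)
```

The normal query of slide 13 and the guest query both follow a path of the model, so they are accepted; the slide 6 query is rejected because, after the `user` token, a comment token appears where the model only allows the closing quote followed by `AND pin = β`. Because β may only be filled by a single string or number token, any input that contributes extra SQL tokens changes the token sequence and falls outside the model, which is the property the two "basic insights" on slide 8 rely on.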

SLIDE 15

AMNESIA Implementation

SLIDE 16

AMNESIA Demonstration

  • Attacking a commercial application:
      • Evade login protection
      • Change contents of the database – "Special sale price"
  • Blocking attacks with AMNESIA
  • Examine SQL query models

SLIDE 17

Evaluation: Research Questions

RQ1: What percentage of attacks can our technique detect and prevent that would otherwise go undetected and reach the database?
RQ2: How much overhead does our technique impose on web applications at runtime?
RQ3: What percentage of legitimate accesses does our technique prevent from reaching the database?

SLIDE 18

Evaluation: Experiment Setup

Subject              LOC      Hotspots   Average automata size
Checkers             5,421         5     289 (772)
Office Talk          4,543        40      40 (167)
Employee Directory   5,658        23     107 (952)
Bookstore           16,959        71     159 (5,269)
Events               7,242        31      77 (550)
Classifieds         10,949        34      91 (799)
Portal              16,453        67     117 (1,187)

(Table rebuilt from the flattened slide; the automata-size column is matched to subjects on the assumption that it was extracted in the same row order as the LOC and hotspot columns, and the parenthesized values are reproduced as they appear on the slide.)

  • Applications are a mix of commercial (5) and student projects (2)
  • Attacks and legitimate inputs developed independently
  • Attack inputs represent broad range of exploits

SLIDE 19

Evaluation Results: RQ1

Subject              Unsuccessful   Successful   Detected
Checkers                    1195          248    248 (100%)
Office Talk                  598          160    160 (100%)
Employee Directory           413          280    280 (100%)
Bookstore                   1028          182    182 (100%)
Events                       875          260    260 (100%)
Classifieds                  823          200    200 (100%)
Portal                       880          140    140 (100%)

  ⇒ No false negatives
  ⇒ Unsuccessful attacks = filtered by application

SLIDE 20

Evaluation Results: RQ2 & RQ3

  • Runtime Overhead (RQ2)
      • Less than 1ms.
      • Insignificant compared to cost of network/database access
  • No false positives (RQ3)
      • No legitimate input was flagged as SQLIA

SLIDE 21

Conclusions & Future Work

  • AMNESIA detects and prevents SQLIAs by using static analysis and runtime monitoring
      • Builds models of expected legitimate queries
      • At runtime, ensures all generated queries match the model
  • In our evaluation
      • No false positives
      • No false negatives
  • Future work => address limitations
      • Imprecision in static analysis
      • External trusted input