preventing sql injection attacks using amnesia
play

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond - PowerPoint PPT Presentation

Jan 23, 2024 •29 likes •239 views

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia

  1. Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia Tech.

  2. SQL Injection Attacks • David Aucsmith (CTO of Security and Business Unit, Microsoft) defined SQLIA as one of the most serious threats to web apps • Open Web Application Security Project (OWASP) lists SQLIA in its top ten most critical web application security vulnerabilities • Successful attacks on Guess Inc., Travelocity, FTD.com, Tower Records, RIAA… William Halfond – ICSE Formal Demo – May 25 th , 2006

  3. Presentation Outline • Motivation • Background Info. • AMNESIA • Demonstration • Evaluation Overview • Summary William Halfond – ICSE Formal Demo – May 25 th , 2006

  4. SQLIA Vulnerability String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); William Halfond – ICSE Formal Demo – May 25 th , 2006

  5. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Normal Usage ¬ User submits login “ doe ” and pin “ 123 ” ¬ SELECT info FROM users WHERE login= ` doe ’ AND pin= 123 William Halfond – ICSE Formal Demo – May 25 th , 2006

  6. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Malicious Usage ¬ Attacker submits “user ’ -- ” and pin of “0” ¬ SELECT info FROM users WHERE login=‘ user’ -- ’ AND pin=0 William Halfond – ICSE Formal Demo – May 25 th , 2006

  7. Many types of SQLIA [issse06] Types Sources • Piggy-backed • User input Queries • Cookies • Tautologies • Server variables • Alternate Encodings • Second-order • Inference • … • Illegal/Logically Incorrect Queries • Union Query • Stored Procedures William Halfond – ICSE Formal Demo – May 25 th , 2006

  8. AMNESIA [ase05] Basic Insights 1. Code contains enough information to accurately model all legitimate queries. 2. A SQL Injection Attack will violate the predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models William Halfond – ICSE Formal Demo – May 25 th , 2006

  9. Overview of AMNESIA Identify all hotspots. 1. Build SQL query models for each 2. hotspot. Instrument hotspots. 3. Monitor application at runtime. 4. William Halfond – ICSE Formal Demo – May 25 th , 2006

  10. 1 – Identify Hotspots Scan application code to identify hotspots. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=“ + pin; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Hotspot William Halfond – ICSE Formal Demo – May 25 th , 2006

  11. 2 – Build SQL Query Model Use Java String Analysis [1] to construct 1. character-level automata Parse automata to group characters into 2. SQL tokens = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin William Halfond – ICSE Formal Demo – May 25 th , 2006

  12. 3 – Instrument Application Wrap each hotspot with call to monitor. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } Call to Monitor if (monitor.accepts (hotspotID, queryString) { ResultSet tempSet = stmt.execute(queryString); } Hotspot William Halfond – ICSE Formal Demo – May 25 th , 2006

  13. 4 – Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin Normal Usage: SELECT info FROM userTable WHERE login = ‘ doe ‘ AND pin = 123 William Halfond – ICSE Formal Demo – May 25 th , 2006

  14. 4 – Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin Malicious Usage: SELECT info FROM userTable WHERE login = ‘ user ‘ -- ‘ AND pin = 0 William Halfond – ICSE Formal Demo – May 25 th , 2006

  15. AMNESIA Implementation William Halfond – ICSE Formal Demo – May 25 th , 2006

  16. AMNESIA Demonstration • Attacking a commercial application: • Evade login protection • Change contents of the database – “Special sale price” • Blocking attacks with AMNESIA • Examine SQL query models William Halfond – ICSE Formal Demo – May 25 th , 2006

  17. Evaluation: Research Questions RQ1: What percentage of attacks can our technique detect and prevent that would otherwise go undetected and reach the database? RQ2: How much overhead does our technique impose on web applications at runtime? RQ3: What percentage of legitimate accesses does our technique prevent from reaching the database? William Halfond – ICSE Formal Demo – May 25 th , 2006

  18. Evaluation: Experiment Setup Average Subject LOC Hotspots Automata size Checkers 5,421 5 289 (772) Office Talk 4,543 40 40 (167) Employee Directory 5,658 23 107 (952) Bookstore 16,959 71 159 (5,269) Events 7,242 31 77 (550) Classifieds 10,949 34 91 (799) Portal 16,453 67 117 (1,187) • Applications are a mix of commercial (5) and student projects (2) • Attacks and legitimate inputs developed independently • Attack inputs represent broad range of exploits William Halfond – ICSE Formal Demo – May 25 th , 2006

  19. Evaluation Results: RQ1 Subject Unsuccessful Successful Detected Checkers 1195 248 248 (100%) Office Talk 598 160 160 (100%) Employee Directory 413 280 280 (100%) Bookstore 1028 182 182 (100%) Events 875 260 260 (100%) Classifieds 823 200 200 (100%) Portal 880 140 140 (100%) ⇒ No false negatives ⇒ Unsuccessful attacks = filtered by application William Halfond – ICSE Formal Demo – May 25 th , 2006

  20. Evaluation Results: RQ2 & RQ3 • Runtime Overhead • Less than 1ms. • Insignificant compared to cost of network/database access • No false positives • No legitimate input was flagged as SQLIA William Halfond – ICSE Formal Demo – May 25 th , 2006

  21. Conclusions & Future Work • AMNESIA detects and prevents SQLIAs by using static analysis and runtime monitoring • Builds models of expected legitimate queries • At runtime, ensure all generated queries match model • In our evaluation • No false positives • No false negatives • Future work => address limitations • Imprecision in static analysis • External trusted input William Halfond – ICSE Formal Demo – May 25 th , 2006

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to Georgia Tech,

627 views • 23 slides
Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

520 views • 48 slides
Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

492 views • 47 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science & Engineering

412 views • 5 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year: 2019; } Historical background (might be historically inaccurate) ~2007: Gareth Heyes, David Lindsay and Eduardo Vela (from sla.ckers.org) published

412 views • 15 slides
Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William G.J. Halfond Alessandro Orso Panagiotis Manolios Georgia Institute of Technology Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and

678 views • 34 slides
United States v. Global Partners LLP, et al. Proposed Consent Decree CITY COUNCIL WORKSHOP

United States v. Global Partners LLP, et al. Proposed Consent Decree CITY COUNCIL WORKSHOP

United States v. Global Partners LLP, et al. Proposed Consent Decree CITY COUNCIL WORKSHOP APRIL 16, 2019 Why Were Here In March, the United States Environmental Protection Agency (EPA) filed a complaint against Global Partners LLC

492 views • 22 slides
Toward GPUs being mainstream in analytic processing An initial argument using simple scan-

Toward GPUs being mainstream in analytic processing An initial argument using simple scan-

Toward GPUs being mainstream in analytic processing An initial argument using simple scan- aggregate queries Jason Power || Yinan Li || Mark D. Hill Jignesh M. Patel || David A. Wood < powerjg@cs.wisc.edu> DaMoN 2015 6/1/2015 UNIVERSITY

429 views • 42 slides
Q4 2018 and Capital Markets Update 5 March 2019 | Aalborg, Denmark Agenda Lunch 1200-1230

Q4 2018 and Capital Markets Update 5 March 2019 | Aalborg, Denmark Agenda Lunch 1200-1230

Q4 2018 and Capital Markets Update 5 March 2019 | Aalborg, Denmark Agenda Lunch 1200-1230 Building a gaming and enthusiast brand Strategic development, Andr Sloth Eriksen, CEO 1230-1300 Driven by the end-user experience The renamed

911 views • 63 slides
Rules for presentation of ITU-T | ISO/IEC common text (September 2014) This guide provides rules

Rules for presentation of ITU-T | ISO/IEC common text (September 2014) This guide provides rules

Rules for presentation of ITU-T | ISO/IEC common text (September 2014) This guide provides rules for use by editors in preparing common text ITU-T Recommendations | ISO/IEC International Standards (or Technical Reports). The presentation rules

463 views • 25 slides
Memory Chapter 7 Encoding, Storage and Retrieval of Memor y Encoding Storage

Memory Chapter 7 Encoding, Storage and Retrieval of Memor y Encoding Storage

Memory Chapter 7 Encoding, Storage and Retrieval of Memor y Encoding Storage Retrieval Forgetting Three Systems of Memory Sensory memory Iconic memory Echoic memory Working/ short-term memory - storage process

701 views • 19 slides
LEARNING AND MEMORY Chapter 11 Learning and Memory Learning How experience changes the

LEARNING AND MEMORY Chapter 11 Learning and Memory Learning How experience changes the

LEARNING AND MEMORY Chapter 11 Learning and Memory Learning How experience changes the brain Memory How changes are stored and subsequently reactivated Memories are stored in specific structures, not diffusely throughout the

678 views • 29 slides
NEUROPSYCHOLOGICAL CONSULTATION: COMMON REFERRAL ISSUES NEW MEXICO NURSE PRACTITIONERS

NEUROPSYCHOLOGICAL CONSULTATION: COMMON REFERRAL ISSUES NEW MEXICO NURSE PRACTITIONERS

NEUROPSYCHOLOGICAL CONSULTATION: COMMON REFERRAL ISSUES NEW MEXICO NURSE PRACTITIONERS ASSOCIATION 2013 CONFERENCE Rex M. Swanda, Ph.D., ABPP-CN VA Medical Center Neuropsychological Consultation: General Approach Review relevant records

559 views • 14 slides
Concussion Management and Update Ricardo Guirola MD M Ed Pediatric Rheumatology Primary Care

Concussion Management and Update Ricardo Guirola MD M Ed Pediatric Rheumatology Primary Care

6/18/2014 Concussion Management and Update Ricardo Guirola MD M Ed Pediatric Rheumatology Primary Care Sports Medicine Objectives Review definition, signs and symptoms Discuss the initial evaluation of a patient with concussion

265 views • 24 slides

More recommend