Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL - - PowerPoint PPT Presentation



SLIDE 1

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks

William G.J. Halfond Alessandro Orso Panagiotis Manolios

Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and by DHS and US Air Force under Contract No. FA8750-05-C-0179.

Georgia Institute of Technology

SLIDE 2

William Halfond – FSE 2006 – November 8th, 2006 – Slide 2

Introduction

[Diagram: End Users, Internet, Web Server, DB, Other Systems]

Deployment context of a typical Web application.


SLIDE 4

SQL Injection Attacks

Easy to create a database query – hard to do it securely.

  • The Open Web Application Security Project (OWASP) lists SQLIA in its top ten most critical web application security vulnerabilities
  • David Aucsmith (CTO of Security and Business Unit, Microsoft) defined SQLIA as one of the most serious threats to web apps
  • Successful attacks on Guess Inc., Travelocity, FTD.com, Tower Records, RIAA, …
  • Companies have built their business on detecting SQLIAs

SLIDE 5

Example of an SQLIA

    public Login(request, response) {
        String login  = request.getParameter("login");
        String passwd = request.getParameter("passwd");
        String query  = "SELECT info FROM userTable WHERE ";
        if ((! login.equals("")) && (! passwd.equals("")))
            // Vulnerable: the request parameters are concatenated straight into the query
            query += "login='" + login + "' AND pass='" + passwd + "'";
        else
            query += "login='guest'";
        ResultSet result = stmt.executeQuery(query);
        if (result != null)
            displayAccount(result);
        else
            sendAuthFailed();
    }

SLIDE 6

Example of an SQLIA

Normal Usage

  • User submits login "doe" and passwd "xyz"
  • SELECT info FROM users WHERE login='doe' AND pass='xyz'

SLIDE 7

Example of an SQLIA

Malicious Usage

  • Attacker submits login "admin' -- " and passwd "0"
  • SELECT info FROM users WHERE login='admin' -- ' AND pass='0'

SLIDE 8

Presentation Outline

  • Our Technique
    • Positive tainting
    • Syntax-aware evaluation
  • Implementation: WASP
  • Evaluation
  • Related work
  • Conclusions and future work

SLIDE 9

Our Technique

Basic approach => Only allow developer-trusted strings to form sensitive parts of a query

Solution:

  1. Positive tainting: Identify and mark developer-trusted strings. Propagate taint markings at runtime.
  2. Syntax-aware evaluation: Check that all keywords and operators in a query were formed using marked strings.

SLIDE 10

Example: Positive vs. Negative Tainting

In the Login example above, negative tainting would mark the untrusted data (the login and passwd values read from the request), whereas positive tainting marks the trusted data (the hard-coded query fragments).

Identify and mark trusted data instead of untrusted data.

SLIDE 11

Benefits of Positive Tainting

  ⇒ Increased safety: Incompleteness leads to easy-to-eliminate false positives
  ⇒ Normal in-house testing causes the set of trusted data to converge to the complete set
  ⇒ Implements the security principle of "fail-safe defaults" [Saltzer and Schroeder]
  ⇒ Increased automation: Trusted data is readily identifiable in Web applications

SLIDE 12

Syntax-aware Evaluation

  • Cannot simply forbid the use of untrusted data in queries
  • Dependence on filtering rules requires unsafe assumptions
  ⇒ Syntax-aware evaluation
    • Performed right before the query is sent to the database
    • Consider the context in which trusted and untrusted data is used

SLIDE 13

Complete Example

    1. String queryString = "SELECT info FROM userTable WHERE ";
    2. if ((! login.equals("")) && (! password.equals(""))) {
    3.     queryString += "login='" + login + "' AND pass='" + password + "'";
       } else {
    4.     queryString += "login='guest'";
       }
    5. ResultSet tempSet = stmt.executeQuery(queryString);

login -> "doe", password -> "xyz"

SLIDE 14

Complete Example (continued)

login -> "doe", password -> "xyz"

After line 1, every character of queryString comes from a hard-coded string and carries a trust mark ([] is a space character):

    queryString [S][E][L][E][C][T] … [W][H][E][R][E][]

SLIDE 15

Complete Example (continued)

login -> "doe", password -> "xyz"

Line 3 builds the right-hand side from temporaries: tmp0, tmp2 and tmp4 come from hard-coded literals (trusted), tmp1 and tmp3 hold the request parameters (untrusted):

    tmp0 [l][o][g][i][n][=][']
    tmp1 [d][o][e]
    tmp2 ['][][A][N][D][][p][a][s][s][=][']
    tmp3 [x][y][z]
    tmp4 [']

SLIDE 16

Complete Example (continued)

login -> "doe", password -> "xyz"

After line 3, the marks have propagated through the concatenation with their characters:

    queryString … [W][H][E][R][E][][l][o][g][i][n][=]['][d][o][e]['][A][N][D][][p][a][s][s][=]['][x][y][z][']

SLIDE 17

Complete Example (continued)

login -> "doe", password -> "xyz"

The query string handed to executeQuery at line 5:

    SELECT info FROM userTable WHERE login='doe' AND pass='xyz'

SLIDE 18

Complete Example (continued)

login -> "doe", password -> "xyz"

Syntax-aware evaluation parses the query into tokens. Every keyword, operator and quote delimiter was formed from trusted characters; the untrusted characters (doe, xyz) appear only inside string literals, so the query is allowed.

Parsed tokens:

    SELECT info FROM userTable WHERE login = ' ' doe AND pass = ' ' xyz

SLIDE 19

Complete Example (continued)

login -> "admin' -- ", password -> ""

After line 3 with the attack input, the quote and the -- inside the login value carry no mark:

    queryString … [R][E][][l][o][g][i][n][=]['][a][d][m][i][n]['][][-][-][]['][A][N][D][][p][a][s][s][=][']['][']

SLIDE 20

Complete Example (continued)

login -> "admin' -- ", password -> ""

The query string handed to executeQuery at line 5:

    SELECT info FROM userTable WHERE login='admin' -- ' AND pass=''

SLIDE 21

Complete Example (continued)

login -> "admin' -- ", password -> ""

Parsed tokens:

    SELECT info FROM userTable WHERE login = ' ' admin AND pass = ' ' '

The quote that closes 'admin' and the -- comment operator were formed from untrusted characters, so the syntax-aware check fails and the query is not sent to the database.
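A runnable Python sketch of the two steps described on slide 9 and walked through in the Complete Example, added here as an illustration; it is not the WASP or MetaStrings code from the talk. MarkedString carries a per-character trust mark through concatenation (positive tainting), and syntax_aware_check tokenizes the final query and requires every keyword, identifier, operator, comment and quote delimiter to consist of marked characters (syntax-aware evaluation). The tokenizer regex, the MarkedString class and the trusted/untrusted helpers are assumptions of this sketch; build_login_query mirrors the Login servlet's query construction.

```python
import re

class MarkedString:
    """Positive tainting at character level: every character carries a trust mark.
    Constructed stand-in for the MetaStrings wrappers described in the talk."""
    def __init__(self, text, trusted):
        self.text, self.marks = text, [trusted] * len(text)

    def __add__(self, other):
        # Concatenation propagates the per-character marks of both operands.
        out = MarkedString("", False)
        out.text, out.marks = self.text + other.text, self.marks + other.marks
        return out

def trusted(s):    # hard-coded string literal written by the developer
    return MarkedString(s, True)

def untrusted(s):  # value that arrived from the request, carries no mark
    return MarkedString(s, False)

# Minimal SQL tokenizer: quoted literal, whitespace, word (keyword/identifier),
# '--' comment to end of line, or a single operator/punctuation character.
TOKEN = re.compile(r"'([^']*)'|(\s+)|(\w+)|(--.*$)|(\S)", re.M)

def syntax_aware_check(query):
    """Return the tokens that break the policy: keywords, identifiers, operators
    and comments must consist only of trusted characters, and the two quotes
    delimiting a string literal must be trusted (the literal body may not be)."""
    violations = []
    for m in TOKEN.finditer(query.text):
        start, end = m.span()
        if m.group(2):                 # whitespace carries no syntax
            continue
        if m.group(1) is not None:     # quoted literal: check only its two quotes
            positions = [start, end - 1]
        else:
            positions = range(start, end)
        if not all(query.marks[i] for i in positions):
            violations.append(m.group(0))
    return violations

def build_login_query(login, passwd):
    """The Login servlet's query construction, with marks propagated."""
    q = trusted("SELECT info FROM userTable WHERE ")
    if login.text != "" and passwd.text != "":
        q = q + trusted("login='") + login + trusted("' AND pass='") + passwd + trusted("'")
    else:
        q = q + trusted("login='guest'")
    return q
```

Calling syntax_aware_check(build_login_query(untrusted("admin' -- "), untrusted("0"))) returns the two offending tokens, the literal whose closing quote came from the input and the -- comment; the "doe"/"xyz" input returns an empty list.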

SLIDE 22

WASP Architecture

SLIDE 23

Tracking the Taint Markings

⇒ MetaStrings: library that mimics all string-related classes

Benefits of the approach:
  1. Complete mediation of all string operations
  2. Polymorphism reduces instrumentation
  3. Track at the right level of granularity: character-level tainting

SLIDE 24

Implementation: Positive Tainting

  • Identify developer-trusted strings:
    1. Hard-coded strings
    2. Implicitly-created strings
    3. Strings from external sources
  • Use instrumentation to:
    1. Replace them with MetaStrings
    2. Assign trust markings

SLIDE 25

Minimal Deployment Requirements

  • No need for a customized runtime system
  • Based on instrumentation
    • Off-line
    • On the fly
  • Highly automated
  • Transparent for the system administrator

SLIDE 26

Evaluation

  1. False negatives: How many attacks go undetected?
  2. False positives: How many legitimate accesses are blocked as attacks?
  3. Overhead: What is the runtime cost of using WASP?

SLIDE 27

Experiment Setup

  Subject              LOC      Database Interaction Points
  Portal               16,453   67
  Classifieds          10,949   34
  Events               7,242    31
  Bookstore            16,959   71
  Employee Directory   5,658    23
  Office Talk          4,543    40
  Checkers             5,421    5

  • Applications are a mix of commercial (5) and student projects (2)
  • Attacks and legitimate inputs developed independently
  • Attack inputs represent a broad range of exploits

SLIDES 28-30

Evaluation Results: Accuracy

                                       Original Web Apps   WASP-Protected Web Apps
  Subject        # Legit.   Total #    Successful          Successful   False
                 Accesses   Attacks    Attacks             Attacks      Positives
  Portal         1,080      6,403      3,016               0            0
  Classifieds    574        5,968      1,973               0            0
  Events         900        6,207      2,141               0            0
  Bookstore      607        6,154      1,999               0            0
  Empl. Dir      658        6,398      2,066               0            0
  Office Talk    424        5,888      499                 0            0
  Checkers       1,359      4,431      922                 0            0

No false positives or false negatives in our evaluation.

SLIDE 31

Evaluation Results: Overhead

  Subject        # Inputs   Avg. Access   Avg. Access     % Overhead
                            Time (ms)     Overhead (ms)
  Portal         1,080      83            16              19%
  Classifieds    574        70            3               5%
  Events         900        70            1               1%
  Bookstore      607        70            4               6%
  Empl. Dir      658        63            3               5%
  Office Talk    424        56            1               2%
  Checkers       1,359      122           5               5%

Overhead is dominated by network and database access time.

SLIDE 32

Related Work

Similar Dynamic Tainting Approaches

  • Nguyen-Tuong et al.
  • Pietraszek and Berghe

Other Dynamic Tainting Approaches

  • Haldar, Chandra, and Franz
  • Martin, Livshits, and Lam

Other approaches discussed in the paper.

SLIDE 33

Conclusions and Future Work

  • WASP: Highly automated technique for securing applications against SQL Injection Attacks
    • Positive tainting
    • Accurate and efficient taint propagation
    • Syntax-aware evaluation
    • Minimal deployment requirements
  • Evaluation involving over 47,000 web accesses showed no false positives or false negatives
  • Future work
    • Use static analysis to optimize dynamic instrumentation
    • Apply the general principle to other forms of attacks

SLIDE 34

Questions?