2016 | Original Paper | Book chapter

Minimizing Databases Attack Surface Against SQL Injection Attacks

Author: Dimitris Geneiatakis

Published in: Information and Communications Security

Publisher: Springer International Publishing


Abstract

End-users and database administrators are continually confronted with exposures of personal data. Among the different types of vulnerabilities an adversary might exploit to gain access to such data, SQL injection is considered one of the most serious, and it has remained among the top twenty best-known vulnerabilities for more than a decade. Although various defenses against SQL injection have been proposed for database protection, most of them require modifications to the underlying infrastructure, such as proxy interposition or middleware drivers, and cannot be deployed transparently. In this paper, we propose a practical framework that transparently enforces randomization on any given database to strengthen protection against SQL injection attacks, while remaining agnostic to the underlying database and completely transparent to the end-user. We present a methodology for automatically identifying the SQL statements of a given database application, and we introduce a runtime environment that enforces the randomization and de-randomization mechanism in a completely transparent way, without requiring access to the application's source code. We evaluate the overhead of our approach using the well-known MySQL database under different configurations. The results indicate that the proposed framework is feasible to deploy.
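To make the randomization/de-randomization mechanism the abstract describes concrete, the following is an added Python illustration (it is not the paper's code and simplifies the idea to keyword suffixing): an offline step appends a per-deployment secret key to every SQL keyword in the application's fixed statements, and a runtime component in front of the database strips the key and rejects any keyword that arrives without it, since such a keyword can only have come from user input. It assumes a hex key, single-quoted string literals with `''` escapes, templates without SQL comments, and a small constructed keyword set.

```python
import re
import secrets

# Constructed keyword list: a small subset of SQL reserved words, enough for the demo.
KEYWORDS = frozenset({"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT", "INTO",
                      "VALUES", "DELETE", "DROP", "UPDATE", "SET", "ALL", "NOT"})
WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING_RE = re.compile(r"'(?:[^']|'')*'")  # single-quoted literal, '' escapes a quote


class InjectionDetected(Exception):
    """Raised when a keyword without the secret key reaches the de-randomizer."""


def new_key(nbytes: int = 4) -> str:
    """Per-deployment secret; hex so KEYWORD+key is still one identifier-like token."""
    return secrets.token_hex(nbytes)


def _segments(sql: str):
    """Yield (text, inside_string_literal) pieces so words inside literals are left alone."""
    pos = 0
    for m in STRING_RE.finditer(sql):
        if m.start() > pos:
            yield sql[pos:m.start()], False
        yield m.group(0), True
        pos = m.end()
    if pos < len(sql):
        yield sql[pos:], False


def _rewrite(sql: str, word_fn) -> str:
    """Apply word_fn to every word outside string literals, keeping literals intact."""
    return "".join(text if lit else WORD_RE.sub(word_fn, text) for text, lit in _segments(sql))


def randomize(template: str, key: str) -> str:
    """Offline step: append the (non-empty) key to each keyword of a fixed SQL template."""
    return _rewrite(template, lambda m: m.group(0).upper() + key
                    if m.group(0).upper() in KEYWORDS else m.group(0))


def derandomize(query: str, key: str) -> str:
    """Runtime step in front of the database: strip the key, reject any bare keyword."""
    def fix(m):
        w = m.group(0)
        if w.upper().endswith(key.upper()) and w[:-len(key)].upper() in KEYWORDS:
            return w[:-len(key)]  # legitimate keyword from the randomized template
        if w.upper() in KEYWORDS:
            raise InjectionDetected(f"un-randomized keyword {w!r}")  # arrived via user input
        return w
    return _rewrite(query, fix)


def guarded_query(randomized_template: str, key: str, **params) -> str:
    """Simulate an app that still builds SQL by string formatting, then the de-randomizer."""
    return derandomize(randomized_template.format(**params), key)
```

Keywords that appear inside a properly quoted literal pass through unchanged, so the check does not reject ordinary input that happens to contain words like "or"; only input that breaks out of the literal exposes a bare keyword and is rejected before the database sees it.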


Footnotes
2
We focus on this type of language, as most malicious inputs are generated through web-based applications.
 
Metadata
Title
Minimizing Databases Attack Surface Against SQL Injection Attacks
Author
Dimitris Geneiatakis
Copyright year
2016
Publisher
Springer International Publishing
DOI
https://doi.org/10.1007/978-3-319-29814-6_1