preventing sql injection attacks using amnesia
play

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond - PowerPoint PPT Presentation

Jan 23, 2024 •29 likes •239 views

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia

  1. Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia Tech.

  2. SQL Injection Attacks • David Aucsmith (CTO of Security and Business Unit, Microsoft) defined SQLIA as one of the most serious threats to web apps • Open Web Application Security Project (OWASP) lists SQLIA in its top ten most critical web application security vulnerabilities • Successful attacks on Guess Inc., Travelocity, FTD.com, Tower Records, RIAA… William Halfond – ICSE Formal Demo – May 25 th , 2006

  3. Presentation Outline • Motivation • Background Info. • AMNESIA • Demonstration • Evaluation Overview • Summary William Halfond – ICSE Formal Demo – May 25 th , 2006

  4. SQLIA Vulnerability String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); William Halfond – ICSE Formal Demo – May 25 th , 2006

  5. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Normal Usage ¬ User submits login “ doe ” and pin “ 123 ” ¬ SELECT info FROM users WHERE login= ` doe ’ AND pin= 123 William Halfond – ICSE Formal Demo – May 25 th , 2006

  6. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Malicious Usage ¬ Attacker submits “user ’ -- ” and pin of “0” ¬ SELECT info FROM users WHERE login=‘ user’ -- ’ AND pin=0 William Halfond – ICSE Formal Demo – May 25 th , 2006

  7. Many types of SQLIA [issse06] Types Sources • Piggy-backed • User input Queries • Cookies • Tautologies • Server variables • Alternate Encodings • Second-order • Inference • … • Illegal/Logically Incorrect Queries • Union Query • Stored Procedures William Halfond – ICSE Formal Demo – May 25 th , 2006

  8. AMNESIA [ase05] Basic Insights 1. Code contains enough information to accurately model all legitimate queries. 2. A SQL Injection Attack will violate the predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models William Halfond – ICSE Formal Demo – May 25 th , 2006

  9. Overview of AMNESIA Identify all hotspots. 1. Build SQL query models for each 2. hotspot. Instrument hotspots. 3. Monitor application at runtime. 4. William Halfond – ICSE Formal Demo – May 25 th , 2006

  10. 1 – Identify Hotspots Scan application code to identify hotspots. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=“ + pin; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.execute(queryString); Hotspot William Halfond – ICSE Formal Demo – May 25 th , 2006

  11. 2 – Build SQL Query Model Use Java String Analysis [1] to construct 1. character-level automata Parse automata to group characters into 2. SQL tokens = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin William Halfond – ICSE Formal Demo – May 25 th , 2006

  12. 3 – Instrument Application Wrap each hotspot with call to monitor. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! pin.equals(""))) { queryString += "login='" + login + "' AND pin=" + pin ; } else { queryString+="login='guest'"; } Call to Monitor if (monitor.accepts (hotspotID, queryString) { ResultSet tempSet = stmt.execute(queryString); } Hotspot William Halfond – ICSE Formal Demo – May 25 th , 2006

  13. 4 – Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin Normal Usage: SELECT info FROM userTable WHERE login = ‘ doe ‘ AND pin = 123 William Halfond – ICSE Formal Demo – May 25 th , 2006

  14. 4 – Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login β = β = ‘ ‘ AND pin Malicious Usage: SELECT info FROM userTable WHERE login = ‘ user ‘ -- ‘ AND pin = 0 William Halfond – ICSE Formal Demo – May 25 th , 2006

  15. AMNESIA Implementation William Halfond – ICSE Formal Demo – May 25 th , 2006

  16. AMNESIA Demonstration • Attacking a commercial application: • Evade login protection • Change contents of the database – “Special sale price” • Blocking attacks with AMNESIA • Examine SQL query models William Halfond – ICSE Formal Demo – May 25 th , 2006

  17. Evaluation: Research Questions RQ1: What percentage of attacks can our technique detect and prevent that would otherwise go undetected and reach the database? RQ2: How much overhead does our technique impose on web applications at runtime? RQ3: What percentage of legitimate accesses does our technique prevent from reaching the database? William Halfond – ICSE Formal Demo – May 25 th , 2006

  18. Evaluation: Experiment Setup Average Subject LOC Hotspots Automata size Checkers 5,421 5 289 (772) Office Talk 4,543 40 40 (167) Employee Directory 5,658 23 107 (952) Bookstore 16,959 71 159 (5,269) Events 7,242 31 77 (550) Classifieds 10,949 34 91 (799) Portal 16,453 67 117 (1,187) • Applications are a mix of commercial (5) and student projects (2) • Attacks and legitimate inputs developed independently • Attack inputs represent broad range of exploits William Halfond – ICSE Formal Demo – May 25 th , 2006

  19. Evaluation Results: RQ1 Subject Unsuccessful Successful Detected Checkers 1195 248 248 (100%) Office Talk 598 160 160 (100%) Employee Directory 413 280 280 (100%) Bookstore 1028 182 182 (100%) Events 875 260 260 (100%) Classifieds 823 200 200 (100%) Portal 880 140 140 (100%) ⇒ No false negatives ⇒ Unsuccessful attacks = filtered by application William Halfond – ICSE Formal Demo – May 25 th , 2006

  20. Evaluation Results: RQ2 & RQ3 • Runtime Overhead • Less than 1ms. • Insignificant compared to cost of network/database access • No false positives • No legitimate input was flagged as SQLIA William Halfond – ICSE Formal Demo – May 25 th , 2006

  21. Conclusions & Future Work • AMNESIA detects and prevents SQLIAs by using static analysis and runtime monitoring • Builds models of expected legitimate queries • At runtime, ensure all generated queries match model • In our evaluation • No false positives • No false negatives • Future work => address limitations • Imprecision in static analysis • External trusted input William Halfond – ICSE Formal Demo – May 25 th , 2006

Recommend

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to Georgia Tech,

627 views • 23 slides
Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

520 views • 48 slides
Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

492 views • 47 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science & Engineering

412 views • 5 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year: 2019; } Historical background (might be historically inaccurate) ~2007: Gareth Heyes, David Lindsay and Eduardo Vela (from sla.ckers.org) published

412 views • 15 slides
Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William G.J. Halfond Alessandro Orso Panagiotis Manolios Georgia Institute of Technology Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and

678 views • 34 slides
Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond & Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

187 views • 17 slides
FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and

588 views • 32 slides
SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la scurit des systmes

523 views • 28 slides
RESEARCH PROJECT PREVENTING MOST COMMON ATTACKS ON CRITICAL INFRASTRUCTURES Wouter Miltenburg

RESEARCH PROJECT PREVENTING MOST COMMON ATTACKS ON CRITICAL INFRASTRUCTURES Wouter Miltenburg

RP#80 RESEARCH PROJECT PREVENTING MOST COMMON ATTACKS ON CRITICAL INFRASTRUCTURES Wouter Miltenburg & Koen Veelenturf University of Amsterdam Students Master System and Network Engineering Supervisors: Jaya Baloo & Oscar Koeroo

314 views • 14 slides
An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin

An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin

An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks Mainuddin Ahmad Jonas, Md. Shohrab Hossain, Risul Islam, Husnu S. Narman , Mohammed Atiquzzaman Outlines Motivation Problem Contributions Results

1.03k views • 25 slides
Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Cheap & Cheerful A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore SPACE 2016,

667 views • 31 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides
Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting & Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and Christina Ppper. With special thanks to various IEEE members. Black Hat Webcast, 17 September 2020. Background: beacons Wi-Fi networks use

798 views • 42 slides

More recommend