CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks

Prithvi Bisht, P. Madhusudan, V. Venkatakrishnan
DOI: 10.1145/1698750.1698754 (https://doi.org/10.1145/1698750.1698754)
Journal: ACM Transactions on Information and System Security, vol. 19, no. 1, pp. 14:1-14:39
Published: 2010-02-01 (journal article)
Citations: 184 (Semantic Scholar)

Abstract

SQL injection attacks are one of the top-most threats for applications written for the Web. These attacks are launched through specially crafted user inputs, on Web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming Web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called Candid, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We have also implemented Candid by modifying a Java Virtual Machine, which safeguards applications without requiring retrofitting. We report extensive experimental results that show that our approach performs remarkably well in practice.
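A worked model of the mechanism the abstract describes, added here as an example and not code from the paper or the Candid tool: each user input is paired with a benign candidate of the same length (the paper uses a string of 'a' characters; mapping an all-digit input to a string of '1' characters is an assumption of this example), string operations are applied to both twins while the program's own branches are decided on the real value, and the finished query is allowed only if its structure matches the structure of the query built from the candidates. The `Shadow`, `candid_check` and `build_*` names, the two constructed query builders, the small SQL lexer and the token-level skeleton (standing in for the paper's parse-tree comparison) are all this example's own.

```python
import re

# Lexer for a small SQL subset. It is an assumption of this example; the paper compares
# parse trees from a real SQL parser, and a token-level skeleton stands in for that here.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|[=<>+\-*/,;().])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)

_KEYWORDS = {"select", "from", "where", "and", "or", "not", "in", "like", "union",
             "insert", "into", "values", "update", "set", "delete", "drop", "table", "null"}


def skeleton(sql):
    """Structural skeleton of a query: token kinds in order, with literal values erased.
    Two queries with the same skeleton have the same structure in Candid's sense."""
    out, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        kind, text = m.lastgroup, m.group()
        pos = m.end()
        if kind == "ws":
            continue
        if kind == "ident":
            word = text.lower()
            out.append(("kw", word) if word in _KEYWORDS else ("ident", word))
        elif kind in ("string", "number", "comment"):
            out.append((kind, None))        # the value of a literal is not structure
        else:
            out.append((kind, text))        # operators and stray characters
    return tuple(out)


def candidate_input(value):
    """Candid's benign candidate for a user input: same length, harmless content.
    The paper uses a string of 'a' characters; mapping an all-digit input to a string of
    '1' characters (so numeric contexts stay numeric) is an assumption of this example."""
    return ("1" if value.isdigit() else "a") * len(value)


class Shadow:
    """A string paired with its candidate twin. Concatenation applies to both halves, while
    the program's conditionals are decided on .real, so the candidate evaluation follows the
    same control path as the real one. This models Candid's retrofitting of string variables."""
    __slots__ = ("real", "cand")

    def __init__(self, real, cand=None):
        self.real = real
        self.cand = real if cand is None else cand   # a program constant is its own candidate

    @classmethod
    def from_input(cls, value):
        return cls(value, candidate_input(value))

    def __add__(self, other):
        other = other if isinstance(other, Shadow) else Shadow(other)
        return Shadow(self.real + other.real, self.cand + other.cand)

    def __radd__(self, other):
        return Shadow(other) + self


def build_login_query(user, pwd):
    """Retrofitted form of a typical string-concatenating login query (constructed here)."""
    q = "SELECT id FROM users WHERE name = '" + user + "'"
    if pwd.real:                                   # branch decided on the real input
        q = q + " AND pass = '" + pwd + "'"
    return q


def build_item_query(item_id):
    """Numeric context: the input is spliced in without quotes (constructed here)."""
    return "SELECT * FROM items WHERE id = " + item_id


def candid_check(query):
    """Candid's detection step: the query is allowed only if its structure matches the
    structure of the query computed from the benign candidate inputs."""
    return skeleton(query.real) == skeleton(query.cand)


def login_is_safe(user, pwd):
    return candid_check(build_login_query(Shadow.from_input(user), Shadow.from_input(pwd)))


def item_is_safe(item_id):
    return candid_check(build_item_query(Shadow.from_input(item_id)))


if __name__ == "__main__":
    for user, pwd in [("alice", "s3cret"), ("alice", ""), ("' OR '1'='1", "x"), ("admin'--", "x")]:
        print(f"{user!r:>16} / {pwd!r:<8} -> {'ok' if login_is_safe(user, pwd) else 'ATTACK'}")
    for item in ["7", "7 OR 1=1", "0 UNION SELECT pass FROM users"]:
        print(f"{item!r:>34} -> {'ok' if item_is_safe(item) else 'ATTACK'}")
```

The empty-password case shows why the candidate run has to follow the real run's path: the program drops the `AND pass = ...` clause for both twins, so the structures still agree and a legitimate request is not rejected. The tautology, comment and numeric `UNION` inputs each add tokens that the length-preserving candidate cannot produce, so their skeletons diverge. An input such as `O'Brien` spliced in without escaping also changes the token structure and is rejected by this check; the query the program built is malformed in that case, which is exactly what a structural comparison sees.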
Source journal

ACM Transactions on Information and System Security (Engineering & Technology - Computer Science: Information Systems)
CiteScore: 4.50; self-citation rate: 0.00%; review time: 3.3 months
Journal description: TISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.