Minimizing Databases Attack Surface Against SQL Injection Attacks

  • Dimitris Geneiatakis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)


Lately, end-users and database administrators are continuously faced with exposures of personal data. Among the different types of vulnerabilities an adversary might exploit to gain access to such data, SQL injection is considered one of the most serious; it has remained among the top twenty best-known vulnerabilities for more than a decade. Although various defenses against SQL injection have been proposed for database protection, most of them require "modifications" to the underlying infrastructure, such as proxy interposition or middleware drivers, and cannot be employed transparently. In this paper, we propose a practical framework that enables the transparent enforcement of randomization on any given database in order to enhance protection against SQL injection attacks, while remaining agnostic to the underlying database and completely transparent to the end-user. We demonstrate a methodology for automatically identifying the SQL statements of a given database application, and we introduce a runtime environment that enforces the randomization and de-randomization mechanism in a completely transparent way, without requiring access to the application's source code. We evaluate the overhead of our approach using the well-known MySQL database under different configurations. The results indicate that the proposed framework is feasible to deploy.
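The randomization and de-randomization mechanism described in the abstract can be illustrated with a small keyword-randomization scheme in the style of SQLrand. The following is an added example, not the paper's framework or its runtime environment: the keyword set, the numeric key, the tokenizer, and the `randomize`/`derandomize`/`run_demo` functions are all assumptions made here for illustration. Keywords embedded in the application's own statements are tagged with a secret key before any user value is substituted; just before a query reaches the database, the tag is stripped, and any keyword that arrives without the tag can only have come from user input and is rejected.

```python
import re
import secrets

# Constructed subset of SQL keywords for the example; a real deployment would
# tag the full reserved-word list of the target dialect.
SQL_KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO", "VALUES",
    "UPDATE", "SET", "DELETE", "UNION", "ALL", "DROP", "TABLE", "LIKE",
    "ORDER", "BY", "LIMIT", "JOIN", "ON", "NULL", "IS", "IN",
}

# Tokens: single-quoted string literals (with '' escapes), words, whitespace,
# or any other single character. Words inside string literals are never
# examined, so the data value 'or' is not mistaken for the keyword OR.
# (Simplified tokenizer: SQL comments and double-quoted identifiers are not
# handled.)
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\s+|.", re.DOTALL)


def generate_key(length: int = 6) -> str:
    """Random numeric suffix appended to every keyword; one per deployment."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def randomize(statement: str, key: str) -> str:
    """Tag each SQL keyword in an application-embedded statement template.

    This runs once on the statement templates found in the application,
    before any user-supplied value is substituted into them.
    """
    out = []
    for tok in _TOKEN_RE.findall(statement):
        out.append(tok + key if tok.upper() in SQL_KEYWORDS else tok)
    return "".join(out)


class InjectedKeyword(Exception):
    """Raised when a keyword without the key reaches the de-randomizer."""


def derandomize(query: str, key: str) -> str:
    """Strip the key from tagged keywords and reject untagged keywords.

    This runs on every query just before it reaches the database. The key is
    secret, so user input cannot produce a correctly tagged keyword.
    """
    out = []
    for tok in _TOKEN_RE.findall(query):
        if tok.endswith(key) and tok[: -len(key)].upper() in SQL_KEYWORDS:
            out.append(tok[: -len(key)])          # tagged by the application
        elif tok.upper() in SQL_KEYWORDS:
            raise InjectedKeyword(f"untagged SQL keyword {tok!r} in query")
        else:
            out.append(tok)                       # identifier, literal, punctuation
    return "".join(out)


def run_demo() -> dict:
    """Build the same query from benign and from tampered input (constructed)."""
    key = "482193"  # fixed here so the result is reproducible; use generate_key() in practice
    template = "SELECT id FROM users WHERE name = '%s'"
    randomized = randomize(template, key)

    accepted = derandomize(randomized % "alice", key)

    tampered = randomized % "x' OR '1'='1"  # classic string-escape injection
    try:
        derandomize(tampered, key)
        blocked = False
    except InjectedKeyword:
        blocked = True
    return {"randomized": randomized, "accepted": accepted, "blocked": blocked}


if __name__ == "__main__":
    print(run_demo())
```

The benign query de-randomizes back to the original statement, while the tampered one is rejected at the `OR` that escaped the string literal. The design point the paper's abstract makes is where this logic lives: here it is a library the application would have to call, whereas the paper's framework applies the same randomization and de-randomization at runtime without touching the application's source.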



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Electrical and Computer Engineering Department, Aristotle University of Thessaloniki, Thessaloniki, Greece
