Abstract
We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are reachable through a web front-end and exploit flaws in the input validation logic of web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language whose keywords are unpredictable to the attacker. Queries injected by the attacker use the standard keywords, so they will be caught and terminated by the parser. We show how to use this technique with the MySQL database by way of an intermediary proxy that translates the randomized SQL back into standard SQL before it reaches the server. Our mechanism imposes negligible performance overhead on query processing and can be easily retrofitted to existing systems.
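The following is an added example, not code from the SQLrand paper, that sketches the mechanism the abstract describes in a few dozen lines of Python: a developer-side routine that rewrites the keywords of a query template into a randomized dialect, a proxy-side routine that strips the key and refuses any keyword that arrives without it, and a deliberately unescaped front-end query to play the part of the vulnerable CGI script. The keyword subset, the encoding of the key as a random integer suffix, and the sample inputs are all constructed assumptions for the demo.

```python
"""SQLrand-style keyword randomization with a de-randomizing proxy (added example)."""
import re
import secrets

# Constructed keyword subset for the demo; a real deployment covers the whole grammar.
SQL_KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO", "VALUES",
    "UPDATE", "SET", "DELETE", "DROP", "TABLE", "UNION", "LIKE", "NULL",
}

# Token classes: a complete single-quoted literal (with '' escapes), a word,
# whitespace, a stray quote, or a run of punctuation. Every character lands in a token.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\s+|'|[^\sA-Za-z_']+")


class InjectionDetected(Exception):
    """Raised by the proxy when a keyword arrives without the randomization key."""


def make_key() -> str:
    """Per-deployment secret appended to every keyword (the 32-bit width is an assumption)."""
    return str(secrets.randbits(32))


def _is_word(tok: str) -> bool:
    return tok[0].isalpha() or tok[0] == "_"


def randomize(template: str, key: str) -> str:
    """Developer side: rewrite a standard-SQL template into the randomized dialect.
    Keywords inside string literals are data and are left untouched."""
    out = []
    for tok in _TOKEN.findall(template):
        if _is_word(tok) and tok.upper() in SQL_KEYWORDS:
            out.append(tok.upper() + key)
        else:
            out.append(tok)
    return "".join(out)


def derandomize(query: str, key: str) -> str:
    """Proxy side: strip the key from every keyword and forward standard SQL.
    A keyword outside a literal that lacks the key can only have come from injected input."""
    if not key:
        raise ValueError("randomization key must be non-empty")
    out = []
    for tok in _TOKEN.findall(query):
        if _is_word(tok):
            stem = tok[:-len(key)] if tok.endswith(key) else None
            if stem and stem.upper() in SQL_KEYWORDS:
                out.append(stem)
                continue
            if tok.upper() in SQL_KEYWORDS:
                raise InjectionDetected(f"bare keyword {tok!r} outside a string literal")
        out.append(tok)
    return "".join(out)


def vulnerable_app_query(user_value: str, key: str) -> str:
    """Mimics the flawed front-end the paper targets: the untrusted value is spliced
    into the randomized template with no escaping at all. Constructed for the demo."""
    template = "SELECT * FROM users WHERE name = '?' AND status = 'OR'"
    return randomize(template, key).replace("?", user_value)


def proxy_forward(query: str, key: str):
    """Proxy decision: (True, standard_sql) to forward, or (False, reason) to drop."""
    try:
        return True, derandomize(query, key)
    except InjectionDetected as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = make_key()
    for value in ("alice", "' OR '1'='1", "x'; DROP TABLE users; --"):
        print(repr(value), "->", proxy_forward(vulnerable_app_query(value, key), key))
```

The `'OR'` literal in the template is there on purpose: the tokenizer treats quoted strings as data in both directions, so a user actually named `OR` is accepted while an injected `' OR '1'='1` lands its `OR` outside the quotes and is refused. Two caveats a practitioner should keep in mind: the key must never leak, so the proxy must not echo the randomized query back in error messages, and a value such as `a'b` still produces a malformed query that the proxy forwards and the database rejects, which is the front-end's escaping bug rather than something the randomization is meant to catch. Parameterized queries remain the primary fix; this mechanism is the retrofit the abstract describes for code you cannot change.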
© 2004 Springer-Verlag Berlin Heidelberg
Cite this paper
Boyd, S.W., Keromytis, A.D. (2004). SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds) Applied Cryptography and Network Security. ACNS 2004. Lecture Notes in Computer Science, vol 3089. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24852-1_21
DOI: https://doi.org/10.1007/978-3-540-24852-1_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22217-0
Online ISBN: 978-3-540-24852-1