Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection
Yuji Kosuga, Kenji Kono, Miyuki Hanaoka (Keio University)
Miho Hishiyama, Yu Takahama (IX Knowledge Inc.)
2007 Annual Computer Security Applications Conference (ACSAC)

OUTLINE
• Introduction
• Related Work
• Design of Sania
• Implementation
• Experiments
• Conclusion
1. Introduction
• Databases are threatened by SQL injection attacks.
• Sanitizing
• Discovering SQL injection vulnerabilities is based on penetration testing.
  SELECT * FROM users WHERE name = 'xxx' AND password = '' or '1'='1'
  SELECT * FROM users WHERE name = 'xxx' AND password = '" or "1"="1'

1. Introduction (cont.)
• Sania
  • Automatically identifies potentially vulnerable spots in the SQL queries.
  • Generates attack requests.
  • Compares the parse trees of the SQL queries generated from an innocent HTTP request and from an attack request.
2. Related Work
• Framework Support
  • A validator prohibits an input from including meta-characters.
  • Transforms the dangerous characters into safe ones.

2. Related Work (cont.)
• Prepared Statement
  • Separates the values in a query from the structure of the SQL.
  • All the legacy web applications must be rewritten.
  PreparedStatement stmt = conn.prepareStatement("INSERT INTO message VALUES(?, ?)");
  stmt.setString(1, "razor");
  stmt.setString(2, "razor@mail.com");
  stmt.executeUpdate();
  stmt.clearParameters();
2. Related Work (cont.)
• Combined Static and Dynamic Analysis
  • Uses a static analysis to build the models of the SQL queries.
  • Intercepts all the SQL queries before they are sent to the database.
  • Checks each query against the statically built models.

2. Related Work (cont.)
• Machine Learning Approach
  • An intrusion detection system (IDS) based on a machine learning technique.
  • The overall IDS quality depends on the quality of the training set.
  • It cannot thoroughly check all the vulnerable spots as traditional penetration testing does.

2. Related Work (cont.)
• Instruction-Set Randomization
  • Creates SQL queries using randomized keywords instead of the normal SQL keywords.
3. Design of Sania
• Specifying Vulnerable Spots
  • The vulnerable spots are the points in a query that have the potential to become SQL injection security holes.
  HTTP request includes: id=555&cat=book
  Generated SQL query: SELECT * FROM users WHERE user id=555

3. Design of Sania (cont.)
• Crafting Attack Requests
  • Linear attack
    • Sania inserts an attack code into a single vulnerable spot.
  • Combination attack
    • Sania inserts attack codes into two or more vulnerable spots at the same time.
3. Design of Sania (cont.)
• Linear attack
  • Each attack code is represented as a four-element tuple: (userInput, metaCharacter, parentheses, insertedSQL).
  • Example attack codes:
    (λ | ε, ' | ", true, or '1'='1 | or "1"="1 | or 1=1-- | or 1=1;-- | or 1=1/*)
    (λ, ε, false, from yyy-- | from yyy;-- | from yyy/*)
  • Example: SELECT id, xxx from users → SELECT id, xxx from yyy--from users
3. Design of Sania (cont.)
• Combination Attack
  • A combination attack exploits two or more vulnerable spots at the same time to inject an SQL query.
  • SELECT * FROM users WHERE name='ø1' and password='ø2' (øi: vulnerable spot)
  • SELECT * FROM users WHERE name='\' and password=' or 1=1--'

3. Design of Sania (cont.)
• Validation
  • SELECT * FROM users WHERE name='' or '1'='1'
  [Figure: properly sanitized parse tree vs. improperly sanitized parse tree]

3. Design of Sania (cont.)
• Validation
  • Because queries may be generated dynamically, Sania allows the user to control how the parse trees are matched.
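The attack-code tuples and the parse-tree validation above, as an added Python sketch that is not the paper's or Sania's code. It assumes a token-level skeleton of the query in place of the full parse tree, models only the metaCharacter and insertedSQL fields of the tuple, and uses constructed innocent and attack requests against a two-spot login query; the escaper names (none, double_quotes, mysql) are this example's own.

```python
import re
# Added sketch of Sania's validation step (not the paper's code). A token-level skeleton
# stands in for the parse tree: literal values collapse to LIT, so an input that stays inside
# its quotes leaves the skeleton unchanged while one that breaks out adds new nodes.
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^'\\]|\\.|'')*')        # literal; '' or backslash (MySQL-style) escape a quote
  | (?P<num>\d+)
  | (?P<cmt>--[^\n]*|/\*.*?\*/)          # comment, as used by the 'from yyy--' attack codes
  | (?P<op><>|<=|>=|[=<>*,();])
  | (?P<word>\w+)
  | (?P<ws>\s+)
""", re.X | re.S)

def skeleton(sql):
    """Query structure with literal values collapsed; raises on text that will not lex."""
    out, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                                      # e.g. an unterminated quote
            raise ValueError(f"cannot lex at {sql[pos:]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            out.append({"str": "LIT", "num": "LIT", "cmt": "COMMENT"}.get(m.lastgroup, m.group().upper()))
    return tuple(out)

def build_query(name, password, escape=lambda v: v):
    """Legacy string-built query with two vulnerable spots; 'escape' is the sanitizer under test."""
    return f"SELECT * FROM users WHERE name='{escape(name)}' AND password='{escape(password)}'"

ESCAPERS = {
    "none": lambda v: v,
    "double_quotes": lambda v: v.replace("'", "''"),                 # standard SQL escaping
    "mysql": lambda v: v.replace("\\", "\\\\").replace("'", "''"),    # also neutralise backslash
}

def attack_value(meta_character, inserted_sql):
    """Two of the four tuple fields (metaCharacter, insertedSQL) rendered as the injected value."""
    return meta_character + " " + inserted_sql

def is_vulnerable(escape, innocent, attack):
    """Sania's check: the attack succeeded if the structure of the generated query changed."""
    try:
        return skeleton(build_query(escape=escape, **innocent)) != skeleton(build_query(escape=escape, **attack))
    except ValueError:                                     # attack broke the query outright
        return True

INNOCENT = {"name": "alice", "password": "secret"}                         # constructed request
LINEAR = {**INNOCENT, "password": attack_value("'", "or '1'='1")}          # one spot, ' meta-char
LINEAR_WRONG_META = {**INNOCENT, "password": attack_value('"', 'or "1"="1')}  # cannot break out
COMBINATION = {"name": "\\", "password": attack_value("", "or 1=1--")}     # two spots at once
```

The wrong-meta-character case shows why Sania reports a spot only when the structure actually changes, and the combination case shows that an escaper must cover every character the database's lexer treats specially.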
4. Implementation
• Sania is written in Java (13,000 lines of code).
• A list of attack codes in XML (1,800 lines).
• An SQL parser implemented with JavaCC and JSqlParser.

5. Experiments (cont.)
• This result reveals that Sania can:
  • Execute precise linear attacks.
  • Execute powerful combination attacks.

5. Experiments (cont.)
• False Positives
  • Database Record Conflict
  • Length and Type Error
  • Misallocated Backslash
  • Field Data Conflict
  • Attacking Potentially Safe Spots
  • Mishandling of Dynamic Contents
  • Duplicate Warnings

6. Conclusion
• Sania is designed to check for SQL injection vulnerabilities in the development and debugging phases.
• Sania has proved effective: it found 39 SQL injection vulnerabilities and incurred only 13 false positives.